Circuit Court dismisses claim for damages arising from data breach

Summary

A Circuit Court action against Ulster Bank was recently dismissed on the basis that the Plaintiff did not establish any loss arising from a data breach.

Facts

The Plaintiff was a customer whose bank statements were sent in error to his ex-wife over a period of seven months. The Plaintiff issued proceedings against the Bank seeking damages arising from this data breach, specifically damages for stress arising from an alleged breakdown in his relationship with his ex-wife and their children. The claim for damages was made pursuant to the Data Protection Acts 1988 to 2003. It was submitted on behalf of the Bank that the entitlement to compensation for a breach of the Data Protection Acts is predicated on a claimant establishing that they have suffered actual loss and damage. There is no entitlement to damages for distress and upset. 

Decision

Under cross-examination, the Plaintiff was unable to point to any specified financial loss which he suffered. While it was the case that there was a breach of duty, the Plaintiff did not establish any loss or damage. The Plaintiff's claim was dismissed and an Order was made the Plaintiff pay the Defendant's costs, to be taxed in default of agreement.  An application by the Plaintiff's counsel for a stay on the execution of the costs order was refused.

Takeaway

This case highlights the fact that, for claims made pursuant to the Data Protection Acts 1988 -2003, a Plaintiff must establish actual loss or damage in order to be able to make a successful claim. Under the new Data Protection Act 2018 which implements the GDPR regime, there is provision for non-material damage which may cause harm to be actionable. It is possible that the outcome may have been different if the case was heard under the new legislative framework, although there are not yet any reported decisions in this regard.