7 Min Read

Data breach claims and fixed recoverable costs reforms

Read more

By Hans Allnutt & Stuart Hunt


Published 15 May 2023


As any insurer or organisation that deals with data breach claims will know, legal costs typically exceed the quantum of the claim and are a major feature of claims resolution. The recent publication of the draft rules extending the fixed recoverable costs regime, taking effect from October 2023, is a welcome and important development in this field.

In response to the publication of the draft amendments required for the implementation of the extended fixed recoverable costs regime, our costs team have produced an extensive review of the proposals. The headline is that from 1 October 2023 fixed recoverable costs (FRC) will be extended for civil claims up to £100,000, with other changes including the introduction of an intermediate track and various bands of complexity for cases assigned to either the fast or intermediate tracks.

The wide scope of the reforms will impact data breach claims. As experts in dealing with data breach claims, our focus remains on ensuring that those claims which can be disposed of fairly within the small claims track in the County Court, should be dealt with accordingly. However for those low value data breach claims which are not so allocated, the extension of the fixed recoverable regime is likely to further limit costs compared to the current regime.

The recovery of fixed costs as opposed to the assessment of costs on the standard basis should disincentivise the pursuit of limited merit data breach claims by claimant firms who experienced similar developments personal injury reforms.

Why are the changes important?

Currently, the small claims track applies to claims valued up to £10,000. Claims assigned to the small claims track pose a significantly lower costs risk to defendants; a successful claimant will be limited to recovery of fixed costs and reimbursements of certain disbursements. In addition, allocation to the small claims track usually prevents claimants from being subject to an adverse costs order.

Whilst the starting point is that such claims should be assigned to the small claims track. claims may be assigned by exception to the fast track depending on a number of factors which are set out in CPR 26.8. These factors include the likely complexity of the claim, circumstances of the parties and evidential issues. Data breach claims may be issued in the County Court or High Court, but should only be issued in the High Court if their financial value, complexity or public importance warrants it.

In the second half of 2021, we saw increasing numbers of data breach actions being issued in the High Court. The standard often comprised a number of overlapping or inadequately pleaded number of actions, such as breach of data protection legislation, breach of confidence and misuse of private information. It was usually submitted that the High Court was the appropriate forum for these claims, and the County Court would not provide appropriate access to justice. 

It is acknowledged that some claims of this nature may need to be issued in the Media and Communications List of the High Court, but that there exists a category of claims which are capable of being brought and fairly tried in the County Court.

Any subsequent transfer of the claim from the High Court to the County Court did not necessarily remove the Defendant’s exposure to a disproportionate level of Claimant costs, given that costs are normally recoverable from a Defendant (should the Claimant be successful). DAC Beachcroft have been at the forefront of challenging the allocation of these data breach claims, including the subsequent question of costs.

There are examples of how claimed costs in data breach claims are capable of being inflated far beyond the value of the claim itself, requiring intervention to treat what are routine data protection claims as suitable for the County Court.

  • Johnson v Eastlight Community Housing Trust – DACB acted for the Defendant in this matter, where the Claimant’s cost budget was in excess of £50,000 for a damages claim which was pleaded in the value of £3,000. 

Master Thornett stated that “No serious privately paying litigant would contemplate spending over £50,000 in costs, not all of which may prove recoverable even in the event of success, and similarly expose themselves to the risk of a significant adverse costs order following High Court litigation if unsuccessful, for a damages claim less than £3,000.

  • Cleary v Marston Holdings – the Claimant’s costs budget was in excess of £46,000 for a damages claim which was pleaded in the value of £3,000

A number of published cases, including those above, have directed that low value data breach claims ought to be (and in some cases have been) allocated to the small claims track.

Initial impact of the fixed recoverable costs reforms

It would follow from the above that the small claims track might be avoided for data breach claims that are valued above £10,000.

The extension of the fixed recoverable costs regime for all civil claims up to £100,000 should now provide some additional fixed cost protection such that Claimants may not stand to recover all costs on the standard basis.

Claimants will now need to consider, if their breach claim is not allocated to the small claims track, whether the claim is commercially viable as the costs of pursuing a claim to trial will likely exceed the damages recovered.

Defendants will benefit from full knowledge of their possible costs exposure.

A rush to litigation?

Whilst the announcement of the draft rules will be welcomed in providing practitioners time to understand and adjust to the change, there remains the risk that claimant practitioners will look to issue claims prior to 1st October 2023 to maximise their possible recoverable costs. Insurers will need to identify those data breach claims in their book which may be at risk of issue, and consider any strategies to prevent unnecessary costs being incurred.