The Pharmacists' Defence Association has announced that it is pursuing litigation on behalf of nearly 600 members affected by a data breach (disclosed in late 2018) by Well Pharmacy. Details of the breach can be seen below, but I was particularly struck by the surprise from some quarters that such a claim can be pursued, even where no financial loss has been suffered.

It's true that it certainly used to be the case that a claimant needed to show loss (usually financial loss) before a claim could be pursued. But the tide has been turning. In a case considered by the Court of Appeal in 2018, the Morrisons supermarket chain were held liable for a data breach affecting their staff. This was a breach which Morrisons had done a good deal to mitigate, including by purchasing ID fraud protection for affected personnel. The ICO had also considered the breach and confirmed that there was very little more that Morrisons could have done to safeguard the data that was lost. Nevertheless, staff were permitted to pursue their class action claim for damages for anxiety and distress caused by the breach, even without any evidence of monetary loss having been suffered.

One of the answers to this (says the Court of Appeal in the Morrisons decision) is to make sure that adequate insurance is in place to cover such claims. But the data breach insurance market is not very mature (in the UK at least) and concern is growing about the extent to which some general liability policies will answer to claims for data breaches. All of this just adds another range of issues for businesses to grapple with in the immediate aftermath of a data breach. It reinforces the importance of having a good plan in place (which includes proper provision for immediate insurance, PR and legal responses) ahead of time.