Managing data breach incidents

One chance to limit claims

Health and social care | 25.09.2025 | 7 mins read

Key takeaways

Your first message may define the entire case

The letter of notification is often the only chance to influence a judge’s view.

Detail matters more than reassurance

Clear, factual content helps recipients and courts assess risk accurately.

Strong communication can prevent claims

Well-crafted letters reduce viable legal challenges.

The judgment handed down by the Court of Appeal in Farley -v- Equiniti [2025] has clarified that there is an objective threshold test in claims for psychiatric injuries resulting from a disclosure of personal data. However, as explained below, the test is formulated in such a way that by the time proceedings have been issued, a defendant’s best and perhaps only chance to influence the result has already come and gone.

We have distilled the decision down into one, very specific lesson for those managing data breach incidents: assume the letter of notification is your only chance to provide a judge with all the information you would want them to know if they were considering the Equiniti test. It probably is your only chance.

The new test

A claimant seeking damages for a psychiatric injury caused by the disclosure of their personal data must: (1) identify the non-hypothetical risk of their data being misused that concerned them; and (2) prove their associated fear was “objectively reasonable”. Crucially, this assessment is performed on the basis of the claimant’s relevant subjective knowledge, at the time the injury is alleged to have been caused.

Knowledge

It is likely that an individual will be unaware of a data breach incident unless and until they receive notification from the data controller. It will be their reaction to that notification, or more specifically to their perception of the associated risk of data misuse, that will be alleged to have caused their psychiatric injury.

Consequently, their subjective knowledge for the purposes of the test will be limited to the information provided to them by the letter of notification. Accordingly, it is the content of the letter of notification which establishes the factual context in which the test will be applied.

Two perspectives - no difference?

When drafting a letter of notification consider this: is what you want to tell the recipient the same as what you would want to tell the court?

The answer to that question should certainly be that you want to enable each to undertake the most nuanced and accurate assessment of risk that is possible, and therefore that you want to provide all the relevant information to both the recipient and the court. In practical terms, as far as the provision of information is concerned, there is no difference or distinction between them.

That approach must be correct, but the question is more subtle because it requires consideration not just of what information will be included in the letter of notification, but also of how it will be conveyed. It is often the case that those who have responsibility for drafting correspondence that will be sent directly to individuals will have been trained, or seen guidance, about how they should approach “style” and “tone”. It will not be the same approach as correspondence with, say, a legal representative. The potential impact of this difference can be illustrated with the following example:

Accounting for the fact it is intended for an unrepresented recipient, a letter of notification is drafted so as to be easily read and understood, avoiding complexity in favour of a simple and direct style. One key issue is addressed as follows, ‘Please be assured that we took immediate steps which successfully mitigated the data breach.’

It is easy to imagine that the immediate reaction of a solicitor, or indeed a judge, would be to ask what steps were taken, and to what extent the breach was mitigated. A judge will very likely find that the broad, non-specific drafting conveyed little, if anything, that helped the recipient make an assessment of risk.

If that perspective is accounted for, the same point of reassurance might be conveyed as, ‘In order to mitigate the data breach we recalled the relevant email within 30 minutes, and all copies of the document containing your personal data were identified and deleted from our server within 1 hour. A review performed the following day confirmed there were no copies remaining on the server. Although the email was sent to 15 internal email accounts, an analysis by our data-security team has confirmed that none of the recipients accessed the attachment which contained your personal data.’

The second draft conveys detail which becomes part of the recipient’s subjective knowledge, and, therefore, will be considered if a judge should one day have to determine whether there was a credible, non-hypothetical risk of data misuse, and if so, whether the fear it caused was objectively reasonable.

The necessity of a detailed approach should not be viewed as superseding the obligation to communicate effectively with a recipient, who may well take greater reassurance from having the detail: perhaps by chance the recipient is also a judge!

Impact

If the notification of data breach incidents is managed as we have suggested, it will not be possible to rely upon wild, hypothetical risks, even if they represent what was genuinely believed, and so there will be fewer viable claims.

Perhaps most importantly, the common business model, which relies upon using advertising to gather large cohorts of claims which can be managed collectively, may no longer be viable. These cases are now fact specific and firms may simply be unwilling to invest the time in assessing cases individually, particularly if few will be taken on. Ironically, the main factor responsible for making an entire industry out of data breach claims will very probably be the main factor responsible for shutting it down.
