How stress claims work after a data breach

Answer

A recent Court of Appeal decision has confirmed that people can claim compensation for emotional distress, such as fear or anxiety, caused by a data breach, even if the distress is relatively minor. Farley v Equiniti makes clear that organisations handling personal data can’t avoid liability simply because no serious harm resulted from the breach. The decision confirms that compensation may be awarded for well-founded fears of data misuse, even if the risk of harm never materialises.

What happened?

In late August 2019, Equiniti, the administrator of the Sussex Police pension scheme, sent more than 750 annual benefit statements to old residential addresses because of a system error. The statements contained personal details including officers’ names, dates of birth, National Insurance numbers and pension benefits, as well as salary information.

The mistake came to light about a month later. Some envelopes were returned unopened, some were retrieved, but most were never recovered. The Information Commissioner’s Office investigated and concluded that the breach resulted from Equiniti’s failure to keep its systems updated, although it assessed the overall risk of serious harm as ‘low’ and took no further action.

More than 400 affected officers then brought claims for distress, arguing that they feared what might happen to their personal information if it had been accessed or misused by a third party, including the risk of fraud or identity theft.

The High Court said that unless the officers could show someone had actually opened and read the letters, they had no viable claim for damages. The judge viewed the incident as a "near miss" because there was no evidence of disclosure to a third party.

What did the Court of Appeal decide?

The Court of Appeal took a different approach. It confirmed that sending personal data to the wrong address is unlawful processing, and that a data breach doesn’t depend on proving that someone actually opened or read the letters.

However, a breach on its own doesn’t guarantee compensation. To recover damages, claimants must show that any fear or distress they experienced was objectively well-founded.

In this case, the court noted that most officers had no realistic basis for believing their letters would be opened or misused. For example:

• only 14 envelopes were shown to have been opened, and only two by someone outside the officer’s family or workplace;
• most people don’t open private mail addressed to someone else, and many envelopes here were returned unopened;
• the risk of misuse was objectively low: only 37 of 750 officers took up free fraud insurance and no evidence of fraud or identity theft has emerged almost six years later; and
• fears were generally not objectively reasonable unless supported by specific individual circumstances.

This case confirms two important points for anyone bringing a data breach claim:

• Individuals can recover compensation for emotional distress such as stress, anxiety or fear, and there’s no requirement for the distress to be serious. Even low-level emotional harm can be compensable.
• Compensation isn’t automatic. A claimant must still prove that their fear was objectively well-founded, rather than based on a purely speculative or imagined risk.

In practice, claimants must explain why, in their specific circumstances, it was realistic to think their data might be accessed or misused. Many officers didn’t identify any concrete reason why their misdirected letters were likely to be opened or misused, and as a result a significant number of claims may still fail when the High Court reviews them individually.

Why does this matter for organisations?

This decision has important implications for employers, pension administrators, insurers, public bodies and any organisation that handles personal data.

First, the Court of Appeal confirmed that sending personal data to the wrong address is enough to amount to a data breach. Organisations can’t rely on arguments such as “no one opened the letter” or “no serious harm was caused”. Incorrect handling of personal data may still amount to unlawful processing.

Second, although individuals can claim compensation for even low-level emotional distress, the court made clear that these claims aren’t automatic. Claimants must show that their fear was objectively well-founded, which creates a meaningful safeguard against speculative or exaggerated claims. For organisations, this means:

• many low-value claims may still fail without proper evidence;
• a clear and prompt incidence response can influence whether a claimant's fear is seen as reasonable; and
• regulators and courts will focus not only on the cause of the breach, but also on the adequacy of the organisation's response.

Finally, the case highlights an important commercial lesson: robust data governance is essential, but so is the way organisations respond when something goes wrong. Timely investigations, clear communication and appropriate support (eg, offering fraud protection) can significantly reduce the likelihood of successful claims.

In short, the decision reinforces accountability for data breaches, while ensuring that only well evidenced distress claims succeed. Organisations should review their processes not only to prevent breaches, but also to manage them effectively when they occur.

Regina Gabbasova is a trainee solicitor at RPC.