Barings Solicitors: Spurgeon & Ors v Capita: High Court Refuses Application to Strike Out Data Breach Compensation Claims

High Court Allows Capita Data Breach Compensation Claims to Proceed

In a landmark ruling, the High Court of England and Wales has rejected an attempt by outsourcing giant Capita plc to strike out compensation claims from 4,000 individuals affected by its 2023 data breach. The breach, one of the largest in UK history, exposed the personal data of 6.6 million people, including employees and members of 325 pension schemes managed by Capita’s clients.

The Breach and Its Fallout

The incident came to light in 2023, when hackers infiltrated Capita’s systems, stealing sensitive information. The company subsequently notified 9,000 "high-risk" individuals, including the claimants in this case. Law firm Barings Solicitors later launched a no-win, no-fee compensation campaign, estimating average payouts of £1,000 per claimant potentially totaling £3–4 million across all cases.

Capita’s Strike-Out Attempt

Capita sought to dismiss the claims, arguing that Barings had "irrevocably tainted" the evidence by drafting Particulars of Claim that included emotive language such as "tormented," "violation," and "betrayal of trust" which the claimants themselves had not used. The company contended that this constituted an abuse of process, as the legal team had allegedly misrepresented their clients’ instructions and signed a statement of truth without proper verification.

Court Rejects Capita’s Arguments

Master Dagnall, presiding over the case, ruled that striking out the claims would be disproportionate. While acknowledging concerns over the ambiguity of certain terms (e.g., "tormented"), he emphasized that:

• Pleadings are not evidence they merely outline the legal basis for a claim, with witness statements to follow.
• Lawyers have broad discretion in drafting claims, provided clients assent to the wording.
• Each claimant retains the right to a judicial determination of their damages, even if procedural issues arise.

The judge noted that while the language used was open to interpretation, it did not amount to professional misconduct or an abuse of process. However, he suggested clarifying terms like "tormented" to avoid confusion, with further adjustments to be addressed at a later hearing.

Broader Implications

This ruling underscores the challenges of collective redress in data breach cases, particularly when claims are individually assessed rather than pursued as a class action. While Capita has already faced a £14 million fine from the ICO, the ongoing litigation highlights the financial and reputational risks for organizations failing to secure sensitive data.

The case now proceeds, with Capita facing a choice: contest each claim at trial or seek a settlement both options carrying significant costs. The outcome will be closely watched as a precedent for data breach litigation in the UK.

Source: https://www.ropesgray.com/en/insights/viewpoints/102mm5m/spurgeon-ors-v-capita-high-court-refuses-application-to-strike-out-data-breach

Barings Law cybersecurity rating report: https://www.rankiteo.com/company/barings-law

"id": "BAR1772800548",
"linkid": "barings-law",
"type": "Breach",
"date": "1/2023",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"

{'affected_entities': [{'customers_affected': '6.6 million people (including '
                                              '4,000 claimants)',
                        'industry': 'Business Process Outsourcing, Pension '
                                    'Management',
                        'location': 'UK',
                        'name': 'Capita plc',
                        'size': 'Large',
                        'type': 'Outsourcing Company'}],
 'customer_advisories': 'Notified 9,000 high-risk individuals',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '6.6 million',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information)',
                 'type_of_data_compromised': 'Personal data, pension scheme '
                                             'member information'},
 'date_detected': '2023',
 'date_publicly_disclosed': '2023',
 'description': 'The High Court of England and Wales allowed compensation '
                "claims from 4,000 individuals affected by Capita plc's 2023 "
                'data breach to proceed. The breach exposed personal data of '
                '6.6 million people, including employees and members of 325 '
                'pension schemes managed by Capita’s clients. Capita attempted '
                'to strike out the claims but was rejected by the court.',
 'impact': {'brand_reputation_impact': 'Significant reputational damage',
            'data_compromised': 'Personal data of 6.6 million people, '
                                'including high-risk individuals',
            'financial_loss': '£3–4 million (estimated compensation payouts)',
            'identity_theft_risk': 'High (personal data exposed)',
            'legal_liabilities': 'Ongoing litigation, potential £3–4 million '
                                 'in compensation'},
 'investigation_status': 'Ongoing',
 'references': [{'source': 'High Court of England and Wales Ruling'}],
 'regulatory_compliance': {'fines_imposed': '£14 million (ICO fine)',
                           'legal_actions': 'Ongoing compensation claims',
                           'regulations_violated': 'UK Data Protection Laws'},
 'response': {'communication_strategy': 'Notified 9,000 high-risk individuals'},
 'threat_actor': 'Hackers',
 'title': 'Capita Data Breach Compensation Claims',
 'type': 'Data Breach'}