Data breaches concerning individuals and organisations are increasingly common, highlighted by the growing emphasis on GDPR, organisational security measures and associated complaints and litigation, and more recently Track and Trace concerns.

When data breaches occur, despite the best interests and quality data control of organisations, not only can an organisational reputation be adversely affected and its customer trust be damaged, but any other individual persons or ‘customer’ may be significantly affected psychologically and socially. Typical psychological effects include invasion of privacy, feeling victimised, upset and depressed, insomnia, eating and sleeping difficulties and social anxiety. The stress of experiencing a data breach may also result in other well known adverse life events such as needing to move house, area, losing a job, relationship stress and separation and dislocation from friends and family.

Recent unpublished records identified that a significant number of cases, where psychological disputes post data breach was found, a level of disturbance and disruption consistent with a recognised psychological disorder such as an adjustment disorders, depressive disorder, generalised anxiety disorder and in extremis, PTSD. The finding of an appropriate diagnosis helps all parties understand logically how severe a problem has been and whether it requires treatment to rectify.

The roll out of COVID-19 contact tracing was aimed at “minimising the spread of COVID-19 and move towards safely reducing lockdown measures.” The Ethics Advisory Board set out the principle for secure data sharing and storage, and stated that data collected should be minimised and protected so that users privacy is preserved, the whole process should be as transparent as possible. However, the generality and ambiguity of these principles and the Government’s response have caused concern, worry and little reoccurrence. (McHale, 2020)

With regards to whether a data breach would meet the criteria of a life threatening event (with implications for PTSD), this is less likely. However the ‘knock on’ effect of a serious data breach could conceivably result in high levels of stress and subsequent adverse life events with serious implications.

Given that a claimant involved in a data breach claim is likely to be anxious and distressed, it is important that the claim is pursued and resolved as speedily as possible, ensuring the claimant finds the process convenient and accessible. Needless to say, the culture of this medico-legal process should, itself, be aligned with optimal information security and unbiased, fair and impartial witness reporting.

Helping the claimant obtain the best legal and medico-legal advice requires trust in the legal firm involved. Making a compensation claim for a data breach can be stressful. Recent rulings have paved the way for those affected by data breaches to claim damages for distress with or without actual financial loss being involved. The immediate future for these types of claim should allow greater recognition and support for individuals who have been placed in such individous positions by data breaches.

Koch H, Milner P, Payne L & Jansen F (2020) Claiming for COVID-19 Stress Syndrome, Expert Witness Journal, Winter

McHale J (2020) Track, Trace and Contain. www.Bimingham.ac.uk.

Hugh CH Koch Visiting Professor in Law and Psychology at Birmingham City University and Director of HK Associates.