by Hugh Koch, Clinical Psychologist and Visiting Professor in Law & Psychology to Birmingham City University (BCU), Simon Midgley, Clinical Psychologist, Emma Riggs, Clinical Psychologist and Nkem Adeleye, Lecturer in Law (BCU)
Data breaches concerning individuals and organisations are increasingly common highlighted by the growing emphasis on GDPR (General Data Protection Regulation) and organisational security measures. Despite best intentions and quality control of data disclosure, sensitive data breaches can have a variety of negative consequences (1). When a data breach occurs in an organisation, whether public or private, one compromising episode can adversely affect the best of reputations. Such damage to reputation and brand value as a result of a cyber security breach is an increasingly common occurrence. The digital world of immediate accessibility can lead to a company’s identity being adversely affected throughout its customer base, and result in a significant loss of customer trust, whether the ‘customer’ be an individual or another corporate entity. The consequent shut down in operations in order to rectify the data breach very easily results in significant loss of revenue. In the UK, between 40-45% of all businesses identified at least one cyber breach in the past 12 months (2) – it is clearly a priority for companies to learn how to keep data secure or face the consequences, one of which could be litigation.
Due to the highly sensitive nature of data breaches, individuals affected by a data breach may also be at risk of identity theft. Criminals can steal an identity and commit fraud in a victim’s name, using the exposed and released information. It can be used on the ‘cyber black market’ to file fraudulent tax returns, open new credit, make false purchases on existing credit accounts and obtain services including medical treatment (3, 4).
Public bodies collect a significant amount of sensitive information about people that it provides services to/for. They have a duty to use and store this data responsibly. The Data Protection Act [2018] and Human Rights Act [1998] set out rules to protect the public and its personal data. Public bodies such as the NHS, Police, and Local Authorities are at risk of breaching these rules at times by storing inaccurate or out-of-data information, holding data longer than necessary, failing to make data secure from external hackers or by using data outside its stated purpose. Individual rights can be infringed when a public body commits any (5a) of these errors, and these can result in litigation.
A breach can occur in numerous ways including hacking, lost laptops, iPads and iPhones, theft by an employee and error in data processing and transmission. It is incumbent on businesses to prevent data breaches and secure the personal information it handles but this does not always occur. Due to the myriad of potential breaches, the probability of a data breach increases over time and failure to promptly take action in the event of a breach can have significantly adverse results for any one individual and the organisation concerned (3).
Latest research indicates (5,6) that people are becoming stressed by the additional pressure to keep large amounts of information and passwords secure. There is a lack of trust in technology companies and organisations that hold information to keep that information safe. Least trusted was the Government and its many agencies. Most trusted were manufacturing, healthcare and education despite these industries all experiencing data breach problems recently.
The Psychological effects of a Data Breach
In most cases of cyber/data breach, there is some financial loss to the victim, a loss which gets greater when stolen data is sold on (6). However, a less understood effect is the psychological stress and trauma experienced by the individuals concerned.
Typical psychological effects include:
1. Invasion of their privacy, feeling victimised
2. Feeling upset, depressed and guilty
3. Insomnia
4. Eating and sleeping difficulties
5. Social anxiety, avoidance, hypervigilance and disruption
The stress of experiencing a data breach may result in other, well known adverse life events, such as needing to move house, move area, losing a job, relationship stress and separation, dislocation from friends and family, and difficulties with home purchase if I.D is compromised.
A number of diagnosable mental disorders or ‘psychological injuries’ can occur and be identified when interviewing claimants over 3-36 months after the data breach they have experienced. These include:
• Adjustment Disorder with Anxiety and Depressed Mood. (DSM5 309.28)
• Adjustment Disorder with Depressed Mood. (DSM5 309.0) (F43.22)
• Adjustment Disorder with Anxiety. (DSM5 309.24) (F43.22)
• Specific Phobia (Situational Type). (DSM5 309.29) (F40.248)
• Post-Traumatic Stress Disorder. (DSM5 309.81) (F43.10)
• Acute Stress Disorder. (DSM5 308.3) (F43.0)
• Major Depressive Disorder. (296x)
• Panic Disorder. (DSM5 300.01) (F41.0)
• Agoraphobia. (DSM5 300.22) (F40.00)
• Generalised Anxiety Disorder. (DSM5 300.02) (F41.1)
• Obsessive Compulsive Disorder. (DSM5 300.3) (F42)
The finding of an appropriate diagnosis helps all parties understand logically how severe a psychological problem or ‘injury’ has been, and, secondly, whether it requires treatment to rectify. This can be reinforced by contemporaneous information from the GP records and reinforced by a clear descriptive narrative of how the index data breach has adversely affected the claimant. With regards to whether a data breach would meet the criteria of a life threatening event and its implication for PTSD, this is unlikely. However, the ‘knock on’ effect of a serious data breach could conceivably result in high levels of stress and subsequent adverse life events with serious implications.
Awards for Distress
Increasingly case law has emerged, emphasising the interrelationships between privacy rights, Tort Law and data protection. Claims are being brought on more than one ground i.e. for the misuse of private information, and for breach of data protection obligations (7).
Recent case law of relevance has included:
- a) TLT and others v. Secretary of State for the Home Department: The Court awarded a global sum of damages rather than separating out a damages award under district head of damages.
b) Vidal-Hall and others v. Google Inc: This made it easier to bring claims for compensation for distress alone, and not only as an adjunct to some financial loss.
The type of data breach i.e. medical, financial or social will affect quantum. Differing effects on relationships both marital and social had significant effects on quantum.
c) Burrell v. Clifford: The court held that the question of appropriate compensation was broad and should take into account circumstances such as:
•. The nature of the information
•. The nature, expert and purpose of the misuse
•. The consequences of the misuse
•. Whether the misuse caused the claimant financial loss
•. Any aggravating factors
d) Gulati: Emphasis may be put on high awards to celebrities but the Court of Appeal stated that there should be a reasonable relationship between the lack of damages awarded for distress in privacy claims and awards made for psychological injury in personal i njury cases.
In Gulati, the Court of Appeal also stated that damages should not be limited to damages for distress but recognised that an award of damages can be made for infringement of the right itself – the misuse of private information, consistent with decisions of the European Court of Human Rights. This expands the reach of the law itself.
Conclusion
With greater awareness of GDPR, claims solely for distress against organisations who hold and control data will be given a firmer legislative basis (7) and become more common. The principles and methods for investigating psychological injuries consequent on data breaches are being developed (8), with each case being considered on its individual merits, and adjudicated with careful application of the Gulati principles and personal injury guidelines.
Given that a claimant involved in a data breach claim is likely to be anxious and distressed, it is important that the claim is pursued and resolved as speedily as possible, ensuring the claimant finds the process convenient and accessible. Needless to say, the culture of this medico-legal process should, itself, be aligned with optimal information security and unbiased, fair and impartial witness reporting (9).
Helping the claimant obtain the best legal and medico-legal advice requires trust in the legal firm involved. Making a compensation claim for a data breach can be stressful. Recent rulings have paved the way for those affected by data breaches to claim damages for distress with or without actual financial loss being involved (10). The immediate future for these types of claim should allow greater recognition and support for individuals who have been placed in such invidious positions by data breaches.
References
1. The scary side effects of a cyber breach (2018). www.vantiv.com
2. The damaging after effects of a data breach (2018). www.itgov ernance.co.uk
3. Data br each (2018) www.slk-law.com/practices
4. Data br each lawyers (2018) www.robinsonfirm.com
5. Cyber Crime victims left depressed and traumatised (2018) www.infosecurity-magazine.com
5a. Data breach issues (2018) www.irwinmitchell.com
6. Are data breaches stressing you out? (2018) www.kasp ersky.com
7. Privacy and Data Protection Cases: Quantifying Damages for Distress (2018) www.brownejacobsen.com
8. Koch HCH (2018) From Therapist’s Chair to Courtroom: Understanding Tort Law Psychology. LCB Publ ishing
9. Fair and impartial witness reporting (2018) www.prem exservices.co.uk
10. Data breaches are stressful (2018) www.hayesconnor.co.uk
Cases
1. TLT and others v. Secretary of State for the Home Departme nt (2016) EWHC 2217 (QB).
2. Vidal-Hall and others v. Google Inc. (2015) EWCA. CIV 311.
3. Burrell v. Clifford (2016) 294.
4. Gulati (2015) EWCA 1482.
Further details on this area of personal injury litigation can be obtained from Professor Hugh Koch.
