This site uses cookies.

Legal Mind Case and Commentary No 20 - Assessing Distress Post-Cyber Breaches [Koch HCH, Laraway A, Pelser C & Lamswood S 2018]

20/12/18. This is the twentieth in a series of Case reports and Commentaries from Dr Koch and colleagues.

Case: A recent case involving data breaches is summarised below and debated.

TLT and others vs. Secretary of State for the Home Department and the Home Office (2016) EWHC 2217 (QB)

This case involved the publishing of family return statistics which, by error, included details of applications for asylum or leave to remain. Before the error was discovered, one unknown individual had downloaded and saved the spreadsheet.

One individual (TLT) was notified of this data breach involving his personal and status details.

Areas of legal contention in this case involved whether TLT was subject to (proof of) distress and whether this crossed a threshold below which damages were not recoverable. The judge correctly took into account the assessment of damages in personal injury psychological cases, to ensure appropriate comparison. Although he did not necessarily define operationally what the threshold was, he opined that this approach of differentiation was appropriate in this case. He also took into account the claimant’s loss of control over his private and confidential information.

The background to this case involved TLT, a citizen of Iran, who came to the UK on a visitor’s visa. The judge made a global award taking into account the circumstances and the ‘distress’ which he had experienced. The award was in line with equivalent awards in PI cases for moderate psychological and psychiatric damages. The award was not differentiated into parts.

This summary is in line with the outcome of three other cases:

1) Burell v Clifford (016) EWHC (Ch)

2) Vidal-Hall, Hann and Bradshaw v Google Inc. (2016) EWCH 2217 (QB)

3) Gulati v GMC (2001) UKPC 22 (5.4.01)

In each of these cases, there was debate about how to partial out contributing factors to the ‘distress’ experienced and concluded that one overall award for distress was appropriate.


It is likely that during the next four years, the frequency of cyber crimes and breach cases will increase. At present, provided that the assessment of the psychological impact on individuals of the index crime or data breach is comprehensively made by the appropriate expert with experience of these types of cases, then whether the type or types of distress are partialled out and differentiated from each other is of a less concern, at this moment of time. However, currently, what is of most concern is to ensure the knock on effects of data breach in terms of serious and
significant adverse life events such as unemployment, relationship breakdown and relocation pressure are adequately assessed as well as the more obvious clinical injuries of depression and generalised anxiety (1, 2, 3).

The number of high profile data breaches in the last few years has increased. The highest profile case this year being the Facebook and Cambridge Analytica data breach which affected up to 87 million people. How are psychological damages cases taken into account when there could be millions of people that could come forward in some cases due to the nature of the source the breach came from.

How can causation be proven beyond reasonable doubt that it has had psychological damages to the person outside of the current context they were in? e.g. the stress of awaiting an asylum application and right to stay? These questions remain for further exploration and analysis.


Professor Hugh Koch, Dr Alec Laraway, Dr Cara Pelser and Dr Sarah Lamswood, Hugh Koch Associates, Cheltenham, Gloucestershire, UK.


  1. Koch HCH, Midgley S, Riggs E and Adeleye N (2019). Psychological injury, cyber crime and data breach damages. PIBULJ January (in press)

  2. Koch HCH (2016) Legal Mind: Contemporary issues in psychological injury and law. Expert Witness Publishing

  3. Koch HCH (2018) From therapist’s chair to courtroom: Understanding tort law psychology. LCB Publishers


Image ©

All information on this site was believed to be correct by the relevant authors at the time of writing. All content is for information purposes only and is not intended as legal advice. No liability is accepted by either the publisher or the author(s) for any errors or omissions (whether negligent or not) that it may contain. 

The opinions expressed in the articles are the authors' own, not those of Law Brief Publishing Ltd, and are not necessarily commensurate with general legal or medico-legal expert consensus of opinion and/or literature. Any medical content is not exhaustive but at a level for the non-medical reader to understand. 

Professional advice should always be obtained before applying any information to particular circumstances.

Excerpts from judgments and statutes are Crown copyright. Any Crown Copyright material is reproduced with the permission of the Controller of OPSI and the Queen’s Printer for Scotland under the Open Government Licence.