This site uses cookies.

Can Data Breach result in Psychological Injury? - Professor Hugh Koch, Dr Joe Grace, Dr Fay Huntley & Michael Davies

21/12/20. Data breaches concerning individuals and organisations are increasingly common, with sensitive data breaches having a number of negative consequences. These have been discussed in depth (1). They focused especially on the psychological effects a data breach can have, over and above any financial loss to the victim. Common data breach types (2) include database hacking, local authority and council breaches, and card skimming and financial attacks (3).

Typically, psychological effects include: -

1. Invasion of their privacy, feeling victimised

2. Feeling upset, depressed and guilty

3. Insomnia

4. Eating difficulties

5. Social anxiety, avoidance, hypervigilance and disruption

The stress of experiencing a data breach may result in other, well known adverse life events, such as needing to move house, move area, losing a job, relationship stress and separation, dislocation from friends and family, and difficulties with home purchase if I.D is compromised.

A number of diagnosable mental disorders or ‘psychological injuries’ can occur and be identified when interviewing claimants over 36 months after the data breach has been experienced. These include:

· Adjustment Disorder with Anxiety and Depressed Mood. (DSM5 309.28)

· Adjustment Disorder with Depressed Mood. (DSM5 309.0) (F43.22)

· Adjustment Disorder with Anxiety. (DSM5 309.24) (F43.22)

· Specific Phobia (Situational Type). (DSM5 309.29) (F40.248)

· Post-Traumatic Stress Disorder. (DSM5 309.81) (F43.10)

· Acute Stress Disorder. (DSM5 308.3) (F43.0)

· Major Depressive Disorder. (296x)

· Panic Disorder. (DSM5 300.01) (F41.0)

· Agoraphobia. (DSM5 300.22) (F40.00)

· Generalised Anxiety Disorder. (DSM5 300.02) (F41.1)

· Obsessive Compulsive Disorder. (DSM5 300.3) (F42)

The clarification of an appropriate diagnosis helps all parties understand logically how severe a psychological problem or ‘injury’ has been, and, secondly, whether it requires treatment to rectify. This can be reinforced by contemporaneous information from the GP records and reinforced by a clear descriptive narrative of how the index data breach has adversely affected the claimant. With regards to whether a data breach would meet the criteria of a life-threatening event and its implication for PTSD, this is infrequent. However, the ‘knock on’ effect of a serious data breach could conceivably result in high levels of stress and subsequent adverse life events with serious psychological and social implications (4).

Gradually, litigation details and case law is emerging which looks at Tort Law and data protection: -

1. TLT and others v. Secretary of State for the Home Department (2016) EWHC 2217 (QB).

2. Vidal-Hall and others v. Google Inc. (2015) EWCA. CIV 311.

3. Burrell v. Clifford (2016) 294.

4. Gulati (2015) EWCA 1482.

With greater awareness of GDPR, claims solely for distress against organisations who hold and control data will be given a firmer legislative basis and become more common. The principles and methods for investigating psychological injuries consequent on data breaches are being developed, with each case being considered on its individual merits, and adjudicated with careful application of the Gulati principles and personal injury guidelines (5). The Doctrine in Tort Law in Misuse of Private Information (MPI) Which was developed for Campbell V. MGN.

The potential impact of COVID-19 working from home arrangement for many large and small organisations could weaken data protection arrangement, thus posing more risk of breaches.

Given that a claimant involved in a data breach claim is likely to be anxious and distressed, it is important that the claim is pursued and resolved as speedily as possible, ensuring the claimant finds the process convenient and accessible. Needless to say, the culture of this medico-legal process should, itself, be aligned with optimal information security and unbiased, fair and impartial witness reporting.

Helping the claimant obtain the best legal and medico-legal advice requires trust in the legal firm involved. Making a compensation claim for a data breach can be stressful. Recent rulings have paved the way for those affected by data breaches to claim damages for distress with or without actual financial loss being involved. The immediate future for these types of claim should allow greater recognition and support for individuals who have been placed in such invidious positions by data breaches (6).


1. Koch HCH (2019) Psychological Injury, Cyber Crime and Data Breach Damages. Expert Witness Journal, Winter.

2. Preston R (2020) Data Breach and Privacy Claims. PIBULJ, August.

3. The scary side effects of a cyber breach (2018).

4. Are data breaches stressing you out? (2018)

5. Privacy and Data Protection Cases: Quantifying Damages for Distress (2018)

6. Koch HCH (2018) From Therapist’s Chair to Courtroom: Understanding Tort Law Psychology. LCB Publishing

Further details on this area of personal injury litigation can be obtained from the first author (This email address is being protected from spambots. You need JavaScript enabled to view it. ).

Image ©

All information on this site was believed to be correct by the relevant authors at the time of writing. All content is for information purposes only and is not intended as legal advice. No liability is accepted by either the publisher or the author(s) for any errors or omissions (whether negligent or not) that it may contain. 

The opinions expressed in the articles are the authors' own, not those of Law Brief Publishing Ltd, and are not necessarily commensurate with general legal or medico-legal expert consensus of opinion and/or literature. Any medical content is not exhaustive but at a level for the non-medical reader to understand. 

Professional advice should always be obtained before applying any information to particular circumstances.

Excerpts from judgments and statutes are Crown copyright. Any Crown Copyright material is reproduced with the permission of the Controller of OPSI and the Queen’s Printer for Scotland under the Open Government Licence.