Psychology and data breaches. The emotional impact of privacy violations
The sheer scale of the information we share with organisations is enough to leave us all open to the threat of financial and identity fraud. But, when talking about the real-life impact of data breaches, we often don't consider the impact on an individual's mental state.
At Hayes Connor Solicitors, we help our clients to make compensation claims after their data has been put at risk by the organisations they trust to look after it. In some cases, these breaches result in serious financial fraud. But, every day, we also help people come to terms with privacy violations that have a severe and often lasting impact on their mental health.
To shed some light on this issue, we interviewed renowned clinical psychologist Professor Hugh C. H. Koch - visiting professor in law and psychology at Birmingham City University School of Law - to find out more about the typical psychological effects experienced by victims of data breaches.
Is there a lack of trust in the organisations that hold our personal information to keep that data safe?
The small number of cases which are publicised and involve the abuse of personal information indicate that personal information can be inappropriately used and this raises individuals' concerns about security.
Why has that trust broken down?
Significant publicity is given within the media when an organisation or one of its members has abused personal information, resulting in some form of data breach. As a result, individuals are less likely to trust organisations in general when providing personal information. This then can adversely affect effective communication, dealing with correspondence and, especially, telephone or email communications.
Are people becoming more stressed about the need to keep their personal information and passwords secure?
People are certainly becoming more aware of the potential risks in giving out personal information to organisations which may or may not be stored and used for purposes of which the individual is unaware. The storage and changing of passwords also raises concerns about security. This increased awareness can, in some cases, result in individuals becoming stressed and worried about adverse consequences.
What are the typical psychological effects experienced by victims of data breaches?
Data breach victims typically experience high levels of anxiety, specific to the data breach but also generalised to other aspects of dealing with correspondence, telephone and digital communication and payment for services. Victims experience social anxiety, with difficulties dealing with friends and neighbours, tradesmen, shopping transactions and can develop oversensitivity or paranoia in their communications with others. They can also develop varying aspects of mood disturbances or depression especially including poor sleep and tearfulness.
How are the principles and methods for investigating psychological injuries following a data privacy violation evolving?
As a result of increased volumes of data breach incidents, lawyers and experts are using their respective skills to assess the psychological and social consequences, symptoms and 'injuries' in reliable and valid ways. Structured interviewing, psychometric assessment and perusal of medical and occupational records are all part of this process.
Do organisations (those that hold our data) understand the full impact, psychological stress, and trauma that can be experienced by individuals following a data breach?
Learning how individuals are adversely affected by data breach events is a gradual process. Once an organisation has 'got it wrong', it should learn in a reflective way, why and how this occurred and what deleterious effect a data breach has had on any one individual. As a result, it should improve security practices to prevent further occurrences.
What about the ICO? Does it still need educating on the emotional impact of data breaches?
The role of the Information Commissioner's Office (ICO) is to uphold information rights in the interest of the public and manage the complaints process. To do this effectively it needs to understand the various psychosocial effects that data breaches can have on individuals.
Do changes to the law that reflect the impact of emotional distress go far enough?
It is important that mild or minor examples of emotional distress get recognised as well as the more severe and disruptive effects. However, it is essential that these are assessed and described in a reliable way.
How are psychologists and lawyers collaborating in this area?
Collaboration between lawyers and psychologists will result in clear and reliable assessment of the psychological effects of data breaches on individuals and families. In some cases, once an assessment takes place, some form of treatment may be appropriate to rectify any residual or ongoing problems. Collaboration will encourage rapid, accessible and effective assessment and treatment where appropriate.
What is working, and where do we need to improve?
In order to maximise the usability of a psychological assessment, it is essential to have a clear and concise description typically for a focused witness statement, as to the effects of the specific data breach. I repeat, 'concise and focused', rather than lengthy and unclear.
What can the legal profession do to shed more light on the emotional impact of data breaches and cybercrime?
Education within the legal media, both written and digital, concerning the psychological effect of data breaches reinforced at legal educational meetings and conferences will raise the bar of how much lawyers know and understand about data breach effects.
Are digital innovations making the data breach claims process less stressful for victims?
Digital innovation (D.I) is a development which has both positive and negative effects on the practice of law and wellbeing. If D.I helps to increase the recognition of data breach effects and their resolution, then this will reduce the overall stress on victims who are bringing claims.
Anything else you want to add?
This is an exciting and very worthwhile relatively new medico-legal intervention. At this time, it is likely that more such cases will be investigated. Further analysis of the effects on compensation and rehabilitation will be necessary.
- Koch HCH, Midgley S, Riggs E, and Adeleye N (2018). Psychological Injury, Cyber Crime and Data Breach Damages. Expert Witness Journal, Manchester, December.
- Koch HCH (2018). "From Therapist's Chair to Courtroom - The Psychology of Tort Law". LCB Publishing.