A New York Court dismissed the claim by two former employees against their professional services firm based on an alleged failure to protect their personal information in a data breach.
The court held that a claimant for damages in these circumstances must prove actual harm. The employees’ had only speculated as to whether they might suffer harm at some unknown future date. They also speculated about the extent of the harm, if and when it did materialise. The employees’ failure to the alleged “cognisable damages” arising out of the breach foreclosed the possibility of a damages claim. Damages must not be merely speculative; they must be caused in some way by the defendant.
This principle should be true under delictual law in South Africa. Although the Protection of Personal Information Act creates privacy rights, obligations, consequences and penalties, that does not mean a damages claim follows unless there is actual measurable harm.