In this day in age, data breaches are common. Digital extortionists will use sophisticated techniques to obtain confidential and private information of millions of individuals from well-known platforms like Yahoo and Shopify. If you are a victim of such an attack, the question becomes: what damages are you entitled to?
Unfortunately, a recent decision by Justice Perell (a well-respected respected Judge in Ontario) demonstrates that, absent tangible, quantifiable harm, victims will not receive much relief. Specifically, in order to obtain meaningful relief, a victim must show that:
- he/she suffered actual harm, not merely a risk of harm. In other words, the victim must show that because of the data breach, he/she suffered financially; and,
- the harm suffered was caused by the data breach itself. In other words, the victim must prove that the harm was a consequence of the breach and did not result from some other explainable factor.
Given this test, many victims who have commenced claims for having their personal information stolen, but have not suffered quantifiable damages, were unsuccessful. In contrast, victims who can prove that his/her banking information was stolen and the money was withdrawn as a result of the data breach, have fared much better.
Spending time and money on a lawsuit in relation to a data breach only makes sense if you can prove that you have actually suffered. Personal and mental anguish, i.e., frustration and anxiety that a fraudster may have your personal information, does not, in and of itself, matter, when damages are awarded.