The recent hacking of website AshleyMadison.com has exposed the website's parent companies to lawsuits in the US and Canada and has attracted the attention of the Australian Privacy Commissioner. The Ashley Madison hack will undoubtedly fuel the perception that threats to privacy are growing in the digital age. Partner Gavin Smith, Senior Associate Aleisha Brown and Law Graduate Shelley Drenth examine the litigation risks that stem from incidents of cyber-attack or data breach.
How does it affect you?
- Entities that fail to protect personal information from unauthorised access face the prospect of enforcement action by the Australian Privacy Commissioner, as well as litigation brought by affected individuals and possible serious reputational damage.
- The protection of personal information is the key to avoiding the litigation and reputational risks that stem from incidents of cyber-attack and data breach. Entities that collect and store personal information must implement cyber resilience programs with robust security measures to protect that information. Entities should also review their insurance policies to ensure they are covered for cyber-risk liabilities and losses.
- Even in the absence of a mandatory data breach notification scheme in Australia, entities must be prepared to notify the Privacy Commissioner and affected individuals of serious incidents of data breach. An entity's notification procedures are an essential part of an effective data breach response plan.
Following the recent high-profile hacking of the website AshleyMadison.com (a website that assists users to organise discreet extra-marital affairs), plaintiffs have filed lawsuits in the US1 and Canada2 against the website's parent companies Avid Dating Life, Inc. and Avid Life Media, Inc for failing to protect the personal information of the website's users. In Australia, the Privacy Commissioner has been liaising with the relevant Canadian authorities and has been in direct contact with Avid Life Media regarding the breach.3
The changes to the Privacy Act 1998 (Cth) in 20144 reflect the increasing importance of privacy and data protection in Australia. The Ashley Madison hack will undoubtedly fuel the perception that threats to privacy are growing with the increased use of technology by individuals. In this context, the time is ripe to examine how Australian plaintiffs might follow in the footsteps of their Canadian and US counterparts to take legal action against Avid Life Media, or against other entities who experience similar data breaches.·
Australia's Privacy Act does not create a cause of action that allows litigants to sue for an 'invasion of privacy'.5 Unlike in other countries such as the US and the UK,6 there is no common law tort of invasion of privacy in Australia.7 Even so, the risks associated with incidents of cyber-attack or data breach are numerous. Entities that fail to protect personal information from misuse or loss, and from unauthorised access, modification or disclosure, face not just the prospect of enforcement action by the Privacy Commissioner, but also the prospect of:
- litigation brought by affected individuals on other bases (including representative complaints to the Privacy Commissioner); and
- serious damage to their reputation.
The impact of enforcement action was illustrated by Optus' experience earlier this year when it became the first entity to enter into an enforceable undertaking with the Privacy Commissioner. This undertaking followed Optus' voluntary data breach notification to the Privacy Commissioner. Although the Privacy Commissioner decided not to seek an award of a civil penalty against Optus (largely because of Optus' proactive engagement with the Privacy Commissioner), compliance with the undertaking is likely to be an expensive exercise.8
In the absence of a statutory tort of privacy invasion, privacy plaintiffs in Australia may turn to other causes of action to pursue entities that fail to protect their personal information:
- Privacy plaintiffs might rely on an express or implied contractual promise by an entity to keep personal information secure9 to found an action for breach of contract. However, in order to receive an award of damages for breach of contract, privacy plaintiffs will need to prove actual economic harm.10 This may be difficult where individuals affected by a data breach are readily reimbursed by their banking or financial institutions for any economic loss.
- Similarly, negligent invasions of privacy may be actionable under the common law tort of negligence, although currently this is only where actual damage in the form of physical injury, psychiatric illness, property damage or financial loss has been suffered by the plaintiff from the defendant’s negligent breach.11
Privacy plaintiffs (including the victims of the Ashley Madison hack) typically focus on loss associated with emotional distress. In Australia, damages for distress are available in successful claims for breach of confidence.12 However, plaintiffs relying on breach of confidence have generally shown that their confidential information was deliberately disclosed by the entity, rather than disclosed as a result of an unauthorised attack.
Given the difficulties identified above, privacy plaintiffs who are unable to show economic loss may avail themselves of the complaints process under the Privacy Act. Under the Privacy Act, individuals (or classes of individuals) can complain to the Privacy Commissioner about an interference with their privacy.14 Following an investigation of the complaint, the Privacy Commissioner may require the entity to pay compensation to affected individuals15 (in addition to pursuing enforcement action against the entity).
The Privacy Commissioner can award compensation for 'loss or damage', which includes injury to an individual's feelings or humiliation suffered by the individual.16 While the Privacy Commissioner has previously made only moderate awards for compensation,17 a representative complaint involving a large number of individuals might lead to a significant award of damages for humiliation.·
While privacy plaintiffs in Australia may face hurdles in establishing actual economic loss, the publicity associated with any attempt to do so (or a representative complaint to the Privacy Commissioner) poses serious reputational risks to entities in Australia.
Australian entities should also be aware of the risk of being sued in privacy plaintiff friendly jurisdictions. In Vidal-Hall v Google Inc,18 three British claimants sued Google for the tort of 'misuse of private information' and for a breach of the Data Protection Act 1998 (UK). Although Google is registered in and has its principal place of business in the US, the claimants have obtained permission to serve Google outside of the jurisdiction on the basis that they had suffered damage in the UK.19
Finally, if a company's board of directors knows that its security is flawed and that the business is susceptible to a cyber-attack, but takes no steps to mitigate this risk, directors may be liable for breaching their duties of care and diligence under section 180 of the Corporations Act 2001 (Cth).20
It is also worth remembering that, on 3 March 2015, the Federal Government announced its support for the introduction of a mandatory data breach notification scheme by the end of the year.21 Although the Federal Government has not yet released draft legislation for the scheme, entities will soon be required to notify the Privacy Commissioner, as well as affected individuals, where a data breach results in the misuse or loss and unauthorised access, modification or disclosure of personal information held by those entities. We consider it likely that the heightened awareness of data breaches that would result from such a scheme will contribute to an increased appetite for privacy litigation in Australia. However, the fact that there are only five more weeks in 2015 when both Houses of Parliament are sitting makes it increasingly unlikely the government will meet its commitment to introduce the notification scheme by the end of this calendar year. ·
In the meantime, the Privacy Commissioner has made it clear that an entity must adopt notification procedures as party of an entity's data breach response plan. In late 2013, the Privacy Commissioner opened an own motion investigation into Adobe Systems Software Ireland Ltd following Adobe's announcement that it had suffered attacks on its network involving the theft of the credit card details of 135,288 Australians. The Privacy Commissioner found that Adobe had failed to protect all the personal information it held from unauthorised access, and recommended, among other things, that Adobe take steps to ensure it can implement a faster and more wide-spread notification procedure should it experience another data breach of this nature and scale.22 As the attack occurred before March 2014, the Privacy Commissioner was not able to seek an enforceable undertaking regarding such recommendations.
In light of the increased attention paid to privacy, cyber-attack and data breaches and the prospect of a mandatory data breach notification scheme in Australia, clients would be well advised to review their cyber resilience programs. Entities must ensure they are adequately prepared for and can respond to and recover from a cyber-attack or data breach.23 Entities must also ensure that their insurance policies cover cyber-risk specific losses and liabilities.
We have developed a number of resources that may assist you in developing an effective cyber resilience program and data breach response plan:
- Insuring against cyber-risks: A changing landscape
- Cyber security – what should businesses do to avoid, minimise or remedy the damage caused by a cyber-breach?
- 'Ashley Madison, parent company sued in U.S. over data breach', Reuters (24 August 2015).
- Tanya Basu, 'Ashley Madison Faces $578 Million Class Action Lawsuit', TIME (23 August 2015).
- Office of the Australian Information Commissioner (OAIC), 'Ashley Madison data breach' (20 August 2015).
- See Focus: Major privacy reforms passed for information about the key changes to the Privacy Act.
- The Australian Law Reform Commission (the ALRC) has proposed a new statutory cause of action for serious invasions of privacy. However, it is highly unlikely that the current Government will implement the ALRC's recommendation (see Focus: ALRC Final Report: 'Serious Invasions of Privacy in the Digital Era' for more information).
- Although the United Kingdom does not strictly have a tort for invasion of privacy, it has extended the doctrine of breach of confidence, which prevents the disclosure of information ‘imparted in circumstances importing an obligation of confidence’ to a quasi-privacy tort called 'misuse of private information': Campbell v MGN Ltd  2 AC 45, 464  (Lord Nicholls). Notably, the position in the United Kingdom is heavily influenced by article 8 of the European Convention on Human Rights that provides, in part, that ‘everyone has the right to respect for his private and family life, his home and his correspondence’. Section 6 of the Human Rights Act 1988 (UK) makes it unlawful for a public authority to act in a way that is incompatible with a Convention right.
- As the High Court has explained, the Privacy Act ‘stops short of enacting what might be called a statutory tort of privacy invasion’: see Australian Broadcasting Corporation v Lenah Game Meats (2001) 208 CLR 199,  (Justices Gummow and Hayne).
- See Focus: First enforceable undertaking under new privacy laws for more information.
- The ALRC has suggested that it would not 'be difficult to find an implied term that private information about the plaintiff should not be disclosed except for the purposes of the contract or in compliance with terms of the contract': ALRC, Serious Invasions of Privacy in the Digital Era (Report 123, 3 September 2014) 120 (ALRC Report).
- Damages for emotional distress for breach of contract are limited to where the contract provides for enjoyment or relaxation: Baltic Shipping v Dillon (1993) 176 CLR 344.
- ALRC Report 119-120. See, eg, section 31 of the Civil Liability Act 2002 (NSW).
- Giller v Procopets  VSC 113.
- Shahid v Australasian College of Dermatologists (2008) 168 FCR 46, 113-15 -, citing Marks v GIO Australia Holdings Ltd (1998) 196 CLR 494.
- Section 36 of the Privacy Act.
- Section 52(1)(b)(iii) of the Privacy Act. An award for compensation is recoverable as a debt in the Federal Court: see sections 60 and 62 of the Privacy Act.
- Section 52(1AB) of the Privacy Act. See, eg, DK v Telstra Corporation Ltd  AICmr 118 (30 October 2014) in which the Privacy Commissioner awarded $18,000 for anxiety and stress.
- See also OAIC, 'Privacy determinations'.
-  EWCA Civ 311.
- The Supreme Court has granted Google permission to appeal the Court of Appeal's decision as it relates to the Data Protection Act 1998 (UK).
- ASIC, 'Cyber resilience: Health check' (Report 429, March 2015).
- Senator the Hon George Brandis QC and the Hon Malcolm Turnbull MP, The Australian Government has responded to the inquiry of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (3 March 2015). See Client Update: Data Deal - Mandatory Data Breach Notification Laws to be introduced as trade-off for controversial Metadata Retention Regime for more information.
- OAIC, 'Adobe Systems Software Ireland Ltd, Own motion investigation report 13/00007' (June 2015).
ASIC, 'Cyber resilience: Health check' (Report 429, March 2015)