Class actions arising out of data breaches have been common in the US for some time, but in Australia, we're yet to see a plaintiff bring such an action successfully. In some ways this is unsurprising. Despite the fact that data breaches are now commonplace and that class action law firms are increasingly active, plaintiffs looking to bring a class action for a data breach will face a number of obstacles under Australian law, particularly where compensable loss is difficult to quantify. Nevertheless, we expect to see an attempt to bring an Australian data breach class action in the near future. This article looks at potential causes of action that could be brought by class action litigants, the hurdles that plaintiffs will need to overcome to mount a successful claim and the practical implications for Australian businesses.
- On the horizon. Although yet to be tested in Australia, class actions for data breaches have been successfully brought overseas. Data breach class actions have been particularly common in the US, with such actions being brought in recent years against high profile targets like Target, Yahoo, Ashley Madison and Home Depot. This has not gone unnoticed by plaintiff lawyers and litigation funders in Australia, who have expressed an appetite to take on data breach actions. A recent class action has been launched against NSW Ambulance in connection with a data breach, and IMF Bentham recently announced that it will fund a representative complaint under the Privacy Act 1988 (Cth) (the Privacy Act), flagging that 'a class action may follow'.[1]
- There can be no class action without a cause of action. In Australia, finding a suitable cause of action is troublesome. For one, unlike in other jurisdictions, there is no actionable right to privacy in Australia. There is, for example, no statutory right for a civil claim by an individual for breach of privacy under Australian law, nor does Australian law recognise a tort for breach of privacy. Although negligence has emerged as the claim of choice overseas, being included in 95% of data breach class actions in the US, quantifying compensable loss for negligence and other claims will prove difficult in Australia.[2] Shareholder class actions against a company whose share price is materially affected by a data breach are also a possibility. Such actions might be (among others) grounded in claims of misleading and deceptive conduct or breach of continuous disclosure obligations. For example, shareholders might claim that a company had made representations to the market that it had adequate systems and processes in place for handling personal information which (in view of a data breach) were misleading or deceptive.
- Don't forget about representative complaints. While there is no actionable right for individuals to bring proceedings under the Privacy Act, it is possible for individuals to make a representative complaint to the Office of the Australian Information Commissioner under section 38 of the Privacy Act. IMF Bentham recently announced that it is funding a representative complaint in relation to the Facebook Cambridge Analytica scandal.
- OAIC – a roadmap to claims? As seen in the recent IMF announcement which suggests that a class action might follow its OAIC representative complaint, OAIC action (and the information contained in any findings that follow) might provide plaintiff law firms and litigation funders with fodder to help them build their class. We have already seen enforcement by other regulators used in this way by litigation funders and plaintiff firms.
- Who is in the class? Data breach class action litigants could come in a variety of forms. Data breach class actions don't have to involve consumers whose personal information was the subject of the breach.[3] In fact, consumers as a class often find it difficult to quantify the loss suffered in order to establish damages. The more successful class actions in the US have been launched by disgruntled financial institutions or credit card companies who have incurred quantifiable breach-related expenses (eg card reissuance or reimbursement for fraudulent transactions). Enterprise customers affected by an upstream data breach are another class that might bring an action, particularly where they are required to incur considerable costs as a consequence of the breach.
- US trends. A number of key trends have emerged from the proliferation of data breach class actions in the US: (1) the medical industry has been disproportionately targeted by plaintiffs; and (2) the "lightning rod" effect has seen class action lawsuits cluster around the same high-profile breaches and plaintiffs file multiple claims against companies that have had the largest and most publicised breaches.[4] This makes having an appropriate crisis communications and management approach even more critical.
While data breach class actions have proliferated in the US, a number of challenges have likely dampened, and may continue to dampen, the enthusiasm of plaintiff law firms and litigation funders to take up these types of actions in Australia.
There can be no class action without a cause of action
There is currently no specific cause of action under Australian law that entitles an individual to pursue a claim for breach of their privacy or loss of data. However, the allure of being the 'first mover' on this type of litigation might mean that there are a number of possible causes of action which get tested by plaintiff law firms. A recent class action brought in relation to the NSW Ambulance Service data breach alleges breach of confidence (in equity), breach of contract, breach of the tort of privacy, and misleading and deceptive conduct. For more information, see our article A global snapshot of data breach class actions.
While many of these claims have been alleged in data breach class actions overseas, at present, the high settlement rate means it is difficult to get a clear picture of which of these claims have been most successful. In addition to some of the hurdles experienced by US plaintiffs, each cause of action has its own unique hurdles in an Australian context, as set out below.
- Breach of continuous disclosure obligations – As a general rule, under the Corporations Act 2001 (Cth) and ASX Listing Rules, if a data breach would reasonably be expected to have a material effect on the price of a listed entity's securities, it must be disclosed to the ASX. While entities should certainly consider whether they are required to disclose any data breach in accordance with their continuous disclosure obligations, it is likely that a particularly serious data breach would be required to satisfy a court that the disclosure obligation attached.[5]
In Australia, we have seen recent shareholder class actions allege failures to disclose to the market inadequacies in risk, ethics and compliance systems. A similar claim could be constructed in the cybersecurity context following a data breach, with shareholders claiming that the company knew or ought to have known of deficiencies in its systems for handling and securing personal information but failed to disclose those deficiencies to the market.
It is also possible that regulatory action might follow a failure to disclose a data breach that would reasonably be expected to have a material effect on share price, as we have recently seen in the US, with enforcement action taken against Yahoo for failing to disclose its 2014 data breach to the market – see our article Yahoo continues to pay the price for its 2014 data breach.
- Misleading and deceptive conduct – Affected individuals and shareholders may also seek to pursue a claim for misleading or deceptive conduct (under the Australian Consumer Law and, in the case of shareholders, under the Corporations Act 2001 (Cth) or ASIC Act 2001 (Cth)). Such a claim would likely be in relation to statements made by an organisation about how it handles and secures personal information, which are revealed to be false by the circumstances of a data breach.
In order to pursue such a claim, plaintiffs would need to:
- identify a representation made by the company in relation to the handling of personal information;
- establish that the relevant representation was misleading or deceptive; and
- establish that they relied on that representation and, by doing so, suffered a loss.
Misleading and deceptive conduct was one of several claims brought in the NSW Ambulance class action launched late last year.[6] Other than in the context of a shareholder class action that seeks to connect such a misrepresentation to the price of the company's shares, a claim of this kind is likely to suffer from difficulties in quantifying loss, and it will be interesting to see how this issue is dealt with in the NSW Ambulance action.
A further hurdle for plaintiffs bringing this type of claim will be establishing reliance on the representation. With the volume of material that consumers receive in the internet age, and the flippancy with which most of us review that material, it may be difficult to establish that each member of the class relied on the representation to their detriment.
- Breach of contract – Depending on the nature of the contractual arrangement, individuals or enterprises affected by a data breach may be able to base their claim on a contractual breach by the company that suffered the data breach, eg where the agreement specifies that personal information will be held or protected in a certain way.
In order for a plaintiff to successfully bring a breach of contract claim, they will need to establish that:
- the contract contained a relevant express or implied term or terms;
- the relevant term or terms was or were breached by the company; and
- the plaintiff sustained economic loss which was caused by a breach of those terms.
In practice, this final component is likely to be the most challenging for Australian plaintiffs – either because the data breach cannot be attributed to a specific failing on the part of the company or because the loss sustained was not economic and is not quantifiable. Nonetheless, overseas, breach of contract has proven to be a popular and successful choice for data breach class actions, forming part of the claims brought in a number of cases including the Target, Yahoo, Home Depot, and AvMed class actions.
In our view, a breach of contract claim is most likely to succeed when brought by an enterprise further up or down the supply chain that can quantify incurred losses from remedying the data breach or developing workarounds. The recent PageUp data breach, which affected the recruitment programs of a number of Australian organisations, is a good example of this type of breach.
- Negligence – Plaintiffs might choose to bring a claim for negligence on the basis that an organisation owed individuals a duty of care to maintain adequate technological safeguards to protect their data from unauthorised access. Like other claims, loss (ie injury or damage) is likely to be the most challenging hurdle for such a claim – plaintiffs would need to establish that they had suffered damage in the form of physical injury, psychiatric illness, property damage or financial loss as a result of the defendant's negligence (see further discussion of financial loss in the section below).
Overseas, negligence has proven to be the most common and successful cause of action in data breach class actions. However, generally speaking, the Australian states tend to take a more restrictive approach to negligence claims (particularly where the matter involves an unintentional act), and negligence may be an unlikely choice in an Australian context.
- Breach of confidence – A claim might also be framed as an equitable cause of action for breach of confidence, as was pleaded in the NSW Ambulance class action. However, a claim for breach of confidence in Australia would not be without its challenges.
Generally, breach of confidence claims have involved deliberate disclosures of information rather than an 'accidental' disclosure caused by a third-party attack. Further, this cause of action has traditionally been used in relation to commercial and 'proprietary' confidences, and not breaches of confidence involving purely personal information.[7] This means that the use of this cause of action in a situation involving the personal data of affected individuals may pose special difficulties.
To date, breach of confidence has rarely been claimed in the context of data breach class actions overseas.
- Breach of directors' duties – As was the case in one of the many Target lawsuits, it is also possible, though in our view unlikely, that shareholders might choose to bring a derivative action against the directors of a company[8] alleging the directors have breached their fiduciary duties by failing to take sufficient steps to protect the company from a breach.
Derivative class actions have not been a popular choice in the Australian class action landscape, as establishing culpability is often difficult and a number of defences are available to directors.[9]
Loss and damages
The most challenging hurdle for a plaintiff class action involving individuals is likely to be establishing the loss suffered by class members which should be compensated.
In most cases involving theft of financial information, financial institutions tend to provide reimbursement for any fraudulent charges on the affected accounts, meaning that individuals are less likely to suffer actual financial loss or to be motivated to pursue a claim in their own name. Even if financial loss can be established, the doctrine of pure economic loss may prevent recovery in negligence depending on the nature of the financial loss and the court's approach.[10]
When a data breach occurs, often the most serious harm will be the potential for future losses or for non-monetary harm, such as embarrassment. Damages for emotional distress are not available for the majority of claims available to individuals affected by a data breach, and quantifying and proving future losses will present unique challenges even where those losses might be financial.[11]
The situation is likely to be simpler for data breach class actions brought by shareholders or enterprises affected by a breach, eg a financial institution that has reimbursed customers for fraudulent transactions on their accounts,[12] shareholders whose shareholdings have been diminished in value by the data breach, or enterprise customers that have urgently had to build workarounds.
Mitigation of loss may also become an issue in certain circumstances. For example, if affected individuals were notified by the company about a data breach and advised to change their passwords but failed to do so, ultimately leading to more severe financial loss, a court may reduce any award of damages based on failure to mitigate the extent of loss.
1. IMF Bentham Class Action Centre, 'IMF Bentham launches representative action against Facebook for privacy breaches' (10 July 2018).
2. Bryan Cave Leighton Paisner, 2017 Data Breach Litigation Report (8 September 2017).
3. Sid Khaitan, 'A deeper look into class-action data breach lawsuits', Rippleshot (29 July 2016).
4. Bryan Cave Leighton Paisner, 2017 Data Breach Litigation Report (8 September 2017).
5. For more on how continuous disclosure obligations interact with data breaches, see our article Coming clean and staying clean: Continuous disclosure obligations in the age of the data breach.
6. Harriet Alexander, 'Paramedics launch class action over the sale of their medical records to personal injury solicitors', Sydney Morning Herald (18 November 2017).
7. See Jessica Hudson, 'Rudiments of the Equitable Remedy of Compensation for Breach of Confidence' in Simone Degeling and Jason NE Varuhas (eds.), Equitable Compensation and Disgorgement of Profit (London: Bloomsbury Press, 2017), p269.
8. A derivative action is one where shareholders of a company choose to litigate on behalf of the company. See Part 2F.1A of the Corporations Act 2001 (Cth).
9. We have written before on the duty of care and diligence which is likely to be the lynchpin of such a claim – see our article Directors' duties and cyber resilience. In brief, directors owe a statutory duty of care and diligence under section 180(1) of the Corporations Act 2001 (Cth) and also a duty of care and diligence under the general law. The business judgment rule in section 180(2) of the Corporations Act, which provides directors with a defence, may make a claim of this kind more difficult to establish.
10. Generally, financial loss is only recoverable in negligence where it is consequential on some other property damage or personal injury. It remains to be seen whether courts would consider a loss of personal information to be property damage, as this would ground the recovery of consequential economic loss. However, given that courts have tended to treat 'property' damage as being limited to tangible property, this is highly unlikely. Indeed, this has been a bar to recovery in several recent US cases, eg In re Sony Gaming Networks & Customer Data Security Breach Litigation, 996 F.Supp.2d 942 (United States District Court, District of California), 21 January 2014. If, on the other hand, financial loss is considered to be pure economic loss, plaintiffs will likely need to establish an assumption of responsibility by the defendant and known reliance by the plaintiff for their claim to succeed (see Brookfield Multiplex Ltd v Owners Corporation Strata Plan 61288 (2014) 254 CLR 185). As already discussed above, establishing known reliance will present difficulty.
11. See eg Falko v James McEwan & Co Pty Ltd  VR 447 and Addis v Gramophone Co Ltd  AC 488 in relation to breach of contract.
12. However, if the claim was brought in negligence, the doctrine associated with recovery of purely economic loss may similarly prevent recovery, as such financial institutions would not themselves have lost property or information. Generally, purely economic loss is not recoverable unless the plaintiff can establish an assumption of responsibility by the defendant and known reliance by the plaintiff. Claims by financial institutions in the US have been vexed by this very issue.