Increased scrutiny following Optus incident
Within days of Optus revealing it had suffered a major cyber incident, two major plaintiff class actions firms announced investigations into potential class action claims. One of those, Maurice Blackburn, has since lodged a representative complaint with the Office of the Australian Information Commissioner (the OAIC). It is possible that more potential class actions will be announced.
Back in 2018, we asked 'Where are all the data breach class actions in Australia?' While such claims have been a feature of the UK and US landscape for several years, in Australia the challenges for plaintiffs in demonstrating a legal basis for their claims and quantifying loss have dampened what otherwise might have been fertile ground for class action activity.
However, the public and political response to the Optus incident, including the Federal Government's announcement of urgent privacy law reform, suggests there may now be an appetite to test these obstacles, or for the Government to legislate around them.
In this Insight, we consider what the key developments arising from the Optus incident may mean for the future of data breach class actions in Australia.
- The Optus data breach has resulted in intense public and political scrutiny of cybersecurity and data handling practices by Australian companies.
- The Federal Government may implement law reforms that could address some of the current obstacles to data breach class actions in Australia.
- We expect increased regulatory scrutiny and enforcement activity around cybersecurity – a trend we were already seeing before the Optus incident, and that is often a precursor to class action activity.
- While we do not expect to see a US-style avalanche of cyber incident and data breach class actions in the near future, we anticipate a growing number of significant claims against Australian companies. For this reason, we consider this to be a high-risk area that should be watched closely.
- To manage class action risk in this new landscape, and comply with regulatory obligations, companies should ensure that they:
  - have effective data governance and cyber risk management arrangements in place; and
  - are prepared to respond (and are resilient) to inevitable cyberattacks (including by developing and testing cyber incident response plans and processes).
On 22 September 2022, Optus announced that it was investigating a possible cyberattack, which had resulted in the disclosure of customers' names, dates of birth, phone numbers and email addresses and, for a subset of customers, addresses and driver's licence or passport numbers. Optus subsequently confirmed that for a further subset of customers, Medicare ID numbers may have been disclosed.
Optus is continuing to investigate the attack, and is cooperating with various authorities. It estimates that 9.8 million customer records may have been exposed – which would make it one of the largest data breaches in Australian history.
Data breach class actions in Australia
To date, there has only been one data breach class action run in the Australian courts: the 2017 case of Evans v Health Administration Corporation.[1] That proceeding was brought on behalf of employees of the NSW Ambulance service after a contractor working for it obtained access to and sold health and personal information contained in employees' files.
The case illustrates the challenges data breach claimants face in Australia. The class brought claims for:
- breach of confidence (and misuse of confidential information);
- breach of contract;
- misleading or deceptive conduct under the Australian Consumer Law; and
- a breach of the (as yet unrecognised) tort of invasion of privacy.
In approving a settlement of $275,000, Chief Judge in Equity Ward (as her Honour then was) noted the 'particular risks' associated with the litigation, including the need to establish new ground in relation to some of the claims sought to be pressed in this jurisdiction, and the defences to be raised by the first defendant.
One of the key obstacles currently facing class action plaintiffs is that there is no specific 'fit for purpose' cause of action under Australian law enabling an individual to pursue a claim for breach of privacy or loss of data. In particular, there is no direct right of action allowing individuals to bring claims for breaches of the Privacy Act 1988 (Cth), which can only be investigated by the OAIC, and no established tort of invasion of privacy.
Accordingly, plaintiffs have to bring claims under a range of other causes of action, which are largely untested as to privacy claims. Perhaps the most challenging hurdle for plaintiffs whose data has been compromised is establishing compensable loss. The typical consumer may have difficulty pointing to any actual economic loss, and there is generally no avenue to seek damages for emotional distress.
While not a court-based class action procedure, the OAIC has a representative complaints process that shares some similarities with a class action proceeding. This process allows an individual to lodge a complaint on behalf of a broader class of individuals alleging breaches of the Privacy Act arising from a common set of facts (ie the same cyber incident). The Information Commissioner may then investigate the alleged breaches, including whether an act comprises interference with the privacy of an individual.[2] Importantly, this procedure allows the Information Commissioner to declare that complainants are entitled to compensation, including for emotional distress.
In 2021, the Information Commissioner determined that the Secretary of the Department of Home Affairs had breached the Privacy Act by inadvertently publishing sensitive, personal information of individuals in immigration detention, including their period of immigration detention, boat arrival details and why they were 'unlawful non-citizens'. The Commissioner declared that 1297 class members who provided details of loss or damage were to be paid compensation, including for emotional distress.
It remains unclear whether any court-based class actions will proceed against Optus. Any action would not have the benefit of the reforms being debated, so would face many of the obstacles in the law as it currently stands. However, the scale of the incident may mean the sum of individual losses is significant and therefore attractive to class action promoters. This is a pattern seen in the US with class action lawsuits clustering around the same high-profile breaches.
The fact that Maurice Blackburn has chosen to file a representative complaint with the OAIC in relation to the Optus incident is perhaps an acknowledgement of the existing obstacles. Maurice Blackburn is already running a representative complaint to the OAIC in relation to a 2019 incident involving Optus, regarding the alleged disclosure of approximately 50,000 consumers' personal information, including names, addresses and phone numbers in the White Pages.
In either forum, there will be a question about the actual economic loss suffered by individuals. Alleged loss might include the time and costs involved in responding to the breach: eg replacing identification documents (though we understand Optus is reimbursing certain costs) and any loss suffered as a result of identity theft. As noted above, a benefit of the OAIC representative procedure is that damages for emotional distress may also be available.
It is also worth noting that end consumers are not the only group that might bring a data breach class action. Many of the successful class actions in the US have been brought on behalf of financial services entities that incurred quantifiable expenses arising from a data breach: eg credit-card reissuance costs, or reimbursement for fraudulent transactions. Enterprise customers affected by an upstream data breach who incur considerable costs as a consequence of the breach may also comprise a ready 'class'.
The Attorney-General, Mark Dreyfus, has indicated that the Government will make 'urgent reforms' to the Privacy Act, though the precise nature of the intended changes is unclear. The Attorney-General's public comments have largely focused on increasing penalties, suggesting they should be 'very serious' and need 'to be something that concentrates the minds of the board members of big companies'. Currently, the civil penalty provisions in the Privacy Act provide for a maximum $2.2 million penalty for serious or repeated interferences with privacy.[3]
We may not have to wait long to find out what other changes the Government has in mind: the Attorney-General has suggested that it will be expediting privacy reforms. The first round of reforms will be put before Parliament before the end of this year – though we expect that the previously earmarked introduction of a direct right of action for a breach of the Privacy Act and/or a statutory tort of privacy would require further consultation and is unlikely to form part of this first tranche.
A direct right of action or statutory tort would largely address the current legal obstacles to bringing data breach claims in Australia, including by enabling individuals to claim damages for the emotional distress associated with having their data compromised.
The Optus data breach has also brought more keenly into focus the regulatory enforcement risk associated with cybersecurity risk management. It is a particularly complex environment, with aspects of oversight from the OAIC, APRA, ASIC and the ACCC, among others. Most of these regulators had already signalled that cybersecurity was an enforcement priority even before the Optus incident, and have since issued to their regulated entities a flurry of reminders and warnings relating to cybersecurity responsibilities.
Enforcement activity by regulators often provides plaintiff law firms and litigation funders with vital information to identify and assess the viability of potential class action claims.
For more information about the steps directors should be taking in relation to cyber risk management, see our handbook, Everything you need to know about cyber risks, resilience and responsibilities. If you have questions or there is anything you would like to discuss, please reach out to our Cyber team.
[1] NSWSC 1781.
[2] The Privacy Act.
[3] Section 13G of the Privacy Act.