Takeaways from the Optus and Medibank data breach class actions

Compliance risk arises both from actions and words 10 min read

Over the past four months, four data breach class actions have commenced against Optus and Medibank. Prior to that, only one data breach class action had ever been brought in Australia—it ultimately settled for the (relatively) negligible amount of approximately $275,000.¹

And yet, these latest proceedings will face many of the same challenges that previously deterred data breach class actions. What's especially interesting is that plaintiff firms haven't waited for the likely introduction of a new direct right of action that individuals could bring for a breach of the Privacy Act 1988 (Cth) (expected later this year or early next), which would smooth the path for data breach class actions in the future.

The proceedings will be test cases requiring courts to assess whether certain technical and operational cybersecurity controls and practices are necessary to comply with regulations that are largely principles-based. The plaintiffs may also face challenges in establishing compensable loss.

They also emphasise that both compliance with burgeoning cybersecurity and privacy regimes, and what companies say about their compliance, are no longer simply regulatory concerns—they present a high class action risk, particularly in the wake of high-profile cyber incidents which tend to shine a light on cybersecurity and data-handling practices.

In this Insight, we examine the common elements that form the basis for the pleadings, some emerging issues and the practical steps that corporate Australia should be taking now to reduce their class action risk.

You can also access our detailed comparison of each proceeding here.

Key takeaways

• Data breach class action filings are accelerating in Australia. Four class actions have been filed: three against Medibank and one against Optus, and an investigation commenced into a potential class action against Latitude, following recent high-profile data breach incidents involving those entities. Three of the current class actions are consumer-based, whereas the fourth is a shareholder claim.
• The common themes between these claims are allegations that:
  • the defendant failed to comply with regulations regarding data handling and cybersecurity; and
  • those failures amounted to breaches of contractual promises and privacy policies, misleading representations and/or breaches of continuous disclosure obligations.
• These class actions are test cases with challenges for plaintiffs, especially in relation to:
  • the specific data-handling and cybersecurity practices required to comply with regulatory regimes that are largely principles-based; and
  • establishing loss and damage.
• Data breach class actions are now high risk for consumer-facing organisations that experience a data breach impacting a large number of customers. The likely introduction of a direct right of action for a breach of the Privacy Act²—making it easier for these claims to be brought—will only increase this risk.
• Companies should exercise caution in relation to what they say about privacy, the protection of personal information, and cybersecurity readiness and resilience in contracts, policies (including privacy policies), disclosure documents and marketing materials.

Who in your organisation needs to know about this?

Privacy and cyber risk management and resilience should be considered an 'all of company' issue, not confined to IT personnel. In-house legal advisers, boards and risk and compliance teams also need to be part of the cyber-compliance conversation and strategy development.

The data breach claims

For some time now we have been expecting data breach class actions, and in the aftermath of the Optus data breach incident, we noted the risks had increased.

The Optus and Medibank data breaches are now the subject of four class actions:

• 6 February 2023: Baker & McKenzie filed a consumer class action against Medibank in the Federal Court. This proceeding is funded by Omni Bridgeway, one of Australia's largest funders.
• 28 March 2023: Quinn Emanuel filed a shareholder class action against Medibank in the Victorian Supreme Court.
• 20 April 2023: Slater & Gordon filed a consumer class action against Optus in the Federal Court.
• 4 May 2023: Slater & Gordon also filed a consumer class action against Medibank in the Federal Court.

In addition, Maurice Blackburn has lodged representative complaints against Optus and Medibank with the Office of the Australian Information Commissioner (OAIC).

While the specific causes of action in the four class actions differ, each pleads the following common themes:

• The defendant is subject to certain regulatory requirements regarding data handling and cybersecurity, including, for example:
  • the Australian Privacy Principles (APPs) under the Privacy Act, particularly APP 1.2 (practices, procedures and systems), APP 6 (use and disclosure), APP 11.1 (security) and APP 11.2 (deletion or de-identification); and/or
  • industry-specific regulations such as the Health Records Act 2001 (Vic) and APRA Prudential Standard CPS 234 Information Security (CPS 234) (for Medibank) and the Telecommunications (Interception and Access) Act 1979 (Cth) (for Optus).
• The defendant breached those data-handling or cybersecurity regimes (eg by failing to implement multi-factor authentication). In all claims, the fact that a major data breach incident occurred is said to give rise to an inference that the defendant's systems and controls were inadequate.
• The defendant's failure to comply with applicable regulatory requirements amounted to:
  • breach of contract for failure to comply with data-handling and cybersecurity statements contained in customer contracts, policies and terms and conditions (in the consumer claims);
  • misleading representations amounting to a breach of the Australian Consumer Law (ACL)³ (in the consumer claims); and/or
  • breach of continuous disclosure obligations (in the shareholder claim).

You can access our detailed comparison of the four proceedings here.

What cybersecurity standards and practices are required to comply with principles-based regulations?

A key question for courts to determine will be what was required of the companies at various junctures in order to comply with relevant regulations,⁴ in circumstances where those regulations are largely principles-based?

For example:

• APP 11.1 provides that entities must 'take such steps as are reasonable in the circumstances' to protect information from misuse and unauthorised access; and
• CPS 234 provides that APRA-regulated entities must 'maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity'.

In the shareholder class action, the plaintiff claims CPS 234 required that Medibank had cybersecurity measures, including multi-factor authentication and a 'network control system', to monitor for unusual activity and detected malware, amongst other things. The claim does not detail the basis on which these specific systems and controls were required by Medibank to comply with CPS 234, which will no doubt feature prominently in the evidence in the proceeding, including expert evidence.

Whilst principles-based regulations provide flexibility to regulated entities as to how they handle cyber-risk management and cybersecurity, they can also make it harder to pinpoint the exact standards and controls required. The OAIC's Guide to Securing Personal Information does not specify the particular technical standards (eg ISO standards) to be met. However, it does expand on the principles and risk factors that organisations must consider in securing personal information.

It is also clear that in assessing 'reasonable steps,' the OAIC will have regard to relevant international standards (like ISO standards)⁵—and the OAIC recommends that entities consider using relevant international and Australian standards, policies, frameworks and guidance on information security.⁶ The OAIC specifically referred to the Australian Cyber Security Centre's Essential Eight cybersecurity strategies in its quarterly data breach reports,⁷ and APRA similarly recently notified financial institutions of the importance of multi-factor authentication and the Essential Eight.⁸

Is a breach evidence of a failure?

In all of the claims, the fact that a major data breach occurred is said to support an inference that the defendant's data-handling and cybersecurity systems and controls were inadequate.

However, the occurrence of a data breach incident (whether or not caused by a third-party threat actor) does not in and of itself mean an organisation's privacy or data protection measures are non-compliant, particularly in circumstances where the threat landscape is evolving and increasingly sophisticated.

As the OAIC found in its investigation report in September 2011 into the Sony PlayStation Network/Qriocity data breach (which considered the predecessor to APP 11.1, NPP 4.1): 'A targeted attack on an organisation does not necessarily mean that the organisation has failed to take 'reasonable steps'…'.⁹ Indeed, the Notifiable Data Breaches scheme in the Privacy Act effectively acknowledges that suffering a data breach does not mean an organisation has breached the APPs—so long as 'reasonable steps' were taken in the circumstances. 

Additional comments on the shareholder claim

There are a number of interesting issues which emerge from the shareholder class action advanced against Medibank.

The materiality of any non-compliance with CPS 234 will be a critical issue in the proceeding and will have ripple effects for future shareholder class action risk following a data breach incident.

First, the allegations focus on Medibank's alleged lack of compliance with CPS 234 over a three-year period (and not around the data breach event itself). As noted above, given that CPS 234 is not prescriptive, we expect there will be a dispute between the parties regarding:

• the adequacy of the measures Medibank had taken to comply with the prudential standard; and
• if there were any deficiencies in Medibank's compliance (for all or part of the period of the claim period), whether those deficiencies constituted material information requiring disclosure in accordance with Medibank's continuous disclosure obligations.

The materiality of any non-compliance with CPS 234 will be a critical issue in the proceeding and will have ripple effects for future shareholder class action risk following a data breach incident.

Secondly, shareholder class actions typically allege that a defendant has both engaged in misleading or deceptive conduct and contravened its continuous disclosure obligations. However, in this case the plaintiff only alleges a contravention of Medibank's continuous disclosure obligations. There is currently no allegation that Medibank made any misleading statements to the market, meaning that the risk of a shareholder class action for a listed entity following a data breach incident is a live one irrespective of whether a company has actually made any representations relating to its cybersecurity measures.

Issues to watch

• Establishing loss and damage for data breaches remains a key challenge for class action promoters. We have previously observed that consumers are likely to have difficulty pointing to actual economic loss resulting from a data breach incident (particularly where organisations have already reimbursed immediate costs such as replacing identification documentation or obtaining credit monitoring services). Whether damages for emotional distress are available under existing causes of action is also uncertain.¹⁰
• Various issues arising from a multiplicity of claims will need to be resolved. For example, Medibank currently faces three court-based class actions as well as an OAIC representative complaint. Slater & Gordon's class action against Medibank is temporarily stayed, with a hearing scheduled on 1 August 2023 to resolve which class action will proceed. It also remains to be seen whether the OAIC's representative complaint will also proceed alongside the class action, and if so, how issues such as inconsistent factual findings and the potential for double recovery will be resolved.
• Whether investigative reports are privileged will also be ventilated. In the Optus class action, Slater & Gordon has foreshadowed an intention to seek discovery of a Deloitte report commissioned by Optus into the incident, including access to underlying materials. Despite early suggestions that at least some aspects of the report would be shared to help others in the private and public sector holding sensitive data, Optus is now indicating it may be subject to a claim for legal professional privilege. The circumstances surrounding Deloitte’s engagement and the report’s intended purpose will be important considerations in determining whether the applicant is entitled to discovery of this material. There may be a similar privilege fight with respect to a Deloitte report commissioned by Medibank (which Medibank has indicated it will not make public).
• The Attorney-General's review of the Privacy Act is likely to result in a major overhaul of Australia's privacy laws, including by introducing a 'direct right of action' allowing individuals to bring claims for breaches of the Privacy Act. Those changes will only increase the risk of data breach class actions in Australia.

Actions you can take now

• Undertake a cyber risk assessment. The fact that Australia's privacy and cybersecurity regulatory regimes are principles-based means it is especially important for organisations to understand their risk profile and implement measures needed to appropriately address those risks. As the Federal Court considered in its judgment in proceedings brought by the Australian Securities and Investments Commission against RI Advice Group Pty Ltd (RI Advice),¹¹ in order to appropriately manage cyber risks, companies will need to undertake risks assessments to understand the risks faced by the entity (and, where applicable, to third parties acting on its behalf) and take steps to mitigate those risks—which can change over time.¹² For more on conducting cyber-risk assessments, see Risky business: What regulators want you to know about managing cyber risk (allens.com.au).
  For large entities like Optus and Medibank that hold a substantial volume of personal information, particularly sensitive information, those risks are clearly significant—and expectations for the controls and processes put in place to secure that data are commensurately high.
• Ensure you have appropriate data-handling policies and practices in place. Make sure those policies and practices are periodically reviewed to ensure they remain up to date and fit for purpose, taking into account the data you hold and the threat environment.
• Know what data you hold, why you hold it and where you hold it. Make sure you have a robust data retention and destruction program and, where possible, reduce the amount of data you are holding.
• Review your contractual promises and other representations made about data handling, privacy and cybersecurity in customer-facing documents and terms and conditions—this includes your organisation's privacy policies and data collection disclosures. Make sure you catalogue statements you make about your security and data-handling practices, as well as statements you make about any cyber incidents or data breaches. Ensure statements are periodically reviewed to ensure they are up to date.
• Have a well-developed cyber incident response plan and consider cyber and class action strategies early. Your plan should be regularly tested through tabletop exercises and simulations.

Should you have any concerns raised from this Insight, please contact us below. 

Zoe Chapman, Sam Clark, and William Gordon also contributed to this Insight.