Kate Austin: What is the key class action risk?
Five class actions have been filed this year: four against Medibank and one against Optus. A class action against Latitude is also being investigated. The Medibank claims have been consolidated into two proceedings – one consumer claim and one shareholder claim. The case against Optus is a consumer claim.
The common element across the claims is an overarching allegation that:
- the defendant made promises and representations to consumers in its privacy policies, contracts and other material about the systems and processes it had in place to comply with its data handling and cybersecurity obligations; and
- these promises and representations were false.
This means that, for corporate Australia, statements companies make about their security and data handling practices and data breaches present the biggest class action risk at this time. These types of claims are high risk for consumer-facing organisations, especially those with a significant volume of personal and sensitive data – like those in the healthcare or financial services industries – and ASX listed organisations.
Valeska Bloch: What practical steps can be taken to minimise this risk?
Companies need to be particularly careful about statements that they make in two contexts:
- The first context is statements made in the aftermath of a cyber incident about the nature and severity of the incident. And that's harder than you'd think, because in the immediate aftermath of a cyber incident, organisations typically know very little about what has happened, and what they think they know often turns out to be wrong.
Getting to the bottom of what has happened – if that's possible at all – can take a while. And it's a task made even more difficult if the organisation has inadequate monitoring and logging capabilities, or if these have been bypassed or tampered with by the threat actor. And yet, organisations are often under enormous pressure to notify early, in some cases within hours of becoming aware that something has happened.
This means that while it's important for organisations to be transparent and to disclose the critical information people need to reduce the risk of harm to them and others, it's also important not to feel compelled to make claims that you'll likely need to roll back from, or to speculate or make assumptions. You need to be clear about what is known, what is unknown, what is suspected but not confirmed and what impacted individuals (and other stakeholders) can expect will happen next. All statements should be vetted by Legal and you should keep evidence that backs up those statements.
The best way to prepare for this is to have a well-developed cyber incident communications plan and notification strategy.
- But as we've seen with the Optus and Medibank class actions, statements made by organisations about their security posture more broadly, their compliance with relevant regulatory regimes, and the cyber risks that they face, will also be interrogated, and can expose them to significant liability.
These statements may be made on websites, in privacy policies, collection notices or security statements, in marketing collateral, at conferences, in annual reports, in attestations and in contracts.
When making these statements, it's important to ensure they are accurate and up to date. Don't overstate your organisation's capabilities, but also be careful not to provide too much technical or other detail that might in and of itself create a security risk.
Finally, keep an inventory of these statements and attestations and ensure they are regularly tested, challenged and kept up to date.
Kate Austin: Future risk?
The class actions brought this year have largely focussed on statements made by the defendants. This focus on cyberwashing continues the trend of scrutiny of these sorts of statements that we've been seeing overseas for several years now – from class action plaintiffs and regulators alike.
But with the government providing support for the introduction of a direct right of action for breach of the Privacy Act, we expect the volume of class actions to escalate. A direct right of action will increase the avenues available to claimants and will clarify that damages for emotional distress may be claimed (a key area of uncertainty in the current class action claims).
Kate Austin: Conclusion
In-house legal advisers, boards and risk and compliance teams need to be part of the cyber-compliance conversation and strategy development in any business. If you'd like more information on how to best facilitate this, please reach out to our team.