Dentons litigation lawyer Ben Allen has warned of the consequences looming data breach regulation will have for retailers in Australia.
Mr Allen said that the new laws would soon create a requirement for retailers to report a data breach “that is likely to result” in serious harm to an individual.
According to the law firm partner, these changes would likely have serious consequences for a number of high-profile brands that fail to protect the personal information of customers.
“Until recently consumers shopping online have often had limited or even no notification that their personal, credit card or other financial details may have been obtained by hackers,” Mr Allen said.
He explained that any retailer with a turnover greater than $3 million will be required to report a successful cyber attack to the Office of the Australian Information Commissioner (OAIC), and potentially to inform all affected individuals and make a public apology. Unless an exception applies, the rule will cover retailers that hold customer data such as credit card details.
“Failure to [report] or repeated non-compliance could see civil penalties of up to $1.8 million imposed but also leave them at risk of a further class action,” Mr Allen added.
He pointed to an example from the United States earlier this year, when Target was taken to court by 200,000 consumers after hackers were able to access the credit and debit card details in 40 million records held by the retailer.
Mr Allen added that the risk a potential data breach poses went far beyond reputational damage.
The company, which is not connected to the Australian brand, ultimately paid out US$18.5 million to the US government. Since the one-time data breach in 2013, Target has also reportedly invested US$200 million in managing the hacking incident.
“The rise of litigation funders in Australia over the past couple of years, coupled with a very well-developed class action scheme in Victoria and New South Wales, makes it almost a certainty that retailers here will face legal action if they fail to adequately respond to a cyber attack,” Mr Allen said.
In Australia, only 107 voluntary data breach notifications were made to the OAIC between 2015 and 2016. Retail and online services were among the top five sectors reporting breaches to the commissioner.
Mr Allen recommended that company directors and senior management implement measures to ensure they are notified immediately of a potential breach, rather than at the end of an investigation.
“The level of risk means data breaches are not simply ‘an issue for IT’,” he said.