The broader implications of data breach class actions
After 9.7 million Medibank customers had their data accessed during a massive data breach, there have been a number of firms seeking legal action on behalf of those customers. Here’s what these actions may mean moving forward.
In early November, hackers were able to access names, dates of birth, addresses, phone numbers, and email addresses for almost 10 million current and former Medibank customers, as well as ahm customers’ Medicare numbers.
“Health claims data for around 160,000 Medibank customers, around 300,000 ahm customers, and around 20,000 international customers [were accessed]. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered,” the insurer stated at the time.
“Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed, and around 2,900 next of kin of these patients have had some contact details accessed.”
A ransomware group has since been posting the stolen data online in an attempt to extort the company. In response to Medibank not meeting its ransom demand, hackers have started to release the remaining customer data on the dark web.
Last month, Maurice Blackburn lodged a formal complaint with the Office of the Australian Information Commissioner (OAIC), which has the power to order Medibank to pay compensation to affected customers, in what the firm said was an “important test of Australian privacy laws”.
The firm first launched an investigation into a possible action on 13 November, following the one announced the week before by Bannister Law Class Actions and Centennial Lawyers. At the time, Maurice Blackburn was also considering a class action against Optus following its own data breach.
As cyber security hacking incidents become more “common and formidable”, so do the actions related to them, according to Professor Michael Duffy, director of the Corporate Law, Organisation and Litigation Research Group at Monash Business School.
“In terms of the liability argument, there may be a question of whether reasonable care was or was not exercised by Medibank, and whether appropriate defensive technology is being used.
“As these hacks are becoming more common and formidable, there may be another question into the future of how reasonable it is for businesses to keep asking for sensitive personal data as a condition of doing business. This may or may not apply in the case of Optus and Medibank — and certainly some of these requirements are driven by government regulation,” he explained.
“Nevertheless, businesses requesting and keeping personal details that aren’t completely essential could become more legally problematic for them, if they are hacked.”
Moving forward, and with one compensation claim already filed by Maurice Blackburn, companies that hold customers’ data will face increased risk.
“Companies will realise that holding large amounts of personal data now holds risk, as well as any presumed benefit. Though liability is yet to be fully determined, class action mechanisms mean that companies will be increasingly held to account civilly where private data falls into the wrong hands,” Mr Duffy added.
“It will become apparent soon if existing privacy laws need to be strengthened. Companies will also see more clearly that their potential exposure goes beyond liability to regulators and includes liability to citizens who suffer loss. Governments too will have to have a good look at their practices as they are exposed too.”
The Maurice Blackburn action, in particular, said Mills Oakley cyber risk and insurance partner Jason Symons, has the potential to be a “wake-up call” for other organisations.
“Like the breach itself, it is not the first of its kind. However, this one could be the one that forces organisations to see privacy or cyber-related class actions as a substantial risk. The scale of the Medibank breach, the sensitivity of the personal information disclosed, the number of customers involved, and the fact it is brought by one of Australia’s largest plaintiff firms, means it ticks all the boxes to potentially set a precedent for these kinds of class actions,” he told Lawyers Weekly.
“A class action of this kind will test how Australian privacy law as it currently stands responds to a very large data breach that includes the disclosure of personal information that is sensitive to many people. We may also see, depending on how the complaint is brought, Medibank’s cyber security posture tested in terms of what was expected to satisfy the requirements of the Australian Privacy Principles.
“The ASIC v RI Advice Federal Court case gave us a taste of what a court’s expectations may look like when it comes to cyber security risk management and how to respond to cyber incidents. The Medibank complaint may see the first demonstration of what the OAIC expects of large Australian corporations.”
However, a complaint brought before the OAIC has a number of “procedural hoops”, according to Mr Symons, who said that whilst the complaint can be brought without consent of class members, it still needs to meet a number of requirements pursuant to the Privacy Act.
“At some point, class members will be asked by the commissioner if they wish to participate in any potential compensation, and if so, present evidence of their loss or damage (both economic and non-economic). To be compensated for non-economic loss, class members have to produce evidence of, for example, any injury to feelings, humiliation, anxiousness or mental health condition they have suffered as a result of the data breach.
“The OAIC then considers the evidence, submissions of both parties and its own investigation before making its determination regarding whether there has been an interference with the privacy of the class members caused by the data breach, compensation payable to the participating class members, and what other steps the respondent may have to take to ensure such a breach does not happen again,” he added.
“If it cannot be agreed by the parties, the OAIC provides a process for determining the loss payable. The complainant or commissioner may commence Federal Court proceedings to enforce the determination, or a party can have the determination reviewed by the Federal Court or Administrative Appeals Tribunal (AAT).”
Actions like these are also set to change the way big corporations look at their cyber security measures, Mr Duffy emphasised.
“Companies need to understand that cyber attacks are an increasing risk — the possibility of state actors or hackers working from rogue states adds to this risk, and is a real and present danger. Listed companies also need to understand that, in addition to class actions about loss from release of private data, shareholder class actions are another risk if data breaches lead to large share price falls. More warnings and general disclosure to share markets about that possible risk will help reduce the latter potential liability,” he said.
“Companies must act reasonably in accordance with reasonably foreseeable risk. This means, obviously, good technology and processes to protect data. It may also cause them to pause to consider how much private data they really reasonably need to ask for in the first place.”
And moving forward, in-house legal teams and cyber lawyers will increasingly be able to bring cyber security risk issues to the board room in order to better protect their organisations and clients, Mr Symons added.
“In-house legal counsel for organisations regulated by the Privacy Act should familiarise themselves with OAIC representative complaints or seek external advice so that the risk of a class action can be assessed and form part of their risk framework if necessary. If a class action for their particular business is more likely, maybe because of the kinds of personal information held, the organisation needs to consider taking steps to reduce that risk, possibly by minimising the sensitive personal information held as much as possible.
“Big corporations, if not already, must now see the connection between a data breach and a potential class action. This includes for both public and private corporations. Corporations cannot stop breaches entirely, so they must evaluate the level of cyber risk they are prepared to accept, and a potential class action may now weigh into that equation,” he concluded.
“In turn, that risk assessment exercise may now require further investment in cyber security. We do not yet know whether poor cyber security caused the Medibank breach, but corporations, even with strong cyber security, can always invest more in better incident planning and being as ready as possible for a potential data breach.”