In the last financial year, the Australian Cyber Security Centre (ACSC) received more than 67,500 cyber crime reports, which equates to one incident every eight minutes, from governments, large companies, critical infrastructure operators, small businesses, families and individuals. 

Whilst some BigLaw partners have expressed the “pressing need” for the establishment of a specialist Cyber Panel, the Labor government recently revealed an overhaul of the country’s cyber security strategy, focusing on increased education and tougher penalties.

If organisations fail to protect consumer and client data under Australian privacy laws, regulators now have the power to enforce penalties in relation to cyber security risk — with a number of notable claims already brought to the courts.

Speaking to Lawyers Weekly, Brendan Read, partner at advisory and investment firm KordaMentha, said that “cyber class action matters are unfolding at pace”.

“In the US and Canada, in particular, class actions against corporations following breaches of sensitive personal and business data are increasing,” he said.  

“Class actions greatly magnify the financial and reputational losses caused by cyber breaches. Payouts to consumers and shareholders are running into the hundreds of millions of dollars. The sheer size of the damages paid out overseas is a clear signal that similar lawsuits will be seen in Australia and that Australian organisations should be moving quickly to mitigate the risks. Once a precedent is set here, we expect the floodgates will likely open.”

Allens partner Monisha Sequeira echoed a similar sentiment and said that whilst there has been a slow start to data breach class actions in Australia, the potential for these sorts of class actions is increasing.

VIEW ALL

“Reports of class action firms and funders considering these representative complaints and class action claims is on the rise. After all, cybersecurity incidents and data breaches often affect large groups of people and the sum of individual losses can be significant. Overseas cases both foreshadow what could happen in Australia, but also highlight some of the different circumstances in our jurisdiction,” she said.

“Cyber incident and data breach class actions have proliferated in the US, with class action lawsuits clustering around the same high-profile breaches. We have seen a variety of class action claims in the US — from failures in cyber risk management, to data breaches, to securities class actions for alleged false and misleading market disclosures made by organisations about their cybersecurity practices or which downplayed the severity of cyber incidents. Many of these claims have settled for significant amounts.”

Although the expected number of cyber-related class actions is lower than originally anticipated, Jason Symons, cyber risk and insurance partner at Mills Oakley, said it’s still something lawyers in this space need to be on the lookout for.

“While we have not seen the flurry of cyber-related class actions we may have expected back in 2018–2019, the risk is still there, and an influx could be on the horizon. There are so many factors that go into whether a plaintiff firm and litigation funder pursue a particular kind of class action, and to commence a cyber-related one at this time may pose too great a risk,” he said.

“There are many unknowns, most notably whether a tort for invasion of privacy would be recognised by an Australian court. It may be the case that funders are awaiting the current review of the Privacy Act to see whether such a statutory tort will be introduced, or a direct right of action, and in turn a cyber or privacy-related class action has greater prospects of success.”

The Attorney-General’s review of the Privacy Act, due to present a report to the government by the end of the year, proposes changes to Australian privacy law that are focused on strengthening privacy protections for individuals and improving transparency and accountability in data handling practices. 

Valeska Bloch, Allens head of cyber, said this “has signposted an expansive set of proposed changes to Australian privacy law, including a direct right of action for individuals to bring claims for a breach of the Privacy Act and a potential statutory tort of privacy”.   

“But organisations don’t only have to contend with an incredible volume of regulatory reform. Regulators are closely scrutinising data handling and cyber risk management practices and they are also becoming more prescriptive about their expectations,” she said.

“On top of this, organisations are increasingly being required to attest to their cybersecurity and data handling practices — whether to regulators, customers or the market — and to notify regulators of cyber incidents. This means that organisations need to be particularly careful to ensure that those attestations and notifications are not misleading or deceptive.”

Additionally, organisations are increasingly being required to implement cyber security and data-handling practices and notify regulators of cyber incidents. An increase of scrutiny can also be seen within the ASIC v RI Advice Group case, the first time ASIC has exercised its powers in relation to the management of cyber security risk.

Financial services company RI Advice was found to have breached the law by failing to protect confidential client information from a spate of cyber attacks over a seven-year period — a landmark case Mr Read said set a “precedent for all regulators to pursue similar cases and increases awareness among boards, shareholders and consumers about the responsibilities organisations have to implement minimum security standards”.

“For lawyers and their clients, one of the most interesting findings in this case was that RI Advice was aware of the security issues and had taken action to remedy security deficiencies. Despite this, the court found that it had not acted quickly enough to address security problems and that it ought to have had a better, faster detection and remediation program in place,” he said.  

“RI Advice now faces hefty costs and serious reputational damage, with the court ordering it to not only pay $750,000 to cover ASIC’s legal costs but also engage cybersecurity experts to commandeer its risk management strategies and provide written progress reports to regulators at regular intervals.

“Overseas, a recent class action lawsuit against US mobile carrier T-Mobile ranks among the most damaging. The telco has agreed to a USD350 million settlement after a staggering 76 million customers had their sensitive data exposed in August 2021. At this time, the settlement is the second largest for a data breach in US history, after Equifax’s $700 million payout in 2019. The telco is also required to pay an additional USD150 million to upgrade data security and has suffered negative reputational consequences that may take years to properly quantify,” he continued.

In 2021, the Department of Home Affairs was found to have interfered with the privacy of 9,251 asylum seekers, including their period of immigration detention, boat arrival details and why they were “unlawful non-citizens”. Class members had to provide information to the Office of the Australian Information Commissioner (OAIC) regarding loss and damage; and the commissioner subsequently awarded damages not only for economic loss, but for non-economic loss too, including for general anxiousness, trepidation, concern or embarrassment.

The OAIC also currently has ongoing proceedings with Facebook, having filed a claim in the Federal Court in March, alleging the social media platform committed serious and/or repeated interferences with privacy in contravention of Australian privacy law.

According to Ms Sequeira, Evans v Health Administration Corporation is Australia’s only cyber class action to date.

“It was commenced in the Supreme Court of NSW in 2017 on behalf of employees of the NSW Ambulance service after a contractor working for the service obtained access to and sold the sensitive health and personal information contained in employees’ files. The matter settled before trial for $275,000,” she said.

“The employee class claimed a breach of confidence (and misuse of confidential information); a breach of contract; misleading or deceptive conduct under the Australian Consumer Law; and a breach of the tort of invasion of privacy.”

Cases like these — in addition to mandatory reporting laws being in full force — mean there is “significant potential” in the increase of cyber-related class actions, according to Mr Symons.

“When you consider the Ambulance NSW class action, the ongoing action by the OAIC against Facebook, and the recent RI Advice decision, there is significant potential. We can’t forget too that the class action may be ‘cyber-related’ or ‘privacy-related’ when commenced via other well-established avenues — such as the continuous disclosure and misleading or deceptive conduct laws if the breach impacts the share price of a listed entity.

“Activity in the US in the class action space over recent years warns us that cybersecurity incidents can ground class actions. This only reinforces just how critical the assessment and management of cyber risk and incidents is for organisations today,” he said.

“We know that any organisation can be a victim of cyber-crime because data breaches can result from poor cybersecurity or human error. Data breaches usually impact a large number of people, so they are well suited for class actions. Organisations that hold personally identifiable information (PII) for a broad range of individuals are particularly at risk. How the organisation manages an incident, particularly with regard to public disclosures is vitally important when we take into account the risk of a class action.”

The claims also mean that the growing expectation that data and cybersecurity should be front of mind in executive decision making and that failures to meet minimum standards, monitor defences and take swift and appropriate action to remedy any issues identified may have consequences beyond the fines and other measures imposed by “cyber specific” laws, added Mr Read.

“For lawyers generally, whether specialising in class actions or not, our advice is to ensure clients are aware of their obligations under existing legal and regulatory frameworks to monitor, test, remediate and report cyber security issues to the relevant authorities. Remember, this may involve including cybersecurity as part of compliance with other laws — RI Advice shows that failing to take swift action on a known security issue had a consequence under the general corporations law, rather than any specific security legislation,” he said.

“For many of your clients, this may mean advising them to elevate cyber security at the senior management and board levels, as well as undertaking more regular auditing of vulnerabilities and defences, Education is also a key component, and encouraging organisations to invest in programs to increase cyber awareness among employees will help boost defences. Cyber crime continues to evolve, as does the governing legislation. Firms are given no option but to analyse their cybersecurity posture and evaluate risk management policies and frameworks.”