Following its data breach of millions of customers, Medibank has been hit with numerous class actions, the most recent of which was filed by global plaintiff firm Quinn Emanuel Urquhart & Sullivan on Wednesday (29 March).

Similarly, following its own data breach, Optus is also facing two class actions, from both Maurice Blackburn and Slater and Gordon, both announced in September last year.

From Professor Swinson’s perspective, this space has been growing for a number of years, to say the least.

“Lawyers have been saying that privacy and cyber security is going to be the next growth area, and I’ve heard people say that for over 20 years. And when the Privacy Act came in more than 20 years ago, people thought that would lead to growth. And it led to growth in relation to compliance issues, people getting their house in order, doing the compliance work, but there were very few large lawsuits,” he explained.

“But now we’ve ransomware and the large cyber security attacks, we are seeing large numbers of the population impacted, and that makes lawsuits worthwhile. And in the past six months, there’s been a representative action in the privacy commissioner’s office [against Optus], the OAIC. There’s a representative action for Medibank in the privacy commissioner’s office. And Baker McKenzie started a class action in Federal Court against Medibank Private just recently.”

Following the announcements of these cyber breaches, Mr Swinson said he thought Australia was “very well prepared” compared to other countries in regard to cyber incidents, despite these massive breaches.

“Ransomware and cyber attacks have been going on for many years. It’s just that we’ve had some big incidents that have affected a lot of Australians, and it’s got a lot more attention recently. But it’s been something that’s been on the agenda for at least five to 10 years, and so these are not unique. They’re ongoing. And in fact, a large number of businesses have been impacted, but maybe not many consumers have been impacted as a result,” he added.

VIEW ALL

“There’s a number of factors all going together to impact this area. One is technology is becoming more and more important in the way we do business. So, companies that previously weren’t technology-focused are now using technology a lot. Second, the cyber security threat landscape is populated by criminals. This is not a typical negligence case where you do something wrong and you trip over yourself. This is something where you are being attacked by malicious, well-resourced, smart criminals.

“They’re skilled, well-resourced. And the threat is dynamic. It’s not something that is the same today as it is tomorrow. You build your wall; they work out how to get over the wall. You add barbwire to the wall, they work out how to get over the barbwire. The criminals keep evolving their mechanisms to deal with security, and so that makes security much harder.”

This means cyber security is something that needs to be an ongoing effort for companies — but in many businesses, there is often confusion as to which department is responsible for the upkeep of such security.

“Different businesses treat it differently, and it’s hard to get everyone talking together to deal with the threats. So, it’s new for most businesses, and they’re trying to work out who’s in charge. And directors may not be across these issues, and so it’s an area where directors should be across them, but it’s new to most directors, and it’s hard, and so directors are confused,” Professor Swinson added.

“There’s no general consensus around what adequate risk management is either. There are many different things that need to be done. And so, there’s no consensus as to what you should be doing. Should you be spending $100,000, $1 million, [or] $10 million on cyber security? They’re difficult decisions to make. So, it’s a difficult environment.”

In terms of Australia being well prepared, however, Professor Swinson said this comes from having a very strong computer industry across the country — but that SME businesses still remain more at risk than larger firms.

“If you’re looking at the banks and financial institutions as a whole, very high-quality cyber security. Where the gap might be, it might be the smaller businesses, the medium-sized businesses, businesses that haven’t fought about cyber security,” he outlined.

“Small law firms should be taking this seriously. There [are] risks there, and we’re seeing more and more attacks on smaller law firms, small accounting firms, real estate agents and so on. The small and medium-sized businesses are probably, the same around the world, not doing it as well as they should, and so that’s where we are going to see more and more damage.

“I think we’re definitely going to see more cyber security incidents, and we are going to definitely see more lawsuits coming out of cyber security and privacy breaches. It’s a growth area, and if you’re a lawyer interested in this area at all, I think there’ll be a shortage of jobs for experienced privacy lawyers. There are people already getting ready for privacy policies and privacy analysis, but incident response in relation to privacy breaches, I think, is a growing area.”

The transcript of this podcast episode was slightly edited for publishing purposes. To listen to the full conversation with Professor John Swinson, click below: