Litigation and Investigations
Overview
The high-profile data breaches affecting Optus (September 2022) and Medibank Private (October 2022) ushered in a new era for data breach litigation in Australia. These incidents, which exposed the personal and sensitive health information of millions of Australians, have resulted in multiple class actions and intense regulatory scrutiny, highlighting the escalating legal and financial risks for organisations that fail to adequately protect data. The Optus breach involved the theft of personal information and identity documents. The Medibank attack was a ransomware incident where, after the company refused to pay a ransom, attackers progressively released sensitive health claims data onto the dark web.
Both incidents triggered formal investigations by the Office of the Australian Information Commissioner (OAIC). In June 2024, the OAIC commenced civil penalty proceedings against Medibank for alleged breaches of the Privacy Act 1988 (Cth). The Australian Prudential Regulation Authority (APRA) also responded by increasing Medibank's capital adequacy requirement because of identified weaknesses in its information security environment.
Data Breach Class Action Proceedings
Medibank Consumer Class Action
This is a consolidated action on behalf of affected customers.
- Causes of Action: The extensive claims allege: breach of contract; breach of an equitable duty of confidence; negligence; breaches of the Privacy Act (including Australian Privacy Principles 1.2, 1.3, 1.4, 6.1, 6.2, 11.1, and 11.2, as well as the preceding National Privacy Principles); breaches of state-based health records legislation (in VIC, NSW, and ACT); and breaches of the Private Health Insurance (Prudential Supervision) Act 2015 (Cth).
- The action alleges Medibank failed to meet appropriate industry standards (such as ISO27001, the NIST Cybersecurity Framework, and the Essential Eight) by failing to implement reasonable security measures. Specific alleged failures include:
- Authentication and Access: Lacked multi-factor authentication (MFA) for access to its network and failed to enforce "least privilege" or "just-in-time" access controls.
- Network Security: Failed to properly segment its networks using tools like "jump boxes" to prevent an attacker's lateral movement.
- Monitoring and Detection: Lacked adequate systems (including firewalls and up-to-date threat intelligence) to detect and monitor for malicious traffic, unusual behaviour, or large-scale data exfiltration.
- Data Management: Failed to have adequate systems to delete personal information that was no longer required.
- The class seeks damages for distress, frustration, and anxiety; equitable compensation; aggregate damages for the entire group; and a mandatory injunction requiring Medibank to destroy or de-identify customer information it no longer needs.
- The proceeding is Zoe Lee McClure v Medibank Private Limited, VID64/2023.
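Of the failures alleged in the list above, the monitoring gap (no adequate system to detect large-scale data exfiltration) is the one that lends itself to a concrete illustration. What follows is an added example, not code from the proceedings, from Medibank or from any vendor named on this page. It assumes a simple flow-log format (date, source host, destination IP, bytes out), constructed sample records, RFC 1918 ranges as "internal", and arbitrary thresholds; all of these are assumptions for illustration. The detector keeps a per-host baseline of external egress and raises an alert only when a day's volume is both large in absolute terms and far above that host's own history, and it names external destinations the host has never contacted before.

```python
"""Volume-baseline egress detector over constructed flow records.

Added example: not code from the proceedings, from Medibank or from any
vendor named on the page. The log format (date,src_host,dst_ip,bytes_out),
the hosts, addresses and thresholds are all assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records: six unremarkable days, then on 2022-10-07
# db-proxy-01 pushes ~5.2 GB to an external address it has never
# contacted before. web-01 is a legitimately busy host used as a control.
SAMPLE_FLOWS = """\
2022-10-01,db-proxy-01,10.20.1.15,4000000
2022-10-01,db-proxy-01,203.0.113.7,1500000
2022-10-02,db-proxy-01,203.0.113.7,1700000
2022-10-03,db-proxy-01,203.0.113.7,1400000
2022-10-04,db-proxy-01,203.0.113.7,1600000
2022-10-05,db-proxy-01,203.0.113.7,1550000
2022-10-06,db-proxy-01,203.0.113.7,1650000
2022-10-07,db-proxy-01,10.20.1.15,5000000
2022-10-07,db-proxy-01,198.51.100.23,5200000000
2022-10-01,web-01,203.0.113.7,300000000
2022-10-02,web-01,203.0.113.7,310000000
2022-10-03,web-01,203.0.113.7,290000000
2022-10-04,web-01,203.0.113.7,305000000
2022-10-05,web-01,203.0.113.7,295000000
2022-10-06,web-01,203.0.113.7,300000000
2022-10-07,web-01,203.0.113.7,320000000
"""

# RFC 1918 ranges (assumption): traffic staying inside these is not egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    day: str
    src_host: str
    dst_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    bytes_out: int


@dataclass(frozen=True)
class Alert:
    host: str
    day: str
    observed: int                       # external bytes sent that day
    baseline: int                       # median external bytes on prior days
    new_destinations: tuple[str, ...]   # external IPs never seen before that day


def parse_flows(text: str) -> list[Flow]:
    """Parse 'date,src_host,dst_ip,bytes_out' lines; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, host, dst, nbytes = line.split(",")
        flows.append(Flow(day, host, ipaddress.ip_address(dst), int(nbytes)))
    return flows


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def detect_exfiltration(flows: list[Flow], ratio: float = 10.0,
                        min_bytes: int = 1_000_000_000,
                        min_history: int = 5) -> list[Alert]:
    """Flag host/days whose external egress is both large in absolute terms
    (>= min_bytes) and far above the host's own history (> ratio x median of
    at least min_history prior days). The absolute floor stops a quiet host
    being flagged for a few extra megabytes; the relative test stops a busy
    host's normal volume from hiding inside a single global threshold."""
    egress = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    dsts = defaultdict(lambda: defaultdict(set))     # host -> day -> {external ip}
    for f in flows:
        if not is_internal(f.dst_ip):
            egress[f.src_host][f.day] += f.bytes_out
            dsts[f.src_host][f.day].add(f.dst_ip)

    alerts = []
    for host, days in egress.items():
        history, seen = [], set()
        for day in sorted(days):                     # ISO dates sort chronologically
            observed = days[day]
            if len(history) >= min_history:
                baseline = int(statistics.median(history))
                if observed >= min_bytes and observed > ratio * baseline:
                    fresh = tuple(sorted(str(ip) for ip in dsts[host][day] - seen))
                    alerts.append(Alert(host, day, observed, baseline, fresh))
            history.append(observed)
            seen |= dsts[host][day]
    return alerts


if __name__ == "__main__":
    for a in detect_exfiltration(parse_flows(SAMPLE_FLOWS)):
        print(f"{a.day} {a.host}: {a.observed:,} B vs baseline {a.baseline:,} B; "
              f"new external destinations: {', '.join(a.new_destinations) or 'none'}")
```

Run as a script it reports one alert: db-proxy-01 on 2022-10-07, roughly 5.2 GB against a baseline of about 1.6 MB, to a previously unseen external address. web-01, which moves around 300 MB a day, is not flagged because its day-seven volume is neither above the absolute floor nor out of line with its own history. In a real deployment the baseline would come from a longer window and the thresholds from the organisation's own traffic profile; the point of the example is that per-host baselines plus a "first contact" check are cheap to compute from data most organisations already log.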
Medibank Shareholder Class Action
- This action is brought on behalf of investors, alleging breaches of continuous disclosure obligations under the Corporations Act 2001 (Cth) and misleading or deceptive conduct. The claim argues that Medibank failed to disclose known inadequacies in its cybersecurity systems, including alleged non-compliance with APRA's Prudential Standard CPS 234 (Information Security), so that its share price was artificially inflated, and that investors suffered loss when the share price fell by approximately 18% after the breach was revealed.
- The proceeding is Robert Laird Kilah & Brendan Francis Sinnamon v Medibank Private Limited, S ECI 2023 01227. See interlocutory judgments within these proceedings including Kilah & Anor v Medibank Private Limited [2024] VSC 152 (28 March 2024) and Kilah & Anor v Medibank Private Limited (No 2) [2024] VSC 519 (2 September 2024).
Optus Consumer Class Action
- This consolidated action alleges breach of contract, negligence, breach of confidence, and contraventions of the Privacy Act, the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act), and the Australian Consumer Law (ACL). (On misleading representations about data handling under the ACL, see, e.g., Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367 (16 April 2021), in which the Federal Court of Australia (Thawley J) found that Google LLC had misled consumers about the collection and use of their personal location data, a finding that later resulted in $60 million in penalties.) It alleges Optus failed to protect customer data by, among other things, not preventing the extraction of large volumes of data and not having adequate change management processes to ensure that system changes did not introduce vulnerabilities.
- The class seeks damages for emotional distress and the costs associated with responding to the breach, as well as injunctions for the deletion of data.
- The proceeding is Peter Julian Robertson & Anor v Singtel Optus Pty Limited & Ors, VID256/2023.
Privilege in Cyber Incident Contexts
A critical legal issue emerging from this litigation is the extent to which forensic reports commissioned after a cyberattack are protected by legal professional privilege (or LPP).
What is Legal Professional Privilege?
Legal professional privilege is a fundamental legal principle that protects confidential communications from disclosure in legal proceedings. For the privilege to apply, the communication or document must have been made for the dominant purpose of either:
- A lawyer providing legal advice to a client ("advice privilege"); or
- Use in existing or reasonably anticipated litigation ("litigation privilege").
The purpose must be dominant, not just a substantial or equal purpose. A key test is whether the document would have been created irrespective of the need for legal advice. The onus of proving the dominant purpose rests on the party claiming privilege.
Cyber incidents present unique challenges for maintaining LPP because the response involves multiple, concurrent objectives. Forensic investigation reports are often created for several purposes, including:
- Understanding the root cause to contain the incident and remediate systems.
- Complying with obligations to regulators (such as the OAIC and APRA).
- Managing communications with customers, investors, and the public.
- Assessing legal exposure and preparing for litigation.
In the Medibank consumer class action, the Federal Court's ruling on the privilege claims produced a more nuanced outcome than the Optus ruling discussed below, demonstrating that privilege can be maintained if investigations are structured carefully. Three broad reports by Deloitte were held not to be privileged because they were prepared for several purposes of equal weight, including public and investor relations and managing Medibank's relationship with APRA, so that no legal purpose was dominant. The Court also found that Medibank had waived privilege over the recommendations in one Deloitte report by announcing in an ASX release its intention to implement them.
Conversely, the Court upheld privilege over narrower technical reports from CrowdStrike and Threat Intelligence, and over communications with CyberCX and Coveware. The evidence established that these were commissioned directly by Medibank's lawyers for the dominant purpose of enabling legal advice on specific issues such as regulatory notifications and the legality of paying the ransom.
In the Optus consumer class action, by contrast, the Full Federal Court ruled that a forensic report prepared by Deloitte for Optus was not privileged. The Court found that Optus's public statements indicated the report was commissioned for multiple purposes, including public relations, and that the evidence did not establish that the legal purpose was dominant.
Maintaining Privilege
- External lawyers should be the ones to formally engage forensic experts, with clear engagement letters specifying the dominant legal purpose.
- Organisations should have a cyber incident privilege policy and protocol in place before an incident occurs.
- Where possible, commission separate reports for distinct legal and non-legal purposes (e.g., one confidential report for the legal team and a separate one for operational remediation).
- Carefully manage all statements about an investigation, whether internal communications, public statements or ASX announcements, to avoid attributing a non-legal purpose to it, which can undermine or waive a privilege claim.
Regulatory Investigations and Determinations
Investigations by bodies such as the Office of the Australian Information Commissioner (OAIC) are a critical part of the response to major data breaches or controversial data handling practices. These investigations test the subject's compliance with statutory obligations, particularly the Privacy Act 1988 (Cth), and can result in significant determinations (such as directions requiring entities to change their practices and to publicise their non-compliance).
The recent Commissioner Initiated Investigation into Bunnings Group Ltd (Privacy) [2024] AICmr 230 (29 October 2024) provides some guidance on the application of the Australian Privacy Principles (APPs) to facial recognition technology (FRT) used in a retail setting.
Between November 2018 and November 2021, Bunnings used an FRT system in 63 of its stores in NSW and Victoria. The system used CCTV to capture the facial image of every person who entered a store. Each image was converted into a biometric template (a vector set) and compared in real time against a database of individuals Bunnings had previously identified as posing a risk because of past incidents of theft or violence. If no match was found, the customer's image and template were deleted within milliseconds. If a potential match occurred, an alert was sent to a specialised security team for human verification and response. The investigation was initiated by the OAIC in July 2022 following a report from the consumer advocacy group CHOICE.
The OAIC's investigation focused on whether Bunnings' use of FRT complied with several key APPs under the Privacy Act 1988 (Cth) (see Privacy Law).
- Collection of Sensitive Information (APP 3.3): Facial images and biometric templates are considered 'sensitive information' under the Privacy Act, which requires that an entity must not collect such information unless the individual consents or a specific exception applies.
- Notification of Collection (APP 5.1): An entity must take reasonable steps to notify individuals that their personal information is being collected, the purposes of collection, and the consequences if it is not collected. Bunnings relied on in-store signage which stated, "Video surveillance, which may include facial recognition, is utilised".
- Open and Transparent Management (APP 1.2 & 1.3): An entity must take reasonable steps to implement practices and systems to ensure compliance with the APPs (APP 1.2) and must maintain a clear and up-to-date privacy policy detailing its data handling practices (APP 1.3).
The Privacy Commissioner, Carly Kind, found that Bunnings had interfered with the privacy of individuals by breaching all four APPs under investigation.
- Breach of APP 3.3 (Collection of Sensitive Information):
- The Commissioner rejected Bunnings' argument that it did not "collect" the data of non-matched customers because it was deleted almost instantly. The decision found that the momentary storage of the image and its biometric template on a server's RAM was sufficient to constitute "collection for inclusion in a record" under the Act.
- Bunnings argued that even if it did collect the information, it was exempt because it was "necessary" to lessen a serious threat to safety or to take appropriate action against unlawful activity (the permitted general situations in s 16A of the Act).
- The Commissioner rejected this, finding that while Bunnings faced real threats, the use of FRT was not "necessary". It was a disproportionate response, as it involved the "wholesale and indiscriminate collection" of sensitive information from hundreds of thousands of individuals to address the risks posed by a small number of known offenders, and less privacy-intrusive alternatives were available.
- Breach of APP 5.1 (Notice): The in-store signs were deemed insufficient. The Commissioner found that a general mention of "video surveillance" or that FRT "may be utilised" did not adequately inform individuals that their biometric information was being collected, the specific purposes of that collection, or the consequences, and therefore did not constitute reasonable notice.
- Breaches of APP 1.2 and 1.3 (Governance and Policy): The Commissioner found Bunnings failed to take reasonable steps to ensure compliance, noting it had not conducted a Privacy Impact Assessment (PIA) before deploying the technology. Furthermore, its privacy policy at the time did not mention the use of FRT or the collection of biometric data, breaching the requirement for a policy to be clear and up-to-date.
Bunnings was ordered to cease using the FRT system in breach of the Act and to destroy all personal and sensitive information collected via the system that it still held. It was also required to publish a prominent statement on its website detailing its use of the technology and its non-compliance with the APPs.
The decision is a significant warning for any organisation considering the use of FRT or other biometric technologies. It confirms that the OAIC will interpret the "necessity" test for collecting sensitive information without consent very narrowly, requiring businesses to prove that less privacy-intrusive alternatives are not viable, and also establishes a high bar for what constitutes adequate notice and transparency for such technologies.
It is noted that the OAIC has also commenced civil penalty proceedings against Australian Clinical Labs Limited in the Federal Court following a 2022 cyber-attack. The OAIC alleges that from February 2020 to March 2023, Australian Clinical Labs seriously interfered with the privacy of millions of individuals by failing to take reasonable steps to protect personal information from unauthorised access, in breach of APP 11.1.
Industry Materials
- Laurel Henning, 'Data breaches usher in a new era for Australian class actions', LexisNexis (Web Page, 19 June 2023).
- Valeska Bloch et al, 'Takeaways from the Optus and Medibank data breach class actions', Allens (Web Page, 7 June 2023).
- Andrew Maher, Andrew Burns, Lachie Watson, 'Mixed results in Medibank class action on privilege claims over investigation reports', Allens (Web Page, 9 April 2025).
- Neil Martin, '"More accountability, please!" say cybersecurity experts in wake of continued data breaches', UNSW Sydney (Web Page, 2 June 2025).
- Dean Gerakiteys, Grace Griffiths and Samantha Chiu, 'Hand 'em over! Lessons from Medibank on maintaining legal professional privilege in the age of cybercrime', Clayton Utz (Web Page, 22 April 2025).