-- NicholasHodgkinson - 03 December 2024

Litigation

Managing personal data exposes businesses to the risk of cyberattacks and data breaches. A data breach occurs when personal information is accessed or disclosed without authorisation, or is lost. Data breach litigation is on the rise in Australia, with the 2022 Optus and Medibank cyber incidents resulting in both class actions and heightened regulatory scrutiny in the space.
  • In September 2022, Optus experienced a major data breach affecting up to 10 million current and former customers, exposing personal information such as names, addresses, dates of birth and passport and driver licence numbers. The cause was initially disputed, with Optus describing a sophisticated attack and others attributing the breach to human error; the attacker demanded a ransom before later withdrawing the demand and apologising.
  • One month later, attackers linked to the Russian "REvil" ransomware group gained access to Medibank's network and stole data relating to 9.7 million current and former customers, including medical and personal information. It is alleged that Medibank failed to respond adequately to multiple security alerts in the weeks before the theft. After Medibank refused to pay a ransom, the data was leaked on the dark web.

Class Actions

Introduction

A class action (representative proceeding) is a claim brought on behalf of seven or more persons who have claims against the same respondent arising out of the same, similar or related circumstances. Class actions can be brought at the federal or state level.

As of December 2024, three separate data breach class actions were underway: a consumer class action against Optus, a consumer class action against Medibank, and a shareholder class action against Medibank.

These proceedings bring attention to key issues under legislation such as the Privacy Act 1988 (Cth), the Australian Consumer Law (ACL) (Schedule 2 of the Competition and Consumer Act 2010 (Cth)) and the Corporations Act 2001 (Cth), while also emphasising the growing focus on corporate responsibility in managing cybersecurity risks.

Common Themes

  • Each of the three claims pleads, in similar terms, that the defendant was subject to a set of regulatory requirements in respect of its data handling and cyber security, that the defendant breached those regimes, and that the contravening conduct amounted to a breach of contract, a misleading or deceptive representation or, in the shareholder class action, a breach of continuous disclosure obligations.
  • A separate class action is being investigated against a financial services provider, Latitude Financial, in relation to a security breach that compromised the personal information of customers. An individual who commenced his own claim in the Federal Court of Australia over that breach had the claim struck out in June 2024 because he failed to plead any actual loss or damage, relying only on the risk of potential harm (see Saffari v Latitude Financial Services Australia Holdings Pty Ltd [2024] FCA 573). The practical point for plaintiffs is that exposure of data, without more, is not loss.

Breaches of Privacy Act 1988 (Cth)

The consumer class actions against Medibank and Optus focus on allegations of failing to protect personal information as required by section 15 of the Privacy Act, which prohibits an APP entity from doing an act, or engaging in a practice, that breaches an Australian Privacy Principle (APP). Breaches of the following APPs are pleaded:

  • APP 1.2, which requires an entity to take reasonable steps to implement practices, procedures and systems that ensure it complies with the APPs and can deal with related enquiries and complaints (the obligation is ongoing and proactive, not a one-off exercise);
  • APP 6, which provides that an entity may only use or disclose personal information it holds about an individual for the purpose for which it was collected (the "primary purpose"), unless an exception applies; and
  • APP 11, which requires an entity to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11.1), and to destroy or de-identify personal information it no longer needs for a permitted purpose (APP 11.2). The retention limb matters in breach cases because data that should already have been deleted cannot be stolen.
For a more detailed explanation of the APPs, see Privacy Law.

Contraventions of Australian Consumer Law and Consumer Rights

  • The class actions also allege misleading or deceptive conduct under the ACL, primarily based on representations made in the defendants' privacy policies regarding the protection of customer data, namely that the defendants would comply with applicable regulatory obligations and their own policies, and would hold customer information securely.
  • Similar claims have been brought by the Australian Competition and Consumer Commission in past cases. In ACCC v Google LLC (No 2) [2021] FCA 367, the Federal Court (Thawley J) found that the regulator had partially made out its allegations that Google made misleading representations to consumers about the collection and use of their personal location data on Android devices through the "Web & App Activity" and "Location History" settings; in subsequent penalty proceedings the Court ordered Google LLC to pay $60 million in penalties.
  • The plaintiffs variously claim damages for the distress, embarrassment and anxiety of having their personal information published, and for the cost and time associated with addressing the consequences of the data breach (for example, replacing identity documents).

Shareholder Class Actions

In the shareholder class action, in addition to the misleading and deceptive conduct alleged, Medibank faces claims that it breached its continuous disclosure obligations under sections 674 and 675 of the Corporations Act, and that it breached APRA Prudential Standard CPS 234 (Information Security). CPS 234 applies to APRA-regulated entities, including banks, general and life insurers and private health insurers, and makes the board of such an entity ultimately responsible for the entity's information security. Under CPS 234 the entity must:
  • maintain information security, and an information security capability, commensurate with the size and extent of threats to its information assets, so as to enable the continued sound operation of the entity;
  • clearly define the information security roles and responsibilities of the board, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions; and
  • comply with any additional security obligations in other APRA prudential standards and practice guides relevant to cyber security, including the CPS 234 requirement to notify APRA of a material information security incident as soon as possible and in any case no later than 72 hours after becoming aware of it.

These failures are said to have caused Medibank's shares to trade at a price inflated above their true value, or above the value they would have had if the breaches had not occurred. The plaintiff quantifies loss by reference to the approximately 18% fall in Medibank's share price once the breach became public, and pleads market-based causation (that the inflated market price itself caused the loss) and, in the alternative, individual reliance on the misleading conduct.

Regulatory Action

OAIC Investigation and Civil Penalty Proceedings
  • Regulatory action is enforcement by public sector agencies of controls and restrictions to ensure compliance with the law. In the data breach context the relevant regulators are the OAIC (Privacy Act), the ACCC (ACL), ASIC (Corporations Act) and APRA (prudential standards).

  • In addition to the two class actions, Medibank is also defending a representative complaint lodged with the Office of the Australian Information Commissioner (OAIC), as well as civil penalty proceedings commenced by the Australian Information Commissioner (AIC) following an investigation initiated after the data breach (see Australian Information Commissioner v Medibank Private Limited, Federal Court of Australia, VID497/2024, commenced 5 June 2024). Broadly, the AIC alleges that Medibank seriously interfered with the privacy of the affected individuals by failing to take reasonable steps to protect the personal information it held, having regard to the company's size and resources, the nature and volume of the sensitive personal information it handled, and the risk of serious harm to individuals in the event of a breach. Earlier in the year, the Federal Court (Beach J) dismissed an application by Medibank for an interim injunction to restrain the AIC from making a determination on the representative complaint and from continuing its own investigation (Medibank Private Limited v Australian Information Commissioner [2024] FCA 117).

  • In its Notifiable Data Breaches Report: January to June 2024, the OAIC encouraged organisations with Privacy Act obligations to implement layered security controls, enforce multi-factor authentication and strong password management policies, apply role-based access to information, regularly review accounts with excessive permissions, oversee third-party providers' information security capabilities, and allocate appropriate resources to privacy and cybersecurity. These are the kinds of "reasonable steps" a regulator or court is likely to measure an entity against under APP 11.
  • Directors' Duties: Recent cases have intensified scrutiny of the obligation of directors to manage cybersecurity risks. Directors owe a series of duties to the company, shareholders and others under the Corporations Act and under the general law. Additional duties arise under the continuous disclosure obligations imposed on publicly listed companies. In Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (Rofe J), the Federal Court of Australia held that an Australian financial services licensee's failure to have adequate cybersecurity risk management systems in place contravened its licensee obligations under sections 912A(1)(a) and (h) of the Corporations Act 2001 (Cth), and observed that managing cyber risk appropriately requires an entity to assess the risks it and its third-party providers face and to take steps to mitigate them. Although the case concerned licensee obligations rather than directors' duties as such, it is widely read as setting the standard of care that directors overseeing cyber risk will be held to.
  • Developments in Privacy Law: Until recently the Privacy Act gave individuals no direct right to seek compensation where an organisation breached the APPs in handling their personal information; there was no enforceable right of action for breach of privacy in Australia, and no obvious civil cause of action an individual could bring when a data breach occurred. The passing of the Privacy and Other Legislation Amendment Act 2024 (Cth), which introduces a statutory tort for serious invasions of privacy, may increase the viability and volume of data breach class actions in Australia.
