Surging Cyber Incidents: Regulatory Activity and Class Claims in Australia

Australia has experienced a pronounced increase in regulatory activity as well as class claims stemming from cyber incidents in recent months.

Companies are now at material risk of flow-on class claims arising from a cyber incident as plaintiff law firms and litigation funders have turned their attention to cyber incidents. There are certain sectors where this will be particularly acute, including the healthcare and insurance industries and government, given higher compensation may be available for economic loss and emotional harm suffered due to sensitive data being breached.

Our table below identifies the key features of different claims that have been commenced in recent months following high-profile data breaches. Key takeaways include:

• Class claims for affected individuals may be made to the OAIC under the Privacy Act’s representative complaints mechanism, or brought in courts under the traditional class actions regime as consumer claims alleging causes of action under contract, negligence, misleading or deceptive conduct and duties of confidentiality.
• Shareholder class actions are now another area of exposure for companies. The recent one brought against a major Australian health insurance provider shows this risk is no longer theoretical.
• Questions arise as to how consumer class actions will interact with concurrent regulatory investigations and complaints to the OAIC in respect of the same conduct. There are unresolved questions about whether these processes should be permitted to run in parallel given they arguably are seeking to compensate the same group:
  • So far, in proceedings being case-managed in the Federal Court, there has been an unwillingness to stay consumer class actions on account of a parallel representative complaint being dealt with by the OAIC. This includes because of practical resource restrictions on the OAIC, which may mean that matters take a long time to resolve, as well as the fact that the OAIC does not have the same powers as the Federal Court.
  • At least in one case, the OAIC had expressed an initial view that it would not investigate certain representative complaints where it considered that a class action will provide appropriate remedies to affected persons. However, the OAIC subsequently changed its position and is now proceeding with investigations of those complaints.
• There are currently difficulties for class action promoters in establishing that group members have suffered recoverable loss in traditional class action proceedings. However, anticipated major reforms to Australia’s privacy law regime would enable class action proceedings to be commenced for breaches of privacy, where non-economic loss is more easily recoverable. These changes will likely materially drive up class action risk. Our detailed commentary on the proposed reforms is available here.

Steps you can take now

A company’s initial response to a cyber-attack can be crucial to containing legal risk and preventing flow on litigation, and mitigating companies’ potential financial exposure if a claim does arise.

Here are three steps you can take now to prepare:

1. Seek proactive reviews and assessments of the current state of the evidence that your company would rely upon if an issue arose and it had to defend itself. Our team can assist with testing the evidence that your company would point to in demonstrating that it is identifying and responding to cyber risks appropriately.
2. Ensure that appropriate privilege protocols are ready to be deployed. There may be real challenges in establishing and maintaining legal professional privilege around investigation reports relating to cyber-incidents. Consider preparing a draft privilege protocol in advance to ensure that clear guidance can be followed at the outset by key personnel involved in any initial response to cyber-attacks and work done as a result.
3. Have a multi-disciplinary team on standby. Ensure that your proposed response team for any cyber-attack includes cyber law experts working together with a team of litigators, so that the potential for follow-on litigation risk can be appropriately managed upfront.

Claims and regulatory action: key features

Type	Nature of claim	Key features
Representative complaint	Claim made to OAIC for breach of Privacy Act on behalf of multiple customers involving the same underlying conduct	Greater flexibility of compensation awards compared with court proceedings – OAIC has previously awarded monetary compensation for non-economic loss (distress, embarrassment, anxiety). Compensation determinations by the OAIC are not enforceable, so if a company disagrees with the outcome it is up to complainants to enforce the determination in the Federal Court which effectively hears the matter afresh. No costs jurisdiction: legal costs incurred in the representative complaint process are not recoverable.
Consumer class action	Court proceeding on behalf of individuals whose personal information has been compromised due to a data breach	Currently no right to bring a direct claim in Australian courts for breaches of the Privacy Act (such claims can only be made to the OAIC), so actions involve allegations of: breaches of contracts with consumers and terms relating to the way in which data would be kept private or secure. misleading or deceptive conduct arising from representations about IT systems and compliance with regulatory obligations. breaches of equitable obligations of confidence owed to the relevant consumers. breach of a duty of care owed to customers. Unclear how loss or damage will be established, and whether damages for non-economic loss (emotional distress) are available. Note proposed reforms to introduce direct right of action for breach of Privacy Act and statutory tort of serious invasion of privacy – if passed, these causes of action will be pleaded in future cyber class actions.
Shareholder class action	Court proceeding on behalf of shareholders in listed entity who purchased shares in particular timeframe.	Involve allegations that the relevant company: engaged in misleading or deceptive conduct by making representations regarding the company’s cybersecurity measures or approach to data-handling practices; and/or breached the company’s continuous disclosure obligations by failing to disclose “material information”, eg failure to disclose a system or process deficiency. Real questions as to what would or should have been disclosed earlier and how to assess share price drop associated with announcement of an actual cyber incident (where risk has crystallised).
Other regulatory action	Regulatory investigation that may lead to enforcement proceedings Even if no civil penalty proceedings, possibility of onerous enforceable undertakings requiring significant investment by companies to ensure compliance	OAIC: investigates breaches of the Privacy Act, which may lead to civil penalty proceedings for serious or repeat interferences with privacy. ASIC: has brought enforcement proceedings against financial services licensees for failure to have adequate cybersecurity documentation, controls and cyber resilience in place, amounting to a breach of licensees’ obligations under s 912A of the Corporations Act: see our article on the ASIC v RI Advice case here. APRA: may investigate APRA-regulated entities for compliance with standards eg CPS 234 and impose increased capital adequacy requirements if it considers there are weaknesses in an entity’s information security environment. ACCC: investigations likely to focus on consumer impact, including eg misleading statements about data handling practices and monitoring of compliance with Consumer Data Right regulatory obligations (jointly with OAIC).