Cyber breach fallout: preparing for third party claims
22 May 2017
In Insurance Matters Issues 9 and 10 we looked at how a company prepares for a cyber breach and the types of losses that businesses can directly experience following a breach. In this article, we look at the actions that may be brought against a company by others following a cyber breach—otherwise known as third party claims.
The most common third party claim arises out of a breach of the Australian Privacy Principles (APP), for failing to properly hold personally identifying information on behalf of individuals. If there is a direct financial loss as a result of the theft of personally identifying information, a claim for the recovery of the loss can be brought against the company.
Can an individual bring a claim for compensation if there is no direct financial loss?
Currently there is no private cause of action for the tort of breach of privacy in Australia, but a claim can be brought by an individual as a complaint under the Privacy Act 1988 (Cth), which is dealt with by the Office of the Australian Information Commissioner (OAIC). The Act also allows for a representative complaint to be brought.
When responding to a complaint, the Commission is empowered to:
- make enquiries
- attempt to conciliate the complaint
- conduct an investigation
- accept an enforceable undertaking, and
- make a determination on the complaint.
A determination by the Commission can also include a financial determination. When making a determination the Commissioner is guided by the Guide to privacy regulatory action published by the OAIC, which states the following principles:
- where a complaint is substantiated and loss or damage is suffered, the legislation contemplates some form of redress in the ordinary course
- awards should be restrained but not minimal
- in measuring compensation, the principles of damages applied in tort law will assist, although the ultimate guide is the statute
- aggravated damages may be awarded in an appropriate case, and
- compensation should be assessed having regard to the complainant's reaction and not to the perceived reaction of the majority of the community or of a reasonable person in similar circumstances.
Awards of compensation by the Commission, as a generalisation, range between $5,000 and $20,000 and are not subject to thresholds for an award as would be the case under, for example, the Competition and Consumer Act 2010 (Cth) (CCA) or the Civil Liability Act 2002 (NSW).
Will there be a tort for breach of privacy?
In the Australian Law Reform Commission (ALRC) Report into Serious Invasions of Privacy in the Digital Era, the ALRC "recommended that the Commonwealth should create a private right to sue for a serious invasion of privacy".
The recommended cause of action bears many similarities to the cause of action first proposed by the ALRC in 2008. As recently as March 2016, the NSW Standing Committee on Law and Justice produced a report entitled Remedies for serious invasion of privacy in NSW (Standing Committee Report). While the law reform process has focused on intentional acts, the Standing Committee Report has also included cyber breaches that allow access to personally identifying information as a precursor to the proposed cause of action.
What other third party claims can potentially arise?
The Ashley Madison cyber breach in 2015 has been the genesis for a number of class actions against Ashley Madison and its parent company. However, in the Australian context, unless there is direct financial loss resulting from a cyber breach, the type of claim that could be brought is still unclear—with the exception of a privacy complaint.
One of the class actions issued against Ashley Madison (all of which were stalled because the Plaintiffs were required to identify themselves as someone other than "John Doe") was brought by a group of plaintiffs who paid an additional fee to be de-identified when they had tired of the services rendered.
Similarly, if a claim is brought in Australia involving misleading and deceptive conduct, it is difficult to know how damages will be assessed for each individual unless there is a quantifiable loss. If the consequence of misleading or deceptive conduct is personal injury, no claim can be made because of s 137C of the CCA.
A claim can be brought for breach of a guarantee concerning the provision of a service under schedule 2 of the CCA; however, damages will be assessed under part VI of the CCA, with thresholds of between 15% and 33% of a most extreme case applied to claims for damages for non-economic loss.
What to expect in the near future?
Even if the tort of breach of privacy does arise in the future, unless there is a direct financial loss, it is unlikely that affected persons will suffer personal injury of such a magnitude that it will allow their condition to be assessed within the current tort framework. The types of third party claims that may be brought in the future include:
- liability in negligence or contract for failing to properly protect personal information against cyber-attacks or misuse (e.g. customer information)
- fines on companies or individual directors imposed by regulators such as the Information Commissioner or ASIC, and
- claims by third parties arising from failing to disclose market sensitive cyber-risk information in prospectuses or disclosure documents, or to comply with continuous disclosure obligations (relevant to listed companies).
It is anticipated this area of law and the types of claims available following a cyber breach will evolve quickly, beyond the current third party claims concerning direct financial loss and complaints before the Commission.
Notification and response costs
Even though there may be no direct claim for damages by affected persons, there are still significant costs that a company—without adequate insurance at the time of a cyber breach—may incur. These include the cost of responding to a cyber breach, notification costs (if notification of affected persons is required) and the cost of addressing complaints.