Class action risk on the horizon with the introduction of mandatory data breach reporting
04 August 2017
Recently there have been several high-profile class actions in the United States (US) stemming from data breaches. In June 2017, class actions against Anthem Inc reportedly settled for $115 million (subject to court approval). The settlement included compensation to those affected as well as a fund for credit monitoring services to protect class members from future fraud.
There have been no comparable actions in Australia to date. However, the developments in the US coupled with the new Australian mandatory data breach notification regime may lead class action proponents and funders to attempt such actions here.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) established a mandatory data breach notification scheme in Australia. Its key provisions will come into effect on 22 February 2018. Once in force, entities to which the scheme applies will be obliged to notify eligible data breaches to the Australian Information Commissioner and, if practicable, to individuals to whom the relevant information relates or who are at risk from the breach.
It can be expected that, under the scheme, significant data breaches will ordinarily become public knowledge soon after they occur. Importantly, more information may be known about the type of breach, possible consequences and the class of people affected than previously. This information could help anyone considering bringing or funding a class action to better define the affected class and to determine the potential economic return from litigation. A number of the US data breach class actions were filed very soon after companies reported those breaches under equivalent mandatory reporting legislation.
It is unclear whether the US model will be viable in Australia. Key difficulties facing Australian class actions include how a data breach class would prove compensable loss, as well as the lack of a straightforward cause of action. However, legal uncertainty has not stopped class actions in other areas, such as securities, from becoming increasingly common.
It is likely that Australia will see test case litigation relating to data breaches before too long, informed by disclosures made under the mandatory reporting scheme. Companies, particularly those holding data for a large number of customers or employees, should ensure their risk management processes and insurance arrangements are tailored to mitigate this risk.