elevenM’s Georgia Potgieter explores the growing risk of large-scale litigation for data breaches, and what organisations should do about it.
In a world of increasing data breaches, it’s become critical for businesses to be mindful of the risks of large-scale litigation – such as recent data breach class actions relating to both the Optus and Medibank data breaches. I had the opportunity to work on both class actions in my previous role and learned that understanding and mitigating these risks is a crucial yet complex process.
In this post I share some of my learnings.
Value at stake
In other countries, particularly the US, we have witnessed the rise of class actions from data breaches, leading to substantial settlements. For instance, the telecommunications company T-Mobile faced a class action that cost USD$350 million to settle, not to mention additional expenses associated with legal fees and ongoing reputational harm.
At this stage it’s unknown how much an Australian data breach class action might achieve in terms of settlement. What we do know from the Optus and Medibank events is that both companies reportedly experienced over $1 billion loss in share value. This has opened the door for a shareholder class action (with proceedings commenced in Medibank’s case) in addition to the privacy-centered proceedings.
Assessing the potential for class actions
Although successful precedents of data breach class actions in Australia are limited, it is plausible to anticipate their increasing prevalence. Several factors contribute to this likelihood:
- Growing awareness and public concern: As individuals become increasingly conscious of their rights regarding data privacy and security, they are more likely to demand accountability from organisations that fail to adequately protect their personal information. This heightened public concern can pave the way for class actions seeking compensation for victims of data breaches.
- Legal framework and precedent: The Australian legal framework provides avenues for class actions, including through the Federal Court. As data breach cases are litigated, the legal foundation for affected individuals to seek remedies through class actions may gain strength.
- Privacy law reform: Support for a direct right of action and a statutory tort for serious invasion of privacy are being considered in the current round of privacy law reform changes. If/when this comes into force it could set both legal and social precedent of privacy issues being addressed through litigation.
- International influence: Precedents set by significant data breach class actions in other jurisdictions, particularly the US, can impact the landscape in Australia. High-profile cases like T-Mobile and Equifax have resulted in substantial settlements, creating expectations for similar outcomes within Australia.
Mitigating the risk of class actions
Mitigating the risks associated with class actions can be a challenging task for businesses, especially when costs are high and the future is uncertain. To address this, organisations in Australia can take practical steps, including:
- Robust data protection measures: Implementing comprehensive data protection measures such as strong security protocols, encryption, access controls, and regular audits can minimise the likelihood of a data breach occurring in the first place.
- Compliance with privacy regulations: Adhering to relevant privacy regulations, such as the Australian Privacy Principles (APPs) under the Privacy Act 1988 and the notifiable data breaches scheme, is crucial for large organisations to be able to demonstrate their commitment to privacy.
- Incident response readiness: Developing a robust incident response plan that includes prompt breach detection, mitigation, and notification procedures is essential. Timely and transparent communication can help mitigate the potential impact of a breach and demonstrate a proactive approach to resolving the issue.
- Swift remediation readiness: Offering swift remediation options allows organisations to limit potential damages that could be subject to claims in class actions, thereby reducing both financial liabilities and reputational risks. Evaluating remediation costs can also aid in assessing the risk associated with specific data breaches.
While the risk of class actions related to data breaches in Australia is still evolving, it’s likely we can expect an increase in such actions in the future. Growing public concern, an evolving legal framework, and international influence from settlements observed in the US all contribute to this possibility.
To mitigate the risk of class actions, organisations should prioritise data protection measures, comply with privacy regulations, and develop effective incident response plans. By doing so, businesses can strive to safeguard individuals’ personal information, minimise the impact of data breaches, and maintain trust in an increasingly data-centric world.