Data breaches usher in a new era for Australian class actions

19 June 2023 10:00


Laurel Henning, Senior Correspondent, MLex Pacific


Recent major data breaches in Australia, suffered by telecom operator Singtel Optus, health insurer Medibank Private and financial services company Latitude Financial, have led to a wave of class-action lawsuits exploring new ground in the country’s legal system. With no established playbook for class actions linked to cyberattacks in Australia, the success or failure of plaintiffs in convincing courts of their loss or damage will be key to any future lawsuits. Competing law firms filing similar class actions will also have to convince judges of the merits of their case and will likely see pressure to consolidate.

The long-term consequences of last year’s Singtel Optus and Medibank Private data breaches are starting to come into focus.

The late-2022 mass-data breaches put the data of millions of Australians at risk, saw increases to maximum penalties for privacy breaches fast-tracked through parliament and are now the subject of multiple class-action lawsuits (see here, here and here).

Meanwhile, a more recent data breach suffered by Australian financial services company Latitude Financial is now the subject of a joint investigation by Australian and New Zealand privacy regulators and has become the biggest-ever data breach in New Zealand (see here). Two Australian law firms, Gordon Legal and Hayden Stephens and Associates, have announced they’re working together on a class action for those affected.

But the lawsuits before the Federal Court of Australia, lodged by Optus and Medibank Private customers, will be the first of their kind when it comes to class actions linked to data breaches.

“We’re not operating from a rulebook when it comes to cyber and data breach actions,” Melissa Gladstone, a Sydney-based partner at law firm Herbert Smith Freehills, told MLex. “These are novel claims in Australia, although we have seen many examples overseas where the legal framework is different.”

While a shareholder class action might point to a stock-price drop to prove loss on behalf of claimants, it’s an open question as to how lawyers will set about quantifying the loss of customers resulting from privacy breaches.

And with a review of Australia’s Privacy Act underway that could introduce a “statutory tort” for individuals relating to data breaches, lawyers are anticipating a potential spike in the number of class-action lawsuits, with cyberattacks showing no sign of slowing in Australia (see here).

Loss and damage challenges

Two types of class actions are currently working their way through Australia’s courts.

First, there’s a shareholder case filed to the Supreme Court of Victoria on behalf of Medibank Private investors, which falls squarely within the traditional territory of a shareholder class action.

Class members accuse the company of having inadequate systems and processes in place to deal with — in this case — a data breach. This alleged inadequacy, which could have affected a shareholder decision prior to the subsequent impact on price, wasn’t notified to the market and shareholders were left watching their investments dwindle.

Shareholders’ losses can be quantified easily in this case, lawyers argue.

But in the Optus and Medibank class actions now making their way through the Federal Court of Australia, the loss or damage alleged under privacy and consumer law breaches will be harder to quantify.

Is the personal loss linked to the availability of medical information and the emotional distress that leak has caused? Or has the data breach caused a claimant to move house or change employment? These could be quantifiable losses, lawyers argue, but they will be riddled with challenges.

“We will be closely watching this first wave of data breach class actions — if plaintiffs encounter obstacles establishing loss and damage, these types of cases may become unpalatable to pursue,” Gladstone said.

And the uncertainty for Optus, Medibank and, any day now, Latitude is greater here, Gladstone argues, than it would be in a more traditional class action.

On top of the open question of loss to customers, companies will also be engaging with regulators. Evidence given during a regulatory investigation could eventually become public in a class-action case and prompt further claims.

“It’s a web of uncertainty and risk,” Gladstone said.

Competing class actions

Should plaintiffs be successful in establishing a case over loss or damage, the chances of more law firms coming forward to file competing claims will increase — an issue that looks set to frustrate judges.

Earlier this month, Federal Court of Australia Judge Jonathan Beach temporarily paused one of the two Medibank class actions before him, asking why he should tolerate two cases going forward that focus on a single event (see here).

Beach was frustrated further by Medibank lawyers’ concern that the Office of the Australian Information Commissioner, or OAIC, had said it would pursue a separate class action claim, having previously said it wouldn’t (see here).

Beach said the insurer’s legal team shouldn’t apply to him for the court case to be put on hold if they haven’t yet asked the OAIC to pause its proceedings, which could also result in compensation to consumers. The web of legal action grows ever larger for Medibank.

Lawyers in the second class action put before Beach argued the first group claim to reach the court shouldn’t automatically get to proceed.

“Multiple proceedings create a real risk of increased costs, inefficiency and prejudice for defendants,” Gladstone told MLex. “In this case, of course, there is the added element of it not being a ‘plain, vanilla, commercial class action.’”

One solution to Beach’s frustrations would be consolidation.

“It is not as streamlined as if there were one case with one set of lawyers, but a ‘cooperation agreement’ between the respective plaintiff’s lawyers is ordinarily in place to counter inefficiency, increased costs and duplication and includes a dispute resolution mechanism,” Gladstone said.

In the Medibank cases, lawyers have until August to negotiate on potential consolidation. If they fail to agree, there will be a hearing before the court on contested multiplicity.

Where plaintiffs object to consolidation, a solution could be to keep separate case numbers that are listed on the same docket — an effective merging of the cases in all but name.

The challenges over competing lawsuits in Australia are perhaps exacerbated by the lack of a US-style race to certification before a case can begin and the absence of a deadline. The only limit is a statute of limitations.

‘The issue of the moment’

“It is hard to think of many organizations that do not hold some form of data,” Gladstone said.

“The risk of class actions is most acute for those holding personal information and for listed companies, who may also face a ‘traditional’ shareholder class action related to any market reaction following news of a data breach,” she said.

Privacy lawyers speaking with MLex have mentioned increased corporate concerns over exactly what data they hold, attempts to map that data and secure it or destroy it, if it’s no longer needed.

“Data breach risk is front of mind, companies are trying to mitigate risks in a changing technological and regulatory landscape,” Gladstone said. “It's the issue of the moment.”

Cyberattacks and data breaches show no signs of slowing down in Australia since the Optus and Medibank breaches and subsequent Latitude breach in March.

And with a potential introduction of a statutory tort for individuals suffering an invasion of privacy, a clearer basis would be in place for asserting loss and damage arising from data breach incidents.

Class-action lawsuits could be set not only to grow, but explode.
