The Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth), which received assent on 22 February 2017, proposes a number of amendments to the Privacy Act 1988 (Cth) that could act as a trigger for Australian class actions in the data breach space.
The proposed amendments, which are yet to be proclaimed, will require entities regulated by the Privacy Act to notify the Australian Information Commissioner and affected individuals of any “eligible data breach”.
In the US, notifications provided under equivalent legislation have tended to closely coincide with the filing of data breach class action complaints.[1]
Data breach class actions – the US experience
Mandatory data breach notification laws exist in the majority of US states.
The Californian law, on which many other states’ laws are based, requires businesses and government agencies that own or license computerised data that includes personal information and which suffer a data breach to notify State residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorised person.[2] “Personal information” in this context includes an individual’s name together with other prescribed identifying information including driver’s licence or social security number as well as user names, passwords and other information that would allow access to online accounts.
The notification laws in several states, including California, confer private rights of action on individuals who suffer injury as a result of a failure by an entity to comply with its notification obligations. Assuming prompt notification is provided in accordance with the applicable laws, individuals may have claims available under state consumer trading laws, negligence and/or breach of privacy.
High profile data breach class actions have included claims against Target, Home Depot and Avid Life Media Inc, the owner and operator of the Ashley Madison website. While the Target and Home Depot claims largely concerned loss suffered as a consequence of fraudulent charges and negative impacts on credit ratings of affected customers, the Ashley Madison claims extended to emotional distress as a result of reputational damage associated with the leaks.
The changes proposed by the Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth)
The proposed mandatory notification provisions will require entities regulated by the Privacy Act that have reasonable grounds to suspect that they have suffered an “eligible data breach” to notify the Australian Information Commissioner, individuals at risk from the breach and (if practicable) individuals to whom the information relates more generally.
An “eligible data breach” includes a breach in which there is unauthorised access to personal information and a reasonable person would conclude that the access would be likely to result in serious harm to individuals to whom the information relates.[3] Notification is to be provided as soon as practicable.
The provisions will apply to Australian government agencies and private sector organisations, including foreign corporations with an “Australian link”, for example, online businesses that have pages targeted at Australian users and which collect the personal information of Australian residents.
Depending on the circumstances, potential causes of action for class action plaintiffs may include claims in negligence, breach of contract and/or misleading or deceptive conduct and breach of confidence.
The potential for Australian class action development in this area is likely to depend largely on whether any Australian-based business suffers a breach on the scale of the Ashley Madison, Target and Home Depot breaches. Assuming it does, the mandatory notification amendments may assist with the ready identification of a plaintiff class.
[1] Bryan Cave LLP, “2016 Data Breach Litigation Report”, p 4.
[2] Damian Grave & Helen Mould (eds), 25 Years of Class Actions in Australia 1992 – 2017 (2017), p 400.
[3] Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth), schedule 1, s 3.