While Australian courts have not yet been faced with a cyber security class action, the increase in high-profile data breaches and cyber attacks globally indicates it will only be a matter of time.
The recent class action filed in Oregon against credit information agency Equifax Inc. in the United States suggests it may be sooner rather than later before a similar class action is brought in Australia.
The Oregon class action differs from many other US data breach class actions because it relies on negligence, rather than a tort of privacy or statutory obligation. The action alleges Equifax owed a duty of care to the individuals whose data it held to maintain adequate technological safeguards to protect that data from unauthorised access. It is alleged that Equifax knew, or should have known, that failure to do this would eventually result in a massive data breach. The damage alleged to be suffered is the cost for third party credit monitoring services fees to mitigate the risk that stolen data will be used to fraudulently obtain credit or financial products in the names of the persons whose data was stolen.
There is nothing to suggest that a claim like this is untenable in Australia. In our two main class action jurisdictions, the Victorian Supreme Court and the Federal Court, the law merely requires a group (or class) of seven. Those seven group members must have claims arising out of similar or related circumstances, which give rise to common issues for the court to decide.
Where multiple people have their data ‘leaked’ or ‘ransomed’ in the same cyber security incident, these threshold criteria would likely be met. It’s irrelevant if group members have suffered different amounts of loss, or even claim different types of relief from the court. Similarly, it’s no bar that members have handed over their data for different purposes or transactions.
It seems likely that Australian courts would recognise a duty of care to maintain adequate cyber security if it is foreseeable that compensable loss and damage would flow from a cyber security incident. The allegation in the Oregon case – that a failure to maintain adequate cyber security would eventually result in a data breach – is consistent with the longstanding views of cyber security experts.
A more difficult question is what standard of care is owed and whether it was breached in a particular instance. For example, there is a well-founded practice of running a major IT system one patch behind (known as N minus 1), to minimise the potential for business interruption from untested patches. While it is unlikely there will ever be a set formula, we would expert courts to balance the following considerations in determining whether there has been a breach of the standard of care owed:
the nature or sensitivity (and the amount) of information the company collects;
the consequences for an individual if there is a breach;
the burden on the company of implementing greater safeguards; and
the industry ‘norm’, if any.
Where a company falls short of the relevant standard of care, a further difficulty may be identifying the compensable damage that has been suffered. In the Oregon case, the claimed damage is the cost of credit monitoring. However, mitigation is a key component of the law of negligence. The cost of credit monitoring is a mitigation cost in itself (reducing rather than removing a risk) and one that a defendant in Equifax’s position may choose to offer the affected persons (indeed, Equifax has made this offer, though it has been subject to criticism).
The risk of a cyber-attack affects every business collecting and storing data and running technological systems. ASIC reported in April 2017 that 80% of companies expect an increase in cyber risk over the next year, and that risk is also borne by the persons and companies who trust their data to service providers. There is likely to be a strong push towards compensating those people and companies for financial loss, inconvenience and risk suffered as a result of a breach, particularly if that can be quantified as damages.
With high-profile cyber attacks on the rise, the law’s expectations of directors and officers tasked with overseeing management of these risks will only grow higher. Cyber security risk is a company-wide problem that needs strategic and operational leadership. Directors and officers will need to be able to justify the allocation of resources to systems and processes to protect their companies, their clients and themselves from the significant liabilities cyber attacks can expose them to.