Many people have undoubtedly seen or heard about Facebook in the headlines lately. Facebook’s CEO Mark Zuckerberg was placed under the spotlight before senators at a Congressional hearing about “the Facebook”, due to collection of personal information by Cambridge Analytica, affecting up to 87 million users. Many millennials would cringe if they were asked if something on a floppy disk was the same as a social network. Cambridge Analytica has now placed its UK business into administration and will be commencing bankruptcy proceedings in relation to its US business as a result of the negative publicity attracted by this saga.
Given the advances in technology, there are now many repositories of personal information - health, hotels, telecommunications and online shopping accounts, just to name a few. Accordingly, personal and sensitive information is being stored increasingly in electronic formats. By the same token, that means electronically stored information is a target for data breaches.
The Facebook Cambridge Analytica incident is by no means an isolated incident. Other recent examples include:
- Commonwealth Bank of Australia - the possible loss of magnetic tape drives containing financial statements which had been designated to be destroyed
- Yahoo - where hackers stole information from over 500 million accounts in 2014, resulting in Yahoo receiving a US$35 million fine from the SEC for failing to disclose the breach
- Sony - where hackers stole information, erased data from systems and released movies ahead of schedule
- Ebay - where hackers accessed Ebay’s network which compromised its main database holding users’ passwords
With the number of data breaches on the rise and increasing public scrutiny, the question for businesses in Australia that hold personal and sensitive information is, what potential issues they may face and how data breach litigation may develop under Australian law.
The UK and the US
Data breach litigation has been an ongoing phenomenon for many years in the United States and the United Kingdom. Australia is still relatively new to the playing field, having only recently amended its privacy laws to include a mandatory notification for eligible data breaches under that regime. We have previously written on the new data breach notification regime that came into effect earlier this year in Australia. Despite this recent development, there are still many hurdles for individuals seeking to make claims due to their personal information having been compromised.
In the United Kingdom, a person who has suffered damage arising from a data breach has a statutory cause of action to sue the holder of that information. That position may be modified slightly, with the introduction of the Europe-wide General Data Protection Regulation (GDPR), which will come into effect on 25 May this year. Our ICT and Data Protection Team has previously discussed the effect of the GDPR. This will only be of concern for businesses which have operations in the European Union (and despite Brexit, the UK Parliament has stated its intention to retain the GDPR after it leaves the EU).
The leading case in the UK regarding mass data breaches is Vidal-Hall v Google Inc  EWCA Civ 311, which confirmed that a tort of misuse of private information exists.
In the United States, there is data breach legislation at both the federal and state levels and generally speaking, individuals are able to commence proceedings to recover damages arising out of injuries suffered from the data breach (however, this will depend upon the laws in the relevant state). A threshold issue for claimants in the US is standing (that is, the ability for a claimant to sue) which has been interpreted under the US Constitution as requiring concrete, actual or imminent loss. Currently, this question remains unresolved (and the US Supreme Court recently declined to review a decision that could have allowed it to clarify that issue for data breach claimants).
There is presently no specific personal statutory right under Australian law, comparable to the UK and US law, for a claimant to make a claim in respect of their privacy or a data breach. Currently, the Privacy Commissioner is the only person with standing to bring a claim under the Privacy Act 1988 (Cth). That being said, it is possible that claims by persons affected by a data breach could be formulated based on existing legal principles.
Almost two decades ago, the High Court of Australia declined to recognise the existence of a tort of privacy (see ABC v Lenah Game Meats Pty Ltd). However, it was suggested in that case that an action for breach of confidence may be available in appropriate circumstances. Depending on the circumstances of the breach, it may also be possible for an action to be brought for negligence.
The cases surrounding data breaches often fall into two categories. Assume you are a company in Australia hosting a wealth of data containing personal (or sensitive) information on a number of individuals and:
- information is lost by means beyond your control (whether by human error, a failure in governance, or the malicious actions of a third party such as a hacker). By hosting the information, you may have statutory notification obligations under the new privacy laws. Depending on the nature of the information and what has happened with the information, you may also be susceptible to claims from people to whom the lost information relates (see for example, the claims in the USA case Carefirst v Attias, No. 17-641 (2017) (cert denied));
- at some point and for whatever reason, an employee turns out to be disgruntled, steals the data and runs amok. As the company, you will likely have a cause of action against the disgruntled employee. However, at the same time, you may also be susceptible to claims from the people to whom the lost information relates (see for example, the claims in the English case Various Claimants v WM Morrisons Supermarket Plc (Rev 1)  EWHC 3113 (QB), where an employer was held to be vicariously liable for the acts of its employee).
A majority of the population are consumers of services and products which collect, use or disclose personal information. From a consumer’s perspective, if there is a data breach and personal information is compromised, a simple notification of an information breach occurring is hardly a satisfactory outcome. Consumers will expect a right to claim for loss and damage.
Where losses may be compounded significantly due to the potential scale of a data breach, the question of whether a broad group of claimants may be able to seek compensation for their loss, is raised. In this way, questions as to the formulation of any claims, the amount of any loss and the viability of group proceedings will be relevant. Further, the mandatory data breaches notification regime (if applicable) may have the effect of identifying a group of consumers that could constitute a “class” for the purposes of class action litigation.
As far as we are aware, there have been no reported mass data breach litigation cases in Australia. This is an area of Australian law that is still developing and it remains to be seen how Courts in Australia will develop the law. However, there is the potential for claims to arise, as we have outlined above.