The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the Amendment Act) was enacted on 29 November 2012 and is due to commence in March 2014. The Amendment Act introduces civil penalties of up to A$1.7 million for serious or repeated contraventions of the Privacy Act.
However, the development with potentially greater impact for those with an interest in class actions in Australia would be the enactment of legislation requiring organisations to report breaches of the security measures taken to protect personal information. Laws of this kind have been in force in the United States since 2003, and the U.S. experience suggests that they tend to generate a proliferation of class actions: plaintiff lawyers frequently rely on the facts disclosed in the mandatory notices to mount their claims.
Recently, the Australian government received submissions on a proposal to introduce such laws (submissions closed on 23 November 2012). If the government were minded to introduce legislation on mandatory data security breach reporting, it is conceivable that it would do so in the first half of 2013, with a view to passing the legislation before the 2013 federal election.
Class actions in the United States
Presently in Australia there is no statutory duty to report breaches of personal data security measures, either to the Privacy Commissioner or to affected individuals, whereas in the United States mandatory data security breach legislation has been in operation since 2003, and 47 of the 50 states have now enacted such laws. In the absence of a mandatory duty, Australian organisations report serious breaches of data security to the Privacy Commissioner and to affected individuals only on a voluntary basis.
Typically, these security breach reporting laws require an organisation that has suffered a data security breach to notify both a regulator and the affected individuals. The usual rationale for notifying the affected individuals is to allow them to take "self-help" measures to mitigate their potential losses, such as cancelling a credit card whose details have been compromised through a merchant or payment processor that retained a copy in its records.
Much litigation has been spawned by the mandatory reporting obligation, because notification occurs early and the affected individuals are relatively easy to identify. The mandatory notice can often lead to immediate legal action being taken on behalf of the affected individuals. Such occurrences are also ripe for class actions because, in many data breach scenarios, a large number of individuals are potentially affected but each typically suffers only a small financial loss. Plaintiff law firms in the United States regularly commence class actions within days of the notification of a data security breach, seeking to recover losses on behalf of all affected individuals.
Some of the U.S. entities involved in class action cases resulting from a data breach are listed in the table accompanying this article (not reproduced here).
Potential developments in Australia
If mandatory data security breach reporting were introduced in Australia, it is possible that class actions would be commenced here in cases similar to those in the United States. Alternatively, a representative complaint could be pursued before the Privacy Commissioner. However, the representative complaints regime in the Privacy Act has been successfully deployed on only one previous occasion.
Data security breaches are not restricted to the United States. On 29 November 2012, the Australian media reported one of the largest credit card data thefts in our history, committed by a group of Romanian hackers. The AFP, together with the Romanian police, tracked down the hackers and allege that they gained illegal access to about 500,000 Australian credit cards through the IT systems of roughly 100 small Australian retailers. Of those cards, about 30,000 were used to purchase goods worth more than $30 million.
Once the Amendment Act comes into effect in March 2014, a serious data security breach of this kind would most likely constitute a serious interference with privacy under section 13G of the Privacy Act and, if action were taken by the Privacy Commissioner, would expose the organisation responsible to civil penalties of up to A$1.7 million.
In addition, regardless of whether any statutory duty to report privacy breaches exists, it is possible that in some circumstances organisations owe a duty of care to affected individuals to notify them of certain serious breaches of data security, although no Australian case has yet established such a duty. By comparison, class actions in the United States almost always include a claim of negligence in relation to the failure to keep information secure (see the table referred to above).
A look into the future
The passage of mandatory data security breach legislation in Australia, coupled with the new enforcement powers given to the Privacy Commissioner by the Amendment Act, has the potential to expose organisations doing business in Australia to far more serious consequences than at any time since privacy laws were extended to the private sector in 2001, and to bring about a proliferation of representative complaints or class actions.