On 29 November 2012, the Australian media reported one of the largest credit card data thefts in its history, committed by a group of Romanian hackers. The AFP, together with the Romanian police, managed to track down the hackers and allege that they had gained illegal access to about 500,000 Australian credit cards through the IT systems of roughly 100 small Australian retailers. 30,000 of such accounts were used to purchase goods worth more than $30 million.
While this incident has made headlines throughout the country, there is no mandatory obligation on the affected Australian retailers themselves to notify cardholders of this data breach. However, if the same incident occurred in the United States, it would trigger a set of further obligations, including the need to report a security breach.
Mandatory data security breach legislation has been in force in the United States since 2003. Financial services businesses in particular have experienced costly litigation following the distribution of notices to individuals affected by data security breaches. Class actions have frequently been the vehicle used by plaintiff lawyers to obtain substantial settlements, relying on facts contained in the mandatory notices. Recently, the Australian government received submissions on the introduction of such laws (submissions closed on 23 November 2012), which would likely have greater impacts than the recent enactment of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (due to commence in March 2014). If the government was minded to introduce legislation on mandatory data security breach reporting, it is conceivable that it may do so in the first half of 2013 with a view to passing the legislation prior to the 2013 federal election.
Present position in Australia
Presently in Australia there is no statutory duty to report breaches of personal data security measures, either to the Privacy Commissioner or to affected individuals. It is possible that, in some circumstances, organisations may owe a duty of care to affected individuals to notify them of certain serious breaches of data security, but no case has established such a duty. Some organisations voluntarily report serious breaches of data security to the Privacy Commissioner and to affected individuals. According to the government discussion paper, the Commissioner received reports of 56 data breaches in the 2010-11 financial year and opened investigations into 59 breaches that were not notified.
The U.S. experience
Currently, 47 of the 50 states in the United States have enacted mandatory data security breach legislation. Typically, these laws require organisations who have suffered data security breaches to notify a regulator and also the affected individuals. The usual rationale for notifying the affected individuals is to allow them to take “self-help” measures to mitigate their potential losses, such as cancelling their credit card if their credit card details have been compromised by a merchant or payment processor who had retained a copy in their records.
In many data breach scenarios, a large number of individuals are potentially affected. But each of them typically suffers only a small financial loss. Plaintiff law firms in the United States regularly commence class actions within days of the notification of data security breaches, seeking to recover losses on behalf of all affected individuals. Typically, the claims rely on facts admitted in the notices sent to affected individuals. Data security breach cases have resulted in some substantial settlements in the United States, as illustrated by the examples in the following table:
Click here to view table.
Implications for financial services organisations
If mandatory data security breach reporting was introduced in Australia, it is possible that class actions would be commenced here in similar cases. In this regard, the potential legislative reform may be particularly concerning to financial services organisations due to the sensitivity of the personal information they hold about their customers and the fact that despite robust security measures it is almost inevitable that data security breaches will occur from time to time. From March 2014 onwards, a serious data security breach would, most likely, contravene section 13G of the Privacy Act and, if action was taken by the Privacy Commissioner, the organisation responsible would be exposed to civil penalties of up to A$1.7 million. Claims could, however, be based in the law of negligence, breach of contract (eg the banker’s duty of secrecy) or, potentially, for misleading conduct if a representation had been made to customers that their information would be held securely. All of these claims could be pursued by plaintiff lawyers without the need for intervention by the Privacy Commissioner.
The passage of mandatory data security breach legislation in Australia, coupled with the new enforcement powers for the Privacy Commissioner contained in the amended Privacy Act, has the potential to result in far more serious consequences for financial services organisations doing business in Australia than has been the case since privacy laws were extended into the private sector in 2001.