It’s been an eventful year for developments in the legal and regulatory framework surrounding cyber risk.
We saw the first enforcement action by ASIC against an Australian financial services licensee which did not have adequate cybersecurity and cyber risk management controls and frameworks in place (ASIC v RI Advice Group Pty Ltd [2022] FCA 496).
Then, in the second half of 2022, we saw the largest data breaches ever to take place in Australia, pushing cyber security into the spotlight like never before. The scale of the Optus breach in September and the Medibank breach in October was un-precedented, with reports of personal data of potentially up to 11 million (Optus) and 9.7 million (Medibank) Australians exposed.
Questions are rightly being asked about every organisations cyber security posture:
the adequacy of their defences and response plans
how they are storing personal information they collect
how secure their data is
how long it should be kept
The Federal Government moved to enact significant reforms to the Privacy Act 1988 (Cth), which we outline below. A broader review of the Privacy Act is continuing, together with consideration of other aspects of the law surrounding cyber events by the Attorney General’s Department, including whether a statutory tort for serious breach of privacy should be introduced and whether ransom payments should be prohibited under Australian law.
The Privacy Legislation Amendments (Enforcement & other Measures) Bill 2022 (opens a new window) passed both houses of government on 28 Nov 2022.
The most significant amendment is the significant increase in the maximum penalties available against corporations for breach of s.13G of the Act to:
Three times the value of the benefit that the company directly or indirectly obtained from the contravention (if this can be calculated); or
30% of the adjusted turnover of the company during the period of the contravention; or
$50m
This is an increase from a previous maximum penalty was $2.2m.
The increased penalties seek to send a clear deterrent message to corporate Australia, that cyber security must be adequately addressed and serious penalties are now at play.
Developing case law in the next few years will be key to precisely what situations amount to a breach of s13G: “serious interference with the privacy of an individual” or repeated acts or practice “that is an interference with the privacy of one or more individuals”.
The amendments to the Act also saw additional information gathering and enforcement powers for the OAIC, including power to:
issue notices requiring production of documents and requiring a person to answer questions about an actual or suspected eligible data breach the steps taken by the entity and the steps taken to notify individuals affected (s.26WU).
issue infringement notices, with associated civil penalty provisions for failure to comply with such notices (s.66(1)).
consider a criminal infringement and refer a matter to the Commonwealth Director of Public Prosecutions if conduct constitutes a system of conduct or pattern of behaviour (s.66(1AA)).
assess compliance with the Notifiable Data Breach scheme, including the extent to which an entity has adequate processes and procedures in place to assess eligible data breaches (s.33C).
require an entity to engage a suitably qualified independent adviser to review the acts or practices engaged in and to assist it to take steps to ensure conduct constituting an interference with privacy is not repeated or continued (s 52(1A)).
publish notices and determinations about specific breaches of privacy.
The OAIC may also now share information and disclose certain information to other regulatory and enforcement bodies.
These amendments are clearly aimed at giving the OAIC similar powers to other corporate regulators, increasing the level of information the OAIC can require and scrutinise to assess compliance with the notifiable data breach scheme and providing more transparency to the public.
Cyber insurance policies will be called on to respond to expected increased legal fees and potentially, to civil penalties.
Investigations, Representative Complaints and Class Actions to watch
In addition to the eventual determinations that arise from the Optus and Medibank breaches, the ongoing OAIC case against Facebook over the Cambridge Analytica scandal could be the first large case testing contravention of s13G. This is currently subject to Facebook’s High Court challenge to the viability of the case against it, on jurisdictional grounds, arguing they do not carry on business or collect personal information in Australia.
While the increased penalties and other amendments will not be available against Optus and Medibank, the OAIC is conducting investigations into:
whether each took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorized access or disclosure; and
whether each took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy principles. (opens a new window)
In addition, these breaches will likely lead to the development of the framework for class actions arising out of cyber breaches. Maurice Blackburn has commenced a representative complaint to the OAIC against Optus for breach of the Privacy Act, seeking compensation on behalf of affected customers. It has also commenced a similar representative complaint with the OAIC against Medibank, seeking compensation.
The Commissioner has power under s 52 Privacy Act to make a determination regarding the alleged breach and the amount of compensation to be paid to affected individuals. This has, to date, been the main avenue for seeking compensation arising from a cyber breach. It remains to be seen whether class action funders and lawyers will test the boundaries of the class action regime and seek to launch direct proceedings in the Courts.
Claimants may still face challenges in establishing significant compensable loss but given the scale of these breaches and number of individuals affected, even a small amount awarded to each, together with legal fees, could lead to large potential losses. Insurers and insureds will be looking closely at the way these investigations and litigation develop and the losses that are established.
Finally, there is the ongoing spectre of Directors’ & Officers’ risk arising from a cyber breach. Increased regulatory oversight and focus is likely to extend to actions against directors in the future. In addition, shareholder class actions arising out of a cyber breach, while not yet tested in Australia, could well be the next key area to watch.