Data breach laws exposing firms to new litigation risks

Speaking to SMSF Adviser, Rigby Cooke Lawyers partner Julia Cameron said most of the attention surrounding the introduction of the Notifiable Data Breach (NDB) scheme under the Privacy Act 1988 has been on the financial penalties capable of being awarded to affected parties.

However, where the breach is sufficiently serious and causes loss and damage to individuals, affected individuals may have additional rights and remedies to pursue damages against breaching organisations, warned Ms Cameron.

“These additional rights include filing a complaint with the Australian Information Commissioner (Commissioner) which can result in a determination requiring the organisation to pay compensation for any loss or damage to affected individuals,” she explained.

“In assessing loss and damage for the purpose of calculating compensation, the Commissioner will consider injury to feelings and humiliation suffered by the complainant.”

While there have not yet been any determinations by the Commissioner awarding compensation for an eligible data breach under the NBD scheme, she said, it is only a matter of time before compensation for a data breach is ordered by the Commissioner.

“There is no recognised common law or statutory action in Australia for breach of privacy, despite recommendations arising out of the Australian Law Reform Commission’s 2014 report ‘Privacy in the Digital Era’ for the adoption of a Commonwealth statutory cause of action for serious invasions of privacy,” she said.

“However, there is the possibility that an eligible data breach may entitle an affected party to pursue an action in negligence against an organisation who has committed a breach where the organisation is found to have a duty of care to maintain adequate security of personal information and it is foreseeable that loss and damage would flow from a breach.”

Class actions for cyber security breaches are yet to be pursued in Australia, she said, but are becoming commonplace in the US, following the introduction of data breach laws.

“Additionally, if an organisation has contractual obligations to its clients, for example, as part of a fee or retainer agreement, that require the organisation to maintain the privacy of the client’s personal information, the client may be entitled to pursue a breach of contract action where it, or a party to whom the organisation has disclosed the information, commits an eligible data breach which causes loss and damage to the individual,” she cautioned.

“While professional services firms may think the new laws have limited bearing on their operations, many firms are failing to properly understand the amount of personal information they hold about individuals, how to best secure that information and how to respond when a breach occurs.”

Ms Cameron said she is seeing instances of firms who are being caught out where management has taken a proactive approach to mitigate privacy risk by having compliant policies and plans in place, but they haven’t properly trained their staff or implemented a culture of privacy.

“In these circumstances, having a privacy policy on your website or data breach response plan that doesn’t, for example, take into account the organisation’s new CRM software, will effectively be useless if a breach occurs where acting swiftly can materially reduce your risk,” she warned.

In order to mitigate the risk of a data breach, she said, firms need to ensure they understand what personal information they hold, ensure its privacy policy, have collection notice and data breach response plans in place and up to date, and make sure employees actually implement and comply with the policies by properly training employees in the organisation’s privacy policies.

“It is also critical that organisations examine their contracts with service providers and other parties with whom client personal information is shared to ensure there are back to back obligations on those parties to deal with the information in accordance with the Privacy Act and where appropriate, to seek indemnities for loss and damage from those parties where they are the source of the relevant breach,” she said.

“Firms also need to consider whether they have adequate cyber insurance in place and understand if the policy includes cover for liabilities and losses flowing from a breach, including monetary penalties.”