subscribe to our newsletter
Data breach laws exposing firms to new litigation risks

Data breach laws exposing firms to new litigation risks

Cyber security
Miranda Brownlee
27 April 2018

With class actions for cyber security breaches now commonplace in the US, SMSF firms have been warned that serious data breaches may give affected parties additional rights to pursue compensation.

With class actions for cyber security breaches now commonplace in the US, SMSF firms have been warned that serious breaches occurring here in Australia may entitle affected parties to pursue compensation for damages beyond the penalties listed in the Privacy Act.

Speaking to SMSF Adviser, Rigby Cooke Lawyers partner Julia Cameron said most of the attention surrounding the introduction of the Notifiable Data Breach (NDB) scheme under the Privacy Act 1988 has been on the financial penalties capable of being awarded to affected parties.

However, where the breach is sufficiently serious and causes loss and damage to individuals, affected individuals may have additional rights and remedies to pursue damages against breaching organisations, warned Ms Cameron.

“These additional rights include filing a complaint with the Australian Information Commissioner (Commissioner) which can result in a determination requiring the organisation to pay compensation for any loss or damage to affected individuals,” she explained.

“In assessing loss and damage for the purpose of calculating compensation, the Commissioner will consider injury to feelings and humiliation suffered by the complainant.”

While there have not yet been any determinations by the Commissioner awarding compensation for an eligible data breach under the NBD scheme, she said, it is only a matter of time before compensation for a data breach is ordered by the Commissioner.

“There is no recognised common law or statutory action in Australia for breach of privacy, despite recommendations arising out of the Australian Law Reform Commission’s 2014 report ‘Privacy in the Digital Era’ for the adoption of a Commonwealth statutory cause of action for serious invasions of privacy,” she said.

“However, there is the possibility that an eligible data breach may entitle an affected party to pursue an action in negligence against an organisation who has committed a breach where the organisation is found to have a duty of care to maintain adequate security of personal information and it is foreseeable that loss and damage would flow from a breach.”

Class actions for cyber security breaches are yet to be pursued in Australia, she said, but are becoming commonplace in the US, following the introduction of data breach laws.

“Additionally, if an organisation has contractual obligations to its clients, for example, as part of a fee or retainer agreement, that require the organisation to maintain the privacy of the client’s personal information, the client may be entitled to pursue a breach of contract action where it, or a party to whom the organisation has disclosed the information, commits an eligible data breach which causes loss and damage to the individual,” she cautioned.

“While professional services firms may think the new laws have limited bearing on their operations, many firms are failing to properly understand the amount of personal information they hold about individuals, how to best secure that information and how to respond when a breach occurs.”

Ms Cameron said she is seeing instances of firms who are being caught out where management has taken a proactive approach to mitigate privacy risk by having compliant policies and plans in place, but they haven’t properly trained their staff or implemented a culture of privacy.

“In these circumstances, having a privacy policy on your website or data breach response plan that doesn’t, for example, take into account the organisation’s new CRM software, will effectively be useless if a breach occurs where acting swiftly can materially reduce your risk,” she warned.

In order to mitigate the risk of a data breach, she said, firms need to ensure they understand what personal information they hold, ensure its privacy policy, have collection notice and data breach response plans in place and up to date, and make sure employees actually implement and comply with the policies by properly training employees in the organisation’s privacy policies.

“It is also critical that organisations examine their contracts with service providers and other parties with whom client personal information is shared to ensure there are back to back obligations on those parties to deal with the information in accordance with the Privacy Act and where appropriate, to seek indemnities for loss and damage from those parties where they are the source of the relevant breach,” she said.

“Firms also need to consider whether they have adequate cyber insurance in place and understand if the policy includes cover for liabilities and losses flowing from a breach, including monetary penalties.”

Data breach laws exposing firms to new litigation risks
smsfadviser logo
join the discussion

What do you plan to do in response to the new adviser education standards?

SUBSCRIBE TO THE
SMSF ADVISER BULLETIN

Get the latest news and opinions delivered to your inbox each morning

In this month's issue:

  • Time wrap
  • The tech bull run
  • From hobby to passion
  • Golden Years
  • An untimely reminder
  • Why change is so difficult
  • Key Strategies for equalising super