12 October 2021

Cybersecurity Class Actions

This article written by Kirsten Bowe and Rebecca Slater.

In recent years we have seen a sharp increase in the prevalence and impact of cybersecurity incidents.  In our recent Directions survey, managing IT and cyber risk was the leading issue of material concern for respondents.  And if trends in the United States are any indication, there could be reason for concern.  Trends in Australian fashion, music and film often mirror those of the United States.  This can also be true of legal trends.  Can Australia look to the US to predict what is coming in the cybersecurity (or data breach) class action space?

A (short) history lesson

The tort of privacy was developed in the US in the late 1890s off the back of increasing circulation of newspapers and rapid technological advancements, including the handheld camera.  The Kodak company introduced the first mass market camera in 1901, at a price point accessible to the general public.  Journalists and ordinary people were able to photograph other people in public places for the first time. 

Fast-forward to 2021 – and the Australian Attorney-General’s Department is considering the introduction of a statutory tort of privacy as part of its review of the Privacy Act 1988 (Cth).  From the bench, Justice Keane has recently commented that it “would not be surprising” for the High Court to accept a common law tort of privacy along US lines.

The US also led on the tort of negligence, which was developed in the US in the 1920s.  The tort of negligence found its way to Australian courts some 10 years later.      

How about class actions?  “Equity Rule 48” was passed in the US in 1833.  This allowed for “representative litigation” to be carried out when a multitude of similar individual cases had been filed, in the interests of both justice and convenience.  Unsurprisingly, this coincided with the Industrial Revolution.  New manufacturing processes were advancing faster than workplace safety measures.  This resulted in many workers suffering similar injuries.  These workers were of limited means, and unable to sue individually.  The 1950s were also a key period for class actions in the US.  Civil rights and environmental activists used class actions to provide visibility to their causes.  A key case during this period was Brown v Board of Education of Topeka, which held that segregated schools were unconstitutional. 

The first class action regime was enacted in Australia in 1992, when Parliament amended the Federal Court of Australia Act 1976 (Cth) to enable class actions to be run in Australia.

Current cybersecurity lawsuits in the US

In the US, a lawsuit arising from a data breach may rely on a number of different causes of action.  Where a service provider is involved (for example, a cloud provider that stores customer data for a hospital), the individual affected by the data breach may sue either or both the service provider and the data controller (in our example, the hospital).

Allen v Blackbaud Inc. is an example of a class action suit against an IT service provider.  Blackbaud describes itself as “the world’s leading cloud software company powering social good”.  It manages servers for not-for-profit organisations, educational institutions and organisations in the healthcare space.  It was subject to a three-month ransomware attack which began in February 2020.  (Ransomware is a form of malware that locks down a system of individual files until a ransom is paid.  Often the attacker takes a copy of some or all of the files before locking them and threatens to publish or sell them on the dark web if the ransom is not paid.)  The attack exposed the personal information of students, patients, donors, and other individuals – all of which were customers of Blackbaud’s customers.  Blackbaud paid the ransom, and was then sued.  The class in the resulting class action suit is comprised of individuals whose data was accessed (and not Blackbaud’s “direct” customers, such as universities).  The suit identified the following deficiencies in Blackbaud’s response to the breach:

  • Blackbaud did not provide the affected individuals with timely notice of the breach. It notified users months later in July and August 2020.
  • It failed to identify all of the information that had been accessed. Initially, Blackbaud had claimed that bank account information, social security numbers, usernames and passwords had not been compromised.  This was corrected by Blackbaud in a Form 8-K filing in September 2020.
  • Blackbaud had not properly monitored its IT systems, and this had delayed its awareness of the incident.

The affected “customers of customers” relied on the following causes of action: negligence, breach of privacy, breach of contract (both express and implied), and violations of relevant state data breach legislation.  Damages were claimed for the costs of ongoing credit monitoring and potential future losses arising from identity theft.

A review of recent US cybersecurity lawsuits reveals the following trends:

  • Class action suits are common where a data breach impacts multiple people or businesses.
  • Many class action suits are being filed off the back of ransomware attacks.
  • Where a service provider (for example, a cloud provider) is the cause of the breach, the limitation of liability provision in the relevant contract will be analysed. In many cases, the relevant provision will not have contemplated a cybersecurity incident.  This has raised some interesting questions.  For example, US courts have been asked to consider whether loss of data should be regarded as a loss of property.
  • It can be difficult to identify the responsible entity (i.e. the entity that caused the harm) where a service provider has a complex corporate structure.
  • It is difficult to know what harm may arise in the future due to a data breach today. In light of this, many claims are for potential future losses or to cover the costs of ongoing monitoring activities.
  • However, plaintiffs bringing such claims may not have sufficient standing. US federal courts may not have jurisdiction to hear “speculative”, “conjectural” or “hypothetical” claims.  This means that, for example, the mere possibility that a plaintiff’s credit may suffer if a hacker opts to sell or release this information to those able and willing to exploit it cannot impart the requisite standing.
  • Most (but not all) class action settlements for cybersecurity breaches have a global cap on damages.
  • There have been instances in the US where the cybersecurity expert engaged to identify and close out the vulnerability has been sued.
  • Shareholders of US companies are suing directors for data breaches.
  • Similar to the trend we are seeing in Australia, regulators are bringing lawsuits against large, often multinational, companies who have suffered a data breach.
  • It is tricky, and consequently rare, to go after a hacker. They are difficult to locate, and even if they can be tracked down, jurisdictional issues are likely to arise.
  • In many cases, it appears that the standard of care expected of both organisations and service providers is high.

What’s happening in Australia?

Recent experience in Australian class actions suggests that regulatory action often leads to increased private litigation risk.  In recent years, we have seen both the ACCC and the OAIC commence regulatory action against the likes of Facebook and Google.  High-profile data breaches are also on the uptick, and data breaches overall were trending higher in 2020.  Class actions generally are increasing in prevalence in Australia.

Australia’s first privacy-related class action was brought by NSW Ambulance officers in November 2017.  A contractor unlawfully accessed personal information of 130 officers and sold the information to personal injury law firms.  The claimants alleged that NSW Ambulance was liable for breach of confidence, breach of contract, misleading or deceptive conduct and invasion of privacy.  The NSW Supreme Court approved a $275,000 settlement in that case.  This case did not involve a cybersecurity breach.

There has been an increase in the number of cybersecurity class actions being investigated by Australian law firms. 

The same law firm that represented the ambulance officers is currently investigating a class action against Service NSW in relation to the theft of the personal information of 103,000 customers by hackers in a phishing attack on employee email accounts. 

The causes of action available to US plaintiffs have been canvassed above.  The legal bases for Australian cybersecurity class actions have not yet been considered by the Australian courts.  There is currently no tort of privacy in Australia and no private right of action for a breach of the Privacy Act 1988 (Cth).  However, the High Court indicated in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd that it may be receptive to arguments that a common law right of privacy should be recognised in the future.  In the event of a data breach, other causes of action available to an Australian claimant may include (depending on the circumstances of the breach): breach of contract, negligence, breach of confidence and claims based on general statutory obligations (for example, misleading or deceptive conduct or breach of a company’s continuous disclosure obligations).

The Australian Government’s ongoing review of the Privacy Act 1988 (Cth) has sought public consultation on the potential to introduce a direct right of action for individuals as well as a statutory tort of privacy.  The Issues Paper published by the Attorney-General appears to lean towards the introduction of a direct right of action as the appropriate mechanism to deal with serious breaches of privacy.  Such a mechanism would give standing to classes of individuals to bring an action against regulated entities for widespread or systematic cybersecurity incidents.

When cybersecurity class actions begin to be litigated in Australia, the courts will need to determine the standard of care (ie. what constitutes reasonably prudent cybersecurity practices).  In 2021, security is not absolute, hacking attacks are increasingly in prevalence and sophistication, and industry standards are continually evolving.  What reasonable steps should organisations (including service providers) be taking to prevent security breaches?  If current US trends find their way to Australia, the standard of care will be high.  Organisations and IT service providers will be expected to be informed and proactive in relation to managing cybersecurity risks.

Key contacts

Share on LinkedIn Share on Facebook Share on Twitter
    You might also be interested in

    The rules regarding an employer’s use of “default” superannuation funds are about to change.

    29 October 2021

    An exposure draft has been released of a Bill that would require the development of a new binding code under the Australian Privacy Act to impose enhanced compliance obligations on social media...

    26 October 2021

    From 11 November 2021, the Fair Work Commission (FWC) will be able to make stop sexual harassment against employers or individuals.

    26 October 2021

    Operators of wind farms have new obligations for annual reporting to the EPA as well as ongoing monitoring over the life of the wind farm.

    26 October 2021

    This site uses cookies to enhance your experience and to help us improve the site. Please see our Privacy Policy for further information. If you continue without changing your settings, we will assume that you are happy to receive these cookies. You can change your cookie settings at any time.

    For more information on which cookies we use then please refer to our Cookie Policy.