Data breach laws to drive class actions: IIA

A growth in class action lawsuits against companies revealing data breaches is a likely outcome of the Government’s new laws governing data breach notification, according to the chairman of the Internet Industry Association.

Patrick Fair, also a partner at law firm Baker & McKenzie, told iTnews the mandatory data breach notification legislation introduced into Parliament on Wednesday and set to go live next March would potentially expose companies to class action lawsuits.

“[Affected companies] have to write a notice and send it to each data subject and the Privacy Commissioner and anybody else at serious risk of harm, and those notices provide an immediate class of people who might want to seek compensation through a class action,” he said.

“It facilitates a claim against the organisation.

“It’ll depend on the breach, but it’s certainly going to be something that gets tried out in a way that it hasn’t before, because organisations have been able to manage the issue in private.”

The Government is aiming to make the new mandatory data breach notification legislation live in March next year alongside the introduction of the new Privacy Act 2012.

The data breach laws would force companies to notify the Federal Privacy Commissioner and affected consumers when data breaches occur, or when an organisation is at “real risk” of a breach.

Those organisations that fail to take “reasonable steps” to secure customer data prior to a breach could face penalties of up to $1.17 million for repeat and serious offenders. Serious individual offenders face fines of up to $340,000.

Small-scale offenders face fines of up to $170,000 for organisations and $34,000 for individuals.

Fair said the legislation was fairly ambiguous as to what constituted “real risk” of harm - defined in the legal documents as “not remote”.

The draft legislation categorises harm in three categories: financial, economical or reputational.

Fair said there would be many instances, such as a breach involving credit card details, where there would be no question of a risk. But the wording of the legislation was murky enough to make it difficult for organisations to decide whether they needed to make notification.

“It’s particularly problematic with this law where the penalties are very high and the threshold is quite low,” he said. 

“If you hear the phrase ‘real risk’, you think probable or likely risk. Or some serious possibility of it. But the definition of the act is ‘not remote’.

"So they mean ‘real’ in the other sense, in that it’s just ‘not remote’. And boy that’s a pretty low threshold as well.”