Compliance risk arises both from actions and words
10 min read
Over the past four months, four data breach class actions have commenced against Optus and Medibank. Prior to that, only one data breach class action had ever been brought in Australia—it ultimately settled for the (relatively) negligible amount of approximately $275,000.1
And yet, these latest proceedings will face many of the same challenges that previously deterred data breach class actions. What’s especially interesting is that plaintiff firms haven’t waited for the likely introduction of a new direct right of action that individuals could bring for a breach of the Privacy Act 1988 (Cth) (expected later this year or early next), which would smooth the path for data breach class actions in the future.
The proceedings will be test cases requiring courts to assess whether certain technical and operational cybersecurity controls and practices are necessary to comply with regulations that are largely principles-based. The plaintiffs may also face challenges in establishing compensable loss.
They also emphasise that both compliance with…
