While companies are responsible for keeping clients’ data secure, class actions around data breaches would face significant hurdles in Australian law.
A paper from allied law firms Allens and Linklaters says plaintiffs’ biggest obstacle is establishing how they have suffered economic loss.
Data breaches have become common locally and overseas, but no class actions have been successfully brought in Australia.
The law firm says class actions require a suitable cause of action, and Australia lacks an actionable right to privacy.
Shareholder class actions against companies whose stock is affected by data breaches are a possible route to claims, because that could quantify economic losses.
Plaintiffs could claim a company broke continuous disclosure obligations, but the data breach would have to be big enough to satisfy a court that such obligations applied.
Shareholders could similarly claim the company knew or ought to have known of deficiencies in its systems for handling personal information but failed to disclose them.
They could also base a claim on misleading or deceptive conduct in relation to company statements about handling personal information, which would be revealed as false by the data breach. But quantifying the loss incurred would be difficult. They would need to establish that they relied on those company statements and, by doing so, suffered a loss.
Plaintiffs could run a class action based on breach of contract, but they would have to establish that they suffered an economic loss as a result. They may struggle to attribute the breach to a specific failing by the company.
A breach-of-contract claim is most likely to succeed when brought by a business in the supply chain that can quantify losses incurred, the paper says.
Plaintiffs could claim negligence by an organisation, but compensable loss is again likely to be the most significant hurdle.
Allens and Linklaters suggest complaints to the Office of the Australian Information Commissioner may help law firms build cases.
In the US, successful class actions have been launched by financial institutions or credit card companies that suffered breach-related expenses such as reimbursing customers for fraud-related transactions.
A class action has been launched against NSW Ambulance in connection with a data breach, and Allens and Linklaters expect to see other actions soon.