Gilchrist Connell partner discusses the legal recourses for affected consumers
Due to the recent hacking of Optus, many of the telco company’s former and current customers had their personal data exposed. The ACCC reported that scammers have already used the compromised information to go after vulnerable victims, and in order to protect themselves, customers are taking their concerns to regulators.
“Affected individuals who have had their personal information stolen have already made complaints to the Office of the Australian Information Commission (OAIC) and the Telecommunications Industry Ombudsman (TIO). There will be more to come,” Nitesh Patel, head of cyber at Gilchrist Connell, told Australasian Lawyer.
“As you would expect from a cyber incident that has resulted in a data breach of this scale, there will be significant legal impacts for Optus. The question marks raised about how the incident has been handled and the scrutiny by the industry of Optus’ environment have effectively raised the stakes for them.”
Patel pointed out that class actions could be filed against the company on behalf of a group of victims, although such a case is, for the most part, unprecedented.
“The ability of an individual or class of individuals affected by a data breach to bring a claim is largely untested in Australia. This is in part because there is no general right of privacy or direct right of action for individuals to bring a claim due to an interference with their privacy,” he explained.
While the need to demonstrate a quantifiable loss due to the hack (financial or otherwise) is generally a barrier, Patel noted that individuals have made it known that they have already incurred considerable expenses as a result of having to change passports and drivers’ licences and to implement data breach responses.
Optus will also have to prepare for more than just individual complaints.
“Slightly further afield, Optus will be dealing with a range of contractual queries and disputes by clients (including larger corporate clients who may have imposed specific data security obligations into agreements) and sponsors as they consider the implications of this incident,” he said.
“Any disputes that are not resolved could result in further litigation. Corporate clients of Optus should also consider if any of their security incident and data breach notification obligations have been triggered. Corporate clients, like affected individuals, will look to hold Optus liable for any loss and damage they suffer as a result of the incident.”
In addition, the telco company could be taken to court by regulators over its data handling practices, “given the general dissatisfaction expressed by a number of prominent government and industry figures about the suspected cause of the incident and the handling of the response to date,” Patel pointed out.
“This incident will very likely give rise to enquiries and investigations by a number of regulators. These investigations will not necessarily be confined to the incident at hand and could look at Optus’s cyber security and information handling practices more broadly,” he said.
“The investigations may lead to a range of outcomes including fines and penalties, undertakings, determinations and directives requiring Optus to take steps in response to the incident or improve their practices. It may also result in court action that could assert Optus’ data handling practices constituted misleading and deceptive conduct among other things.”
Cyber risk mitigation for law firms and organisations
While the Optus hack has been the centre of media attention thus far, “it is not the first major cyber incident in Australia and will not be the last,” Patel warned.
“The development of cyber law needs to stay on the agenda so necessary reforms can be made to better protect the privacy of Australians and to improve Australia’s cyber resilience,” he said.
Patel cautioned both corporations and law firms to be mindful of mitigating cyber risk to avoid such breaches, citing the ACSC’s Essential Eight as “a great baseline.”
“Law firms, just like any other business that relies on technology and the internet, need to take steps to mitigate cyber risk. We are an attractive target for malicious actors because of the value and sensitivity of the data we hold but also because of the regular dealings with significant sums of money. Because of this, law firms should see themselves as a high-risk profession and take suitably significant steps,” he explained.
“Organisations should have a tested incident response plan ready to act upon if there is a cyber incident or data breach. The plan should at minimum identify key internal and external response team members and their roles, internal and external communications strategies, key legal and regulatory obligations and preliminary postures on critical decisions (including around ransom demands).”