Data Breach – the first “Class Action” complaint made against Optus

• Many Australian businesses must disclose when they have been affected by a data breach
• While reputational damage is a critical risk for businesses, there is also the threat of monetary penalties of up to $2.1 million and orders of uncapped compensation
• A representative complaint – similar to a class action – has been made against Optus on behalf of a group of individuals affected by an alleged breach in 2019.

Data breaches have become increasingly common over the past few years in Australia. The names of trusted businesses, big and small, have been tarnished with reports of failing to secure personal information resulting in a data breach – Optus, Facebook, PageUp, BUPA, Commonwealth Bank (CBA), the list continues.

The introduction of the Notifiable Data Breaches (NDB) scheme in 2018 has exposed the prevalence of data breaches because eligible breaches now must be notified to both affected individuals and the Office of the Australian Information Commissioner.

NDB scheme – what is it?

Generally speaking, businesses with an annual turnover of more than $3 million and government agencies are required notify affected individuals and the OAIC when:

1. there is unauthorised access to, or disclosure of, personal information held by an organisation or agency, or loss of personal information occurs where unauthorised access or disclosure is a likely cause (a breach);
2. individuals are likely to suffer serious harm as a result of the breach; and
3. despite the remedial action taken by the organisation, they have not been able to prevent the likely risk of serious harm to the individuals.

Entities with an annual turnover of less than $3 million may also be required to comply with the NDB, including if they:

• provide a health service (this captures almost all businesses in the health, wellbeing and medical space);
• provide services to the Commonwealth Government; or
• are related to another organisation that has an annual turnover of more than $3 million.

Optus as a case study – what happened?

In a highly publicised example of how a data breach unfolds, in October 2019, it is alleged by lawyers acting for affected individuals, Maurice Blackburn, that SingTel Optus Pty Ltd. (trading as Optus) wrote to almost 50,000 customers to inform them their personal information had been mistakenly provided to Sensis (White Pages) and made publicly available online.

Maurice Blackburn alleges that the names, address, mobile numbers (and for some, home phone numbers) were published in the White Pages without the consent of the customers. Optus told customers that their information had been:

• listed online at whitepages.com.au;
• potentially printed in the local printed White Pages;
• listed with operator directory assistance; and
• possibly listed in other smaller online directories.

It has been reported that when the breach was identified, the information published online was removed, but for obvious reasons the information that was printed could not be removed from circulation.

What recourse do individuals have?

While it is commonly said there is no “right to privacy” in Australia, that is not technically correct. Organisations and government agencies that are required to comply with the Privacy Act 1988 (Cth) (Act) must handle individuals’ personal information in accordance with the requirements of the Act and the Australian Privacy Principles (APPs). The APPs impose strict obligations on businesses and government agencies to maintain the security of the personal information and to only collect, use and disclose personal information in specific ways to protect that information.

While there is no specific privacy-based cause of action available to individuals by which a person can claim damages through the courts in Australia, the OAIC holds a wide range of enforcement powers where a complying entity breaches the Act and the APPs. This includes issuing financial penalties of up to $2.1 million for organisations, ordering injunctions and compensation orders and accepting enforceable undertakings from infringing businesses.

Individuals can make a complaint to the OAIC, and the OAIC has the power to also launch its own investigations.

The Act also allows a number of individuals to make a joint complaint to the OAIC. This is known as a “representative complaint”. A representative complaint is brought in a way similar to a class action in a court proceeding, whereby cases affecting large groups of people are pursued and heard together, rather than requiring single complaints to be lodged individually.

In what is believed to be the first use of this right under the Act, Maurice Blackburn has filed a representative complaint with the OAIC against Optus for a breach of the Act. The complainant alleges Optus failed to take proper steps to protect its customers’ privacy, including by disclosing their personal information that was originally collected for one purpose for another purpose (i.e., placing their information in phone directories) – allegedly without the individuals’ consent.

The complaint will be investigated by the Australian Information Commissioner and Privacy Commissioner. If the complaint is substantiated, remedies that may be available to members of the representative group include an award of compensation, reimbursement of expenses incurred in making the complaint and the investigation of the complaint and an order that Optus must take certain steps to redress any loss or damage that has been suffered. The potential value of an order for compensation is not capped.

This is not Optus’ first brush with the OAIC. In 2015 the OAIC accepted an enforceable undertaking as a result of a series of related privacy incidents in 2013 and 2014.

What should businesses be doing?

This should serve as a reminder for all businesses to ensure the security and proper use of personal information they hold. Regardless of the outcome of this representative class action, Optus’ name has again been publicly used alongside the words “data breach”, undoubtedly leaving customers questioning the security of their personal information held by Optus.

We are experienced in assisting businesses with practical approaches to securing the personal information and responding to actual or suspected data breaches. Moving quickly, seeking appropriate advice and acting transparently are critical in the circumstances of a suspected breach.

Call our Privacy and Data Protection team to discuss your privacy needs.