Thursday, 4 August 2022

The spectre of class actions for data breaches is looming over Australian business.

Considering the pace at which these matters are unfolding internationally, it is highly likely to be a case of when, not if, similar lawsuits will be seen here.

In the US and Canada, in particular, class actions against corporations following breaches of sensitive personal and business data are increasing. Payouts to consumers and shareholders are running into the hundreds of millions of dollars - a clear signal Australian organisations should be moving quickly to mitigate the risks. Class actions greatly magnify the financial and reputational losses inflicted by cyber breaches. Once a precedent is set here, the floodgates will likely open. Exacerbating the impact on companies, these events make headlines, diminish consumer confidence and potentially send stock values plummeting, adding to the already high cost of paying ransom demands and simply mopping up after a cyber attack.
Among the most recent international cases, the class action lawsuit against US mobile carrier T-Mobile ranks among the most devastating. The telco has agreed to a US$350 million class action settlement after a staggering 76 million customers had their sensitive data exposed in August 2021. The settlement carries the potential to be the second largest for a data breach in US history, after Equifax’s US$700 million payout in 2019. As if the tarnished public reputation and financial loss suffered by T-Mobile were not great enough, the telco is also required to pay an additional $150 million to upgrade data security.[1]
Such scenarios are particularly worrying for Australian company directors. Not only is it highly likely such cases will occur here, there now exists the very real potential for company directors to become targets of legal action and suffer great personal expense themselves. The federal government has also flagged interest in increasing the liability of company directors, with reforms outlined in a recent discussion paper that would make them personally responsible for cyber-attacks.[2]
With mandatory reporting laws now in full force, organisations and their board members should already be highly motivated to tighten cyber defences. From July 8, following an initial three-month grace period, companies deemed as managing critical infrastructure have been required to report critical cyber incidents to the Australian Cyber Security Centre (ACSC), a branch of the Australian Signals Directorate, or face fines beginning at $11,100.[3] Australia has also just witnessed its first prosecution for inadequate cybersecurity measures in the case of RI Advice.
As sophisticated cybercrime proliferates exponentially in Australia, statistics, as well as laws, dictate the wisdom of strengthening cyber defences as much as possible. The Australian Institute of Criminology puts the cost of cybercrime for the nation’s economy at $3.5 billion a year, with another $597 million spent annually on dealing with the consequences.[4]
This backdrop of rising cybercrime, the looming threat of class actions occurring in Australia, and the prospect of company directors becoming personally liable should have directors and senior management elevating cyber risk management to the highest priority.
Clearly, cyber risk management is as imperative as any other corporate goal – what good are impressive share prices and glowing profits if a company’s tech defences are so weak it can lose operational control in seconds? Once a hacker gains access to a company’s software system, they can disable operations at any time, render management and workers powerless and unleash their threats to steal data, lock systems down indefinitely and demand ransoms in return. The very public nature of these incidents, due to the increased regulatory scrutiny and reporting requirements, further adds to the risk.
The reality is that corporate Australia has no choice but to address its cyber position to even have a chance of mitigating, let alone preventing, data breaches and damage bills that could quite possibly be too large for many to withstand.