Legal issues arising from the Medibank data breach

Michael Williams, a partner at Gilbert + Tobin and intellectual property practice lead, said the key legal issues arising from the Medibank hack in October, which has compromised the sensitive information of almost 10 million customers, relate to compliance with the Privacy Act, the way systems were breached and potential liabilities as well as compensation.

“The issue of potential compensation is the subject of a class action being considered, and it depends on whether there is a recognised legal duty to keep that information protected,” said Williams.

“At the moment, laws are still evolving around the extent to which there are private rights enabling customers to claim compensation for data breaches,” he said.

REvil, the criminal group behind the attack, stole data on Medibank employees as well as 9.7 million current and former customers, including sensitive health information relating, in some cases, to drug addiction, mental health and abortion.

Williams explained that it is unknown whether courts are going to recognise people’s individual rights of action. Moreover, issues may present around compensation as some members of the class action will have suffered specific damage while others may only have a general concern about their data being made public.

“In other legal jurisdictions, it remains a contentious issue whether people who are the victims of a cyber breach have to demonstrate that they’ve actually suffered a loss or whether it’s presumed,” said Williams.

“That aspect is still developing in Australia, which means it may only be through a case like this that courts will determine where the relevant boundary is between claims that can be made for loss, and those that can’t be recovered because there hasn’t been a loss suffered.”

Williams said what differentiated the Medibank data breach from the Optus hacking incident in September is that it concerns sensitive personal health data and is likely more difficult to compensate.

“You can replace a passport; you can’t really replace what’s happened with your private medical history that may have been made public,” he said.

“I don’t think it’s clear yet how the court can compensate people for having private information about their medical history released which can’t be pulled back.”

While the Federal Government is considering a ban on paying ransoms, Williams said the issue is more complicated. “Anecdotally, there’s a lot of evidence that people suffering small personal cyber-attacks and ransomware attacks are paying the money,” said Williams.

“While I’m certainly not advocating for that as a universal position, the fact that people do it in practice because that’s the only way they can secure or access data that’s been compromised personally indicates it’s not such a black and white issue.”

Williams also highlighted the difficulty in deciding where a ban on ransoms should sit within the legal framework: “It wouldn’t necessarily be in the Privacy Act, which is designed to do something quite different, and therefore is it going to be a new criminal offence?

“If so, it’s an odd one because it criminalises self-help steps taken by victims or associates of victims who are trying to minimise the harm they suffer. Is that really something that is going to happen: prosecuting the victims of cyber breaches?”

Williams stated that this incident may lead to significant policy changes and be the impetus required to shift the way in which we respond to cyber breaches.

“For a long time, our government has tended to focus on this as being a business-preventable situation,” he said.

“Now there’s more of a recognition that this is bigger than an individual company’s responsibility.

“Simply blaming companies, who are also victims, each time there is a cyber-attack is probably missing a point that it’s an unequal battleground between the cybercriminals and the companies.”

Associate Professor Michael Duffy, Director of Corporate Law, Organisation and Litigation Research Group at Monash Business School, told LSJ that companies need to look at their internal procedures and conduct. This includes considering whether they should be asking for the information in the first place.

 “Obviously in many cases, they need to [ask] and the government wants them to ask for that information but, in some cases, they may be asking for things they don’t need,” said Duffy.

“For example, people asking for a licence when you’re just booking accommodation, is that vital or not? That is a question for corporations to think about if there is increasing risk of being hacked.”

Another interesting factor being raised by privacy experts is that the hack may involve state actors. While the alleged hackers are not directly state actors, there is cause to believe that Russia has failed to enforce laws against them.

“If there is a state power behind the hack, that means you’re potentially dealing with incredibly powerful actors in terms of possible technology,” said Duffy.

“That increases the level of risk and the need for corporations to act in a manner that foresees the possibility of hacks in the future and tries to minimise the potential loss.

“That might even include storage of data in a manner that’s not linked to the internet.”

Two law firms, Bannister Law Class Actions and Centennial Lawyers, have joined forces to bring a class action against Medibank Private.

To date, they have received over 21,000 expressions of interest in joining the class action. Adjunct Professor George Newhouse, principal solicitor at Centennial Lawyers, said they continue to receive approximately 5,000 expressions of interest a day. “There are a number of people that need urgent assistance,” said Newhouse.

“Those who are frightened of stalkers or violent ex-partners may need to move house, and that cost should be borne by Medibank. There are individuals whose relationships or jobs could be at risk if medical records relating to abortions, addiction or mental health crises become public.”

Newhouse outlined the aim of the class action: accountability, and obtaining compensation for Medibank customers.

“At the heart of this case is a breach of privacy by Medibank and its subsidiaries in breach of their own privacy policy,” said Newhouse. “A business that holds people’s most sensitive and confidential records has to do better.”

Newhouse called for a radical overhaul of the Privacy Act and argued it fails to encourage corporations to invest in better security. He also said we need tougher laws to ensure that data breach notifications are more robust.

If you are a member of the public seeking information on how to connect and work effectively with a legal practitioner, or you just want a better understanding of your legal rights, visit www.lawfullyexplained.com.au