Victim of a cyber attack? Stakeholders split over right to sue

Joseph Brookes
Senior Reporter

The federal government has received mixed feedback on its cyber regulation proposal to make companies more liable to consumers for losing their data in an attack.

Insurers and banks have balked at the proposal, saying it would drive up insurance costs and create complex legal issues for the already regulated industry.

The federal government is considering giving consumers a direct “right to action” against organisations that lose data.

But some experts have backed better recourse for consumers – which has previously been recommended by the consumer regulator – saying it would clarify consumers’ rights and allow them to be exercised.

In July, Home Affairs Minister Karen Andrews unveiled a discussion paper outlining a number of cybersecurity policies and strategies first announced in the 2020 strategy.

The government has already moved ahead with several initiatives from the 2020 strategy, including legislation to protect critical infrastructure and to allow police to access and modify people’s online activity.

The latest discussion paper explores cybersecurity regulations and incentives, including a cybersecurity code under the Privacy Act for personal information and clear recourse for consumers.

The government is already considering a “direct right to action” for privacy breaches in its ongoing review of the Privacy Act. The cyber paper notes privacy law has the “greatest potential” to set broad cyber security standards, and a right to action could be applied to cyber security breaches involving personal information.

“This would mean that in certain circumstances victims of cyber security incidents involving personal information could take businesses who have not taken reasonable steps to protect this personal information (which may include through implementing adequate cyber security practices) to court and seek damages,” the discussion paper said.

It also notes the right to action could include “standards” for penalties and consumer compensation.

In response, insurers and Australia’s banks have warned rising premiums and complex legal issues could follow the right to action and penalties.

The Insurance Council of Australia (ICA), the representative body of nearly all private sector general insurers, said giving individuals the legal right to sue companies that compromise their personal information in a cyberattack would drive up the cost of insurance, including directors and officers (D&O) liability and professional indemnity insurance.

“This is likely to increase the associated risk for that business, introduce uncertainty in insurers’ risk assessments, and increase claims costs… If implemented these factors could increase premiums for certain insurance products, including D&O insurance, across the Australian economy,” the ICA submission said.

“The Insurance Council therefore strongly encourages the Department of Home Affairs to consider broader insurance implications of any cyber security changes to Australian regulations.”

The Australian Banking Association (ABA) warned a direct right to action would raise complex legal issues and more detail is needed on thresholds of liability given cyberattacks are “unavoidable”.

The group agreed the recourse could lead to increased costs of cyber insurance and suggested it could also deter banks from reporting to regulators or warning customers about breaches.

“If liability is linked to regulatory reports of cyber incidents, this could have a chilling effect on early and proactive engagement with regulators and impacted or potentially impacted data subjects,” its submission said.

The ABA concluded giving consumers a direct right to action to seek compensation may produce “very limited benefit” for them and impact innovation in the sector. It recommended any right to action be introduced after more clarity from government and support for businesses’ cyber resilience.

Innovative Research Universities (IRU), a coalition of eight comprehensive universities, said organisations should not be punished for suffering a cyber attack.

“The IRU members observe that cybercrime is perpetrated by criminals, and often criminals with extraordinary capability, significant resources and global reach. In efforts to support consumers, laws should not be enacted that punish the organisations that are themselves the victims of global cyber criminals,” the IRU submission said.

The University of Melbourne said it agreed with the consumer regulator’s call to strengthen the Privacy Act after its landmark inquiry into digital platforms, which includes introducing direct rights for individuals.

But the university added consumers also need the right to withdraw their data if firms are not engaging properly with cyber protections, which would help reduce their risks before an attack.

“To put it another way, if you want to have a voluntary-based scheme for most cybersecurity protections, then you must make it easy, costless and information searchable for consumers, and their data, to exit from a company and their product should that product not meet reasonable consumer expectations,” the University of Melbourne submission said.

The University of Queensland said clearer legal remedies would be welcome and lessen consumers’ reliance on case law.

“Australia is not much of a litigious society but having a legislation and definition to help clear the boundaries is better than nothing. There is no clarification around the right of action for privacy breaches or any implications there will be a damage. Some type of small claims tribunal for cyber security may be an option,” its submission said.

Home Affairs told InnovationAus it intends to post all public submissions to the discussion paper next week. The submissions reported in this article were sourced directly from organisations who have already made theirs public.
