As readers of this blog know, data breach, cyber, and privacy-related issues have become a new important area of securities class action litigation in the U.S. In the following guest post, Andrew Miers, Jason Symons, and Shonagh Rasmussen of the HWL Ebsworth law firm review the possibilities of this type of securities lawsuit in Australia. I would like to thank the authors for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ guest post.
Australia is renowned for having a very fertile securities class action and litigation funding environment (see here). Concern as to the frequency and severity of shareholder class actions is such that an Australian Law Reform Commission inquiry into class action proceedings and third-party litigation funders is currently underway.
Unlike the emerging trend in the US, however, Australia is yet to see a shareholder action specifically related to a data, cyber or privacy breach. In this article, we consider whether such a class action is possible. We conclude that a number of developments could combine to increase the likelihood of this type of class action arising in Australia in the not too distant future.
Growing awareness of cyber risks
Following the worldwide trend, awareness of cyber risk issues in Australia has increased steadily over the last three to four years, from government to the corporate sector to private individuals. In 2016 the Australian federal government launched a “Cyber Security Strategy”, allocating additional funding and ministerial responsibility to cyber security initiatives. Cyber risk issues, mentioned only occasionally in the press as recently as five years ago, now feature almost daily in the media.
Greater regulatory attention to disclosure of cyber risk to investors
With this greater awareness of risk has come greater regulatory scrutiny. A number of Australian regulators have taken an increased interest in cyber risk. For the purpose of this article, we focus on the Australian Securities and Investments Commission (ASIC) (in effect, the equivalent of the Securities and Exchange Commission (SEC) in the US).
ASIC has in recent years positioned itself as something of a corporate cyber regulator and has said a good deal about “cyber resilience” over the last three years. Just as the SEC has renewed its focus on corporate disclosure of cyber security issues to investors (see here and here), ASIC has given listed entities some guidance on disclosing cyber risk.
While ASIC has not published separate, detailed guidance solely on the question of disclosure in the way the SEC has, its “Cyber Resilience: Health Check” report of March 2015 deals more generally with companies’ legal obligations with respect to cyber risk and picks up themes similar to those emphasised by the SEC.
In effect, ASIC has said that a whole host of existing legal obligations require companies to think about cyber risk. None of those obligations mentions the word “cyber” but, like the SEC, ASIC has read cyber risk into what they require.
There are a number of requirements that ASIC points to when it comes to listed entities and their disclosure of cyber risks.
First, there are the continuous disclosure requirements imposed on listed entities by the Corporations Act 2001 (Cth) and the Australian Securities Exchange (ASX) Listing Rules, which require a company to immediately disclose information that a reasonable person would expect to have a material effect on the price or value of its securities. An alleged failure to comply with these obligations, often accompanied by allegations of misleading or deceptive conduct (for example, for failing to correct earlier disclosures once they become outdated), ordinarily forms the foundation of shareholder class actions[i]. ASIC has said that such price-sensitive information may include a cyber attack.
Second, ASIC points to the periodic reporting requirements that all companies, and particularly listed entities, must meet. ASIC says that directors should take cyber risk into account when giving the information in their annual reports that shareholders would reasonably require to make an informed assessment of the entity’s operations, financial position and future prospects. ASIC also says that, for listed entities, cyber risk and resilience may need to be considered in assessing the material business risks to be disclosed in the annual operating and financial review.
The most recent word from ASIC on such disclosure is the following:
“In the operating and financial review (OFR), listed companies should disclose information on risks and other matters that may have a material impact on the future financial position or performance of the entity. This could include digital disruption, new technologies, climate change, Brexit or cyber security.”[ii]
Companies appear to be getting the message that disclosure of cyber risk matters, judging by our informal, high-level review of the annual reports of the ASX top 100 companies for the financial year ended 30 June 2017[iii]. Applying the simple methodology of checking for the phrases “cyber” and “cyber security”, 63% of these companies gave some degree of disclosure about cyber risk. (This is a crude measure: it records whether cyber risk is mentioned at all, not how substantively it is addressed.)
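The keyword review described above can be reproduced with a short script. The following is an added example and is not the authors’ own tool; the company names and report excerpts are constructed for illustration and are not real disclosures. It shows why the phrase searched for matters: an exact search for “cyber security” misses the run-together and hyphenated spellings (“cybersecurity”, “cyber-security”) and passing references such as “cyber risk”, all of which a search for the bare word “cyber” catches, so the two searches can give very different disclosure rates over the same reports.

```python
from typing import Dict, List, Tuple

# Constructed sample excerpts standing in for annual-report text of five
# hypothetical ASX-listed companies (illustrative only, not real disclosures).
SAMPLE_REPORTS: Dict[str, str] = {
    "Company A": "Principal risks include cyber security incidents affecting customer data.",
    "Company B": "We continue to invest in cybersecurity controls and incident response.",
    "Company C": "Key risks: commodity prices, currency movements and regulatory change.",
    "Company D": "A cyber-security breach could disrupt operations and harm our reputation.",
    "Company E": "The Group monitors cyber risk through its Audit and Risk Committee.",
}


def mention_count(text: str, phrase: str) -> int:
    """Case-insensitive count of a phrase's occurrences in one report."""
    return text.casefold().count(phrase.casefold())


def disclosure_rate(reports: Dict[str, str], phrase: str) -> Tuple[int, List[str]]:
    """Share of reports (whole percent) containing the phrase at least once,
    plus the sorted names of the companies that mention it."""
    if not reports:
        return 0, []
    disclosing = sorted(name for name, text in reports.items()
                        if mention_count(text, phrase) > 0)
    return round(100 * len(disclosing) / len(reports)), disclosing


def summarise(reports: Dict[str, str], phrases) -> Dict[str, int]:
    """Disclosure rate for each search phrase, so the effect of the phrase
    choice on the headline figure is visible side by side."""
    return {phrase: disclosure_rate(reports, phrase)[0] for phrase in phrases}


if __name__ == "__main__":
    for phrase, rate in summarise(SAMPLE_REPORTS, ("cyber", "cyber security")).items():
        _, names = disclosure_rate(SAMPLE_REPORTS, phrase)
        print(f"{phrase!r}: {rate}% of reports ({', '.join(names) or 'none'})")
```

On the constructed sample, “cyber security” is found in one report in five (20%) while “cyber” is found in four (80%); the figure reported for the ASX 100 therefore depends as much on the search terms as on what the companies wrote.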
Mandatory data breach notification
Australia has also recently introduced mandatory data breach notification, in force since 22 February 2018. The “Notifiable Data Breaches Scheme” (NDB Scheme) under the Privacy Act 1988 (Cth) requires organisations covered by that Act (broadly, businesses with an annual turnover of more than $3 million, together with certain others regardless of turnover) to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when there has been an ‘eligible data breach’, that is, unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to the individuals concerned.
The NDB Scheme does not necessarily result in the details of a breach becoming public knowledge: the organisation need only publish the notification on its website if it is not practicable to notify each affected individual, and the OAIC publishes only anonymised quarterly statistics rather than details of individual breaches. There is no doubt, however, that the legislation is giving greater prominence to, and public awareness of, data breaches. For a large-scale breach in particular, the sheer number of people notified, combined with word of mouth and social media, means that the notification in effect becomes public knowledge.
Active interest by litigation funders in privacy related actions
Litigation funders are also now showing greater interest in privacy-related actions. July 2018 saw the commencement of what is understood to be the first funded privacy breach-related representative action in Australia, backed by IMF Bentham, the largest litigation funder in Australia. The action takes the form not of a class action in the courts but of a representative complaint lodged with the OAIC on behalf of 300,000 Australian Facebook users whose data was caught up in the Cambridge Analytica scandal.
While this is not a shareholder action but a privacy action by those whose personal information was used, it does at least indicate that litigation funders are starting to take an interest in privacy-related claims. Combined with the fact that litigation funders in Australia are already very active in shareholder actions, this could be a potent mix, and we may well see the very type of privacy breach-triggered shareholder action now appearing in the US.
The missing ingredient: Impact on share prices
A number of studies have examined the impact of a data breach on a company’s share price in the US and the UK[iv]; none has been undertaken in Australia, for the simple reason that there is not yet a large enough sample of publicly known data breaches involving listed entities.
The statistics released by the OAIC since the NDB Scheme commenced on 22 February 2018 indicate that it had received 305 notifications by 30 June 2018. Of those, 194 notifications, almost two thirds of all breaches reported, related to fewer than 100 people (and 71 of those related to only one person’s data).
Of the genuinely large-scale breaches, those affecting more than 10,000 people, there were only nine in total: eight in the 10,000 to 100,000 range and one involving more than a million people. It is not clear, however, how many of those involved a listed entity.
So even after the commencement of the NDB Scheme, few breaches have been of a scale likely to affect a company’s share price. Certainly, we are not aware of any breach notified to the OAIC that was also disclosed to the ASX on the basis that it was likely to have a material effect on the share price.
Although we are yet to see an Australian company suffer an obvious share price fall on revealing a data breach, we have seen in recent times share price falls, and subsequent class actions, when other major regulatory or compliance issues have become public. It is therefore entirely conceivable that, as data breach notification activity increases and regulatory focus on this area continues to grow, a data or cyber breach (possibly accompanied by regulatory action or investigation) could affect a company’s share price. If so, and particularly if there is an allegation that the incident or issue was not disclosed when it should have been, we may well see a confluence of factors leading to data or cyber breach-related shareholder class actions in Australia.
Andrew Miers, Partner, HWL Ebsworth
Jason Symons, Partner, HWL Ebsworth
Shonagh Rasmussen, Senior Associate, HWL Ebsworth
(The authors also wish to acknowledge the contributions of Jonathan Tapp, Matthew Harding, Julian Amato and Cassandra Gill to the ideas and research behind this article.)
[i] A key proposal in the Australian Law Reform Commission’s current inquiry into class action proceedings is that the Australian Government commission a review of the legal and economic impact of the continuous disclosure and misleading and deceptive conduct provisions, having regard to the propensity for corporate entities to be the target of funded class actions and to the availability and cost of D&O insurance.
[ii] John Price, ASIC Commissioner, “ASIC update: Informing and engaging shareholders”, Australasian Investor Relations Association 2018 – Annual half-day seminar, 7 June 2018
[iii] At the time of writing, companies are in the midst of disclosing their 30 June 2018 financial results but not all results have yet been reported, hence our focus on the previous financial year.
[iv] See, for example, the study undertaken in the US by Comparitech, published in July 2017 (see here), which focussed on 24 companies publicly listed on a major stock exchange (most on the NYSE) that had suffered data breaches involving 1 million or more records, and a study undertaken in the UK by the Ponemon Institute and Centrify, published in May 2017 (see here), with a wider sample of 113 companies that had experienced a data breach involving customer or consumer data.