Australia’s banks and insurers are concerned about a plan that would make it easier for individuals impacted by data breaches to sue or seek financial compensation.
Premiums for cyber insurance and director liability products in Australia could rise if consumers are afforded clearer legal avenues to seek compensation for a data breach or cyber incident, insurers have warned.
The ability for consumers “to seek remedies or compensation for cyber security incidents” is currently limited in Australia, but that could change if a “direct right to action” is introduced.
Home Affairs said [pdf] in July that a “right” could be built into consumer or privacy laws, and lead to “standards” being set for payouts to people impacted by a breach.
But the proposal has been met with alarm from banking and insurance groups, concerned at the precedents it would set, and at the potential for liability to discourage disclosure of incidents in the first place.
The Insurance Council of Australia warned that insurance premiums would rise if data breach victims were given easier ways to sue attacked companies that hold their data.
“We urge the government to approach with caution any measures that would place upwards pressure on … lines of insurance, which have faced significant increases in claims costs, and therefore premiums, in recent years,” the council’s CEO Andrew Hall wrote. [pdf]
“[Home Affairs’ consultation] includes a proposal to amend the Privacy Act. Where a cyber attack occurs, the amendment would give affected individuals the legal right to sue businesses that hold their personal information.
“This is likely to increase the associated risk for that business, introduce uncertainty in insurers’ risk assessments, and increase claims costs.
“If implemented, these factors could increase premiums for certain insurance products, including D&O [directors and officers] insurance, across the Australian economy.
“The Insurance Council therefore strongly encourages the Department of Home Affairs to consider broader insurance implications of any cyber security changes to Australian regulations.”
Hall said existing data breach disclosure obligations were satisfactory – without raising the prospect of payouts.
“These already have the effect of enabling consumers to ask questions, request further information in relation to a cyber attack and seek reassurance on steps taken by an organisation,” he wrote.
The Australian Banking Association is equally concerned, saying the recourse proposals create “complex questions that cross multiple legal or regulatory regimes”.
It raised concerns about the threshold for suing a company that is breached, as well as the extent to which “operational incidents” – system outages that aren’t caused by a threat actor – could also become targets for compensation.
“If the threshold is negligence, consumers and entities would also benefit from guidance about what may amount to negligence in the context of cyber security,” the association wrote. [pdf]
“Cyber attacks are unavoidable regardless of precautionary measures and ongoing investment in system resilience, and the impact of cyber attacks will differ.
“As such, consider whether consumers should be required to establish a loss of their personal information or data, as well as financial loss linked to the loss (and how this may be done), or whether the threshold for taking court action should be evidence of a systemic failure to meet minimum cyber security standards and/or failure to protect personal information that results in serious harm.”
The ABA warned that linking liability to “regulatory reports of cyber incidents … could have a chilling effect on early and proactive engagement with regulators and impacted or potentially impacted data subjects.”
It – like the Insurance Council of Australia – was also concerned at the potential for a rise in premiums.
“The [cyber insurance] market is recognised as already ‘hardening’,” the association said.
“This can have consequential impacts on the cost of doing business and impact supply chains.”
Not everyone is against the idea of clear compensatory recourse for customers impacted by data breaches.
Cyber security experts at the University of Queensland suggested [pdf] that “clear, appropriate legal remedies for victims” could be welcome.
“Clear legal remedies are a much better idea, as if it is just generalisable without clarity then you are waiting for a risk-taker plaintiff or one case to define what that is and not every dispute gets to that point,” UQ wrote.
“Having that clarity around what constitutes a breach will help minimise that risk and can provide greater guidance to people in need.
“One issue in this space is that a consumer will not choose to go through a lengthy trial, and probably a class action lawsuit will be the most viable option, but generally people will agree on a small amount (e.g. $1000) to settle and avoid legal action.
“Australia is not much of a litigious society, but having legislation and a definition to help clear the boundaries is better than nothing.”
UQ also added that “some type of small claims tribunal for cyber security may be an option.”