Businesses could face significant civil penalties if data breach class actions gain momentum.

Australian businesses are about to enter a new era of cyber security accountability, with new mandatory data breach legislation set to come into force by February 2018.

However, the changes could see a surge in cyber-based class action lawsuits – a trend that is already taking place in the US. Class actions are where a group of people who are affected by an incident – such as a data breach – sue the defendant together.

High-profile data breaches at Target, Home Depot and the Ashley Madison website over the last five years have all been subject to class actions.

So, could substantial civil penalties be on the horizon for SMEs that fail to protect sensitive information?

Complying with the new law

The Privacy Amendment (Notifiable Data Breaches) Bill requires Australian firms with over $3 million a year revenue to inform customers and the Privacy Commissioner that a data breach has occurred.

Businesses must notify relevant stakeholders within 30 days of becoming aware of the incident. Otherwise, they may be liable to a fine of up to $1.7 million. But enterprise owners could face significantly higher costs if class actions become as common in Australia as they have in the US.

High-profile data breaches at Target, Home Depot and the Ashley Madison website over the last five years have all been subject to class actions. These organisations agreed to pay US$18.5 million (AU$24.4 million), US$19.5 million and US$11.2 million, respectively, in settlements to consumers alone.

Equifax has just been hit with a 50-state class action lawsuit, comprising 240 individual class actions from across the country, according to CSO.

If successful, the case could result in massive compensation payments, severe reputational damage and mounting legal fees for the beleaguered credit information company.

Will class actions come to Australia?

Mandatory data breach legislation already exists in the majority of US states, and research from legal firm Bryan Cave found that class action filings are closely linked to public notifications that a cyber attack has occurred.

In other words, the risk of class action lawsuits rises alongside data breach transparency. Australian businesses will no doubt be concerned that the upcoming legislation will have a similar effect as in the US.

A recent ASIC study found that 80 per cent of ASX 100 companies believe cyber risk to their business will increase over the next year, but what about SMEs?

The good news is that small firms are less likely to face a class action lawsuit due to their size and financial resources. Nevertheless, SMEs should have a cyber security risk strategy in place to ensure they meet responsibilities set under the new data breach laws.

A comprehensive cyber insurance policy can help businesses cover the financial losses associated with a breach, including PR costs to tackle reputational damage. Talk to a member of the team at MGA Insurance Brokers today to discuss your needs.