Data breaches involving individuals’ personal, medical and financial/credit information can result in reputational damage and financial losses, particularly where the breaches result in identity theft. The Australian privacy law provides for an individual affected by a data privacy breach to seek compensation from the organisation involved in the breach. The individual may also have claims for the data privacy breach based on breach of contract, negligence and/or contravention of the Australian Consumer Law.
Stephens Lawyers & Consultants provides a review of the compensation awarded in determinations made during the years 2016-2018 by the Office of the Australian Information Privacy Commissioner (“Privacy Commissioner”) in relation to privacy breaches and some of the factors taken into account by the Privacy Commissioner in awarding compensation and costs. Although the reported individual compensation awards have not been significant to date, ranging from $1,000 to $20,000 for each privacy breach, the overall compensation that may be payable by an organisation could be in the hundreds of millions, particularly where the breach involves the data of a large number of individuals.
The recently reported Marriott International data security incident involving its Starwood hotels guest reservation database may have compromised the personal information of up to 386 million guests, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences. The combination of information varies by guest.
Marriott International, in its update of 4 January 2019, reported that it believed the data involved in the data security incident included approximately 8.6 million unique payment card numbers, which were encrypted, approximately 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers[i]. The data security incident involves personal information of Australian residents who have been guests at Marriott/Starwood hotels.
A class action has already been commenced in the US District Court, Maryland District, against Marriott International in relation to the data breach incident, alleging negligence, breach of confidence and deceptive and unfair trade practices, and claiming compensation for the injury suffered, including anxiety, emotional distress, loss of privacy, and non-economic and economic loss[ii].
Katarina Klaric, Principal at Stephens Lawyers & Consultants, predicts that in 2019 there will be a significant increase in the number of class actions commenced in Australia against companies claiming compensation for data security breaches involving personal and confidential information of individuals.
Compensation under the Privacy Act 1988 (Cth)
Under the Privacy Act 1988 (Cth), individuals have the right to make complaints to the Privacy Commissioner if they believe that their privacy has been breached by an organisation.[iii] The Privacy Commissioner must then investigate the complaint and make a finding about whether the individual’s privacy has been breached.[iv] If the Privacy Commissioner finds that there has been a privacy breach, the Commissioner has the power to make a determination that certain remedies be provided to the individual whose privacy has been breached, including requiring the organisation to pay compensation to the individual whose privacy has been breached.[v]
In recent cases, the remedies awarded by the Privacy Commissioner have included the following:
- An apology.
- A requirement that the agency adopt and implement particular remedial measures in response to privacy breaches.
- A requirement that the agency review its privacy/information handling policies and procedures and conduct staff training.
- A requirement that the agency review the new remedial measures adopted and report the findings of that review to the OAIC.
- Compensation for non-economic loss ranging from $1,000 to $20,000.
- Reimbursement of reasonably incurred expenses ranging from $3,000 to $5,830.[vi]
The Privacy Commissioner can also apply to the Federal Court or Federal Circuit Court for an order requiring an entity to pay a fine for certain privacy breaches or breaches of the credit reporting provisions under the Act. Depending on the type of breach, the fine can range from $525,000 to $2.1 million for a body corporate and from $105,000 to $420,000 for any other entity.[vii]
If an entity is fined for a privacy breach or a breach of the credit reporting provisions, then an individual who has suffered loss or damage as a result of the breach can make an application to the Federal Court or the Federal Circuit Court for a compensation order for the loss or damage suffered, including injury to feelings and humiliation and economic loss.[viii]
Stephens Lawyers & Consultants provides a review of the compensation awarded in determinations made during the years 2016-2019 by the Office of the Australian Information Privacy Commissioner in relation to privacy breaches. [See Our Summary and Review]
Authored by Katarina Klaric and Emma Contebardo
© Stephens Lawyers & Consultants. December 2018.
This update is not intended to be a substitute for obtaining legal advice.
For further information contact:
Stephens Lawyers & Consultants
Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007
[i] Marriott International, Original notice of Starwood Guest Reservation Database Security Incident issued by Marriott International on 30 November 2018 and updated on 4 January 2019 https://answers.kroll.com/?gclid=CNimmt284t8CFY3S1AodI3YNVQ&gclsrc=ds
[ii] Bell and Claffy v Marriott International, Inc. Case 8:18-cv-03684-PX (30 November 2018), https://www.scribd.com/document/394570724/Complaint-Against-Marriott-by-Morgan-Morgan#from_embed?campaign=SkimbitLtd&ad_group=88665X1541752X324bd36c0c01054ac57da6966c6a3c39&keyword=660149026&source=hp_affiliate&medium=affiliate
[iii] Privacy Act 1988 (Cth), s 36.
[iv] Privacy Act 1988 (Cth), s 40(1).
[v] Privacy Act 1988 (Cth), s 52(1) and 52(1A).
[vi] OAIC Determinations webpage, https://www.oaic.gov.au/privacy-law/determinations/
[vii] Privacy Act 1988 (Cth), s 6 and s 80W; see Crimes Act 1914 (Cth), s 4AA for the amount of a penalty unit.
[viii] Privacy Act 1988 (Cth), ss 25-25A.