Get all your news in one place.
100’s of premium titles.
One app.
Start reading
ABC News
ABC News
National

The Optus customer data breach could lead to a class action lawsuit. What might that look like?

As the shockwaves from the massive Optus customer data breach ripple across Australia, there are already rumblings of a class action lawsuit.

In Melbourne, law firm Slater and Gordon said on Tuesday it was investigating whether a deficiency in Optus's management of data had led to the personal information of nearly 10 million current and former customers being leaked.

"At this stage, we consider that affected customers may have claims against Optus for, among other things, failing to properly store and secure customer data and allowing it to be accessed by a bad actor," the firm's Ben Zocco said.

"Since announcing the investigation yesterday we've had many thousands of customers register their interest to participate in any proceedings."

Here's what experts say a class action could mean.

What's a class action about?

Michael Duffy, an associate professor and director of a corporate law and litigation group at Monash University, said class actions are a way for groups of people to seek remedies to a problem that affects them all.

"If there is a large class action... then they have the right through a representative to sue someone or some entity that they believe has breached [the law]," he said.

"The representative party would represent the whole group to try and obtain a remedy , which is probably compensation, but possibly other remedies as well."

Class actions can seek compensation for people with varying connections to the person or entity being sued, such as investors in this year's class action against Star Entertainment Group, or protesters, who this month launched a class action against the Victorian government.

Who could join an Optus class action?

Dr Duffy said class actions can involve "anything from seven people upwards".

In Optus's case, it could involve thousands of people.

"Class actions are opt out, so you are nominally covered by a class action if you fall within the group definition," Dr Duffy said. 

Dr Duffy said customers may need to come forward at a later stage in the class action to indicate their actual loss or damages incurred as a result of the data breach.

"Customers have something called an obligation to mitigate their loss," he said.

"If you're claiming loss or damage, you need to keep records of what you've lost in damages and how you might prove that."

What's the key issue in this case?

If Slater and Gordon decides to pursue the class action, it would be representing the people affected by the data loss.

The firm would be aiming to show that Optus's data management led to the personal information about its customers being leaked.

Slater and Gordon would then likely try to claim compensation to remedy the losses that Optus's customers have experienced.

Michael Douglas, a senior lecturer at the University of Western Australia Law School said it's hard to predict the specific claims of the class action.

"It will depend on what exactly the lawyers say is the legal basis of the claim," he said.

How likely is it a class action would succeed?

Dr Duffy said there was not much precedent for class actions like this, making it difficult to say whether it was likely to succeed. 

"It hasn't been a big area for class actions, privacy law and privacy breaches," he said.

Dr Duffy also said it was not yet clear if the law had been breached.

He said if breaches of federal privacy legislation and civil penalty orders had occurred, "there is provision for people who have suffered loss and damage as a result of such breaches to seek compensation".

Dr Duffy said if it could be proven that Optus was negligent in a manner that caused loss and damage to customers, this could also be grounds for damages.

While a number of states have pledged to waive fees for replacement driving licences, affected customers may have to take further steps to update and secure other personal data.

However Michael Douglas said demonstrating the harm Optus customers suffered as a result of the data breach could be challenging.

"Unless someone has used this information to take their stuff, to make money or use their identity in some fraudulent damaging way, it's going to be really hard to succeed," he said.

What laws would be used as the foundation of the class action?

Mr Douglas said it's not entirely clear what legal principles a class action against Optus would rely on. 

"In Australia, privacy is not protected to the same extent that it's protected in other parts of the world," he said. 

"Although Australia does have privacy laws, which regulate how companies like Optus must deal with our personal information, those laws in my opinion don't provide much teeth for persons who suffer an invasion of privacy to sue."

He said recent enquiries into possible law reforms have focused on Australian privacy laws.

"The mere invasion of privacy is a wrong that should sound in a judicial response, but there's a gap in our law and we're still waiting for the Federal Government to act in this area," he said. 

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.