Retailers at risk of class actions for data breaches
Australia’s struggling retail sector can expect to be targeted by consumer class actions if it fails to protect its customers’ personal information.
Looming regulation will require all businesses to report any data breach “that is likely to result” in serious harm to an individual.
The growth in online shopping will put retailers and consumer brands that hold customers’ financial details at high risk of the increased reputational and commercial damage the new mandatory reporting regime could bring.
From early next year, unless an exception applies, any retailer with turnover of more than $3 million holding customer data, such as credit card details, will be required to not only report a successful cyber-attack to the Office of the Australian Information Commissioner (OAIC) but potentially inform all affected individuals and make a public apology.
Failure to do so, or repeated non-compliance, could not only see civil penalties of up to $1.8 million imposed but also leave them at risk of a further class action.
In May, Target in the United States paid out $US18.5 million to the US government and was close to settling a class action taken by 200,000 consumers, after hackers accessed 40 million credit and debit card details held by the retailer.
The rise of litigation funders in Australia over the past couple of years, coupled with a very well developed class action scheme in Victoria and NSW, makes it almost a certainty that the retail sector here will face legal action if it fails to adequately respond to a cyber attack.
The risk of some businesses seeking to bury or badly handle a data breach, and thereby risking further action, is highlighted by the OAIC. The regulator is expecting to see mandatory notifications double every year, suggesting the current scale of cyber-crime is grossly under-reported.
Outside of the immediate regulatory impact of the new legislation, the longer-term reputational and commercial risk for retailers should also be front of mind.
Faced with global competitors like Amazon, which has the resources to ring-fence its data, many smaller-scale Australian retailers may face their customers choosing to vote with their fingers and not click on a site that’s faced single or multiple mandatory breach reports.
Larger listed retailers could also face major commercial fall-out. Target in the US, which is not connected to the Australian chain, has reportedly spent US$200 million to date managing its one-time data breach in 2013.
Commonwealth government agencies, private sector and other entities are also covered by the legislation, which comes into force from February 2018. Yet retailers and brands that invest so much in building their profile and customer trust risk being the most high-profile casualties of the mandatory reporting regime.
For a retail sector that’s facing challenges on multiple fronts, these new regulations are unlikely to be warmly embraced. Nor can they be ignored.
There are three steps any retailer or consumer-facing brand should be undertaking right now.
Management and directors must take the lead: Data breaches are not an IT problem. They are now a major reputational and financial risk to any consumer-facing brand. Preparation and response should be driven by the top of the organisation. Ensuring robust breach response policies and processes are in place and actively adhered to is critical. Both executives and company directors should ensure they are immediately notified of any potential breach rather than half-way through or at the end of an investigation. Insurance should be reviewed now to cover costs from loss of goodwill and reputational harm from a breach given these are often excluded, and most organisations have not yet put in place cyber risk policies.
Beware the enemy within: That enemy may simply be employee carelessness in clicking on a suspicious link in an email that opens up system access to hackers. Robust cyber solutions coupled with appropriate training programmes to assist employees to be cyber aware will help organisations to identify any attempt by an employee to breach a system, even inadvertently, and are important in mitigating any external regulatory or consumer repercussions if a major breach does occur.
Don’t believe you’re the exception: Cyber criminals are relentless and inventive. It’s not a matter of if an organisation will be attacked, but when. Retailers and consumer brands should have policies on responding to and managing data breaches in place by the end of the year at the latest, but also consider the forms of public apology they may be prepared to give if needed. Simply saying you were let down by a third-party IT provider is no longer enough. Consumer forgiveness for any breach will very much be shaped by when and how a retailer responds.
Ben Allen is a litigation partner at global law firm Dentons and the head of Dentons Australia White Collar & Government Investigations team.