Data breaches involving individuals’ personal, medical and financial/credit information can result in reputational damage and financial losses, particularly where the breaches result in identity theft. Australian privacy law provides for an individual affected by a data privacy breach to seek compensation from the organisation involved in the breach. The individual may also have claims arising from the data privacy breach based on breach of contract, negligence and/or contravention of the Australian Consumer Law.
Stephens Lawyers & Consultants provides a review of the compensation awarded in determinations made during the years 2016-2018 by the Office of the Australian Information Privacy Commissioner (“Privacy Commissioner”) in relation to privacy breaches and some of the factors taken into account by the Privacy Commissioner in awarding compensation and costs. Although the reported individual compensation awards have not been significant to date, ranging from $1,000 to $20,000 for each privacy breach, the overall compensation that may be payable by an organisation could be in the hundreds of millions, particularly where the breach involves the data of a large number of individuals.
The recently reported Marriott International data security incident involving its Starwood hotels guest reservation database may have compromised the personal information of up to 386 million guests, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences. The combination of information varies by guest.
Marriott International, in its update of 4 January 2019, reported that it believed the data security incident involved approximately 8.6 million unique payment card numbers, which were encrypted, approximately 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers[i]. The data security incident involves personal information of Australian residents who have been guests at Marriott/Starwood hotels.
A class action has already been commenced in the US District Court, Maryland District against Marriott International in relation to the data breach incident, alleging negligence, breach of confidence and deceptive and unfair trade practices and claiming compensation for the injury suffered including anxiety, emotional distress, loss of privacy, non-economic and economic loss[ii].
Katarina Klaric, Principal at Stephens Lawyers & Consultants, predicts that in 2019 there will be a significant increase in the number of class actions commenced in Australia against companies claiming compensation for data security breaches involving personal and confidential information of individuals.
Compensation under the Privacy Act 1988 (Cth)
Under the Privacy Act 1988 (Cth), individuals have the right to make complaints to the Privacy Commissioner if they believe that their privacy has been breached by an organisation.[iii] The Privacy Commissioner must then investigate the complaint and make a finding about whether the individual’s privacy has been breached.[iv] If the Privacy Commissioner finds that there has been a privacy breach, the Commissioner has the power to make a determination that certain remedies be provided to the individual whose privacy has been breached, including requiring the organisation to pay compensation to the individual whose privacy has been breached.[v]
In recent cases, the remedies awarded by the Privacy Commissioner have included the following:
- An apology.
- A requirement that the agency adopt and implement particular remedial measures in response to privacy breaches.
- A requirement that the agency review its privacy/information handling policies and procedures and conduct staff training.
- A requirement that the agency review the new remedial measures adopted and report the findings of that review to the OAIC.
- Compensation for non-economic loss ranging from $1,000 to $20,000.
- Reimbursement of reasonably incurred expenses ranging from $3,000 to $5,830.[vi]
The Privacy Commissioner can also apply to the Federal Court or Federal Circuit Court for an order requiring an entity to pay a fine for certain privacy breaches or breaches of the credit reporting provisions under the Act. Depending on the type of breach, the fine can range from $525,000 to $2.1 million for a body corporate and from $105,000 to $420,000 for any other entity.[vii]
If an entity is fined for a privacy breach or breach of the credit reporting provisions, then an individual who has suffered loss or damage as a result of the breach can make an application to the Federal Court or the Federal Circuit Court for a compensation order for loss or damage suffered including injury to feelings and humiliation and economic loss.[viii]
RECENT PRIVACY BREACH CASES – DAMAGES AWARDS
CASES – 2016-2018
‘LS’ and ‘LT’ (Privacy) [2017] AICmr 60
Date of Decision: 26 June 2017
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Requested:
- Clinical notes for the respondent’s treatment of the complainant
- Hospital records for the complainant’s inpatient treatment
- Written passages by the complainant
- Second opinion reports
- Character references
Privacy Breach:
Respondent was a consultant psychiatrist.
Complainant was a patient of respondent between 2003 and 2013.
Respondent administered electroconvulsive therapy (ECT) on the complainant.
In 2014, the complainant made a complaint to the Medical Board of Australia (Board) about the administration of the ECT.
As a part of the Board’s investigation, the respondent provided a response to the Board which included personal information relating to the complainant’s treatment by the respondent.
The complainant requested access to the personal information provided by the respondent to the Board. The respondent refused to provide the complainant with access to the information.
Breach of Australian Privacy Principles (APP) 12.5 and 12.9 by:
- Breach of APP 12.5 – Respondent failing to consider what steps, if any, may have addressed any concerns as to the effect of access on the complainant’s health, having regard to the circumstances and meeting the needs of the entity and the complainant
- Breach of APP 12.9 – Respondent failing to provide the complainant with a written notice setting out the reasons for refusal and mechanisms to complain about the refusal
Damages Award:
$1,000 for non-economic loss
The complainant provided information to the OAIC that she experienced “pressure” from “this protracted frustrating process”.
‘LP’ and The Westin Sydney (Privacy) [2017] AICmr 53
Date of Decision: 7 June 2017
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
The Privacy Commissioner found that ‘personal information’ was disclosed, not sensitive information or health information.
The phone call disclosed that the complainant was unhappy with the room downgrade and regarded it as ‘obviously unacceptable’.
Privacy Breach:
The Westin Sydney recorded a telephone conversation involving the complainant, without the complainant’s knowledge and in doing so, obtained the complainant’s personal information unfairly, in breach of APP 3.5.
Damages Award:
$1,500 for non-economic loss
‘LA’ and Department of Defence (Privacy) [2017] AICmr 25
Date of Decision: 17 March 2017
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
Details of the complainant’s hospital admissions for a period from the 1970s to the 1980s
Privacy Breach:
Breach of APP 6 by disclosing information that was collected for a particular purpose, for some other purpose, without the consent of the complainant
The complainant was an employee of the Royal Australian Air Force.
The Department of Defence released the personal information to the complainant’s son upon receiving a request from the son for access to the information.
Damages Award:
$12,000 for non-economic loss
$3,420 for expenses reasonably incurred
The disclosure of information included disclosure of the complainant’s entire medical history including a prior gambling addiction, which had an adverse effect on the complainant’s psychological health and family relationships.
‘KB’ and Veda Advantage Information Services and Solutions Ltd [2016] AICmr 81
Date of Decision: 25 November 2016
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information:
Credit information of a person who was not the complainant was included on the complainant’s credit report, because the complainant and that other person had a similar name and lived in the same apartment building
Privacy Breach:
Veda had breached sections 20N(1), 20N(2), 20P and 20S(2) of the Privacy Act 1988 (Cth) by:
- Failing to take such steps as were reasonable in the circumstances to ensure that credit information it collected about the complainant was accurate, up-to-date, and complete
- Failing to take steps as were reasonable in the circumstances to ensure that credit reporting information it disclosed was, having regard to the disclosure, accurate, up-to-date, complete and relevant
- Using or disclosing credit reporting information that was false or misleading in a material particular
- Failing to give each recipient of the incorrect information written notice of correction within a reasonable period
Veda confused two individuals (the complainant and another person with a similar name who lived in the same apartment building) and included all of the second person’s poor credit information (including details of a judgment debt of $7,000) on the complainant’s credit report
This affected the complainant’s ability to conduct business as usual, because his credit cards were blocked as a result and suppliers would not supply goods for his business until they received payment from him
Damages Award:
$10,000 for non-economic loss
$5,830 for expenses reasonably incurred
‘JO’ and Comcare [2016] AICmr 64
Date of Decision: 21 September 2016
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
Details of the complainant’s workers’ compensation claims to Comcare regarding workplace injuries sustained by the complainant whilst working for the Department of Defence and the Department of Human Services
The information disclosed included:
- Complainant’s name
- Complainant’s postal address
- Complainant’s email address
- Complainant’s injury dates
- Registered dates
- Claims status: accepted/rejected
- Claims status: open/closed
Privacy Breach:
Comcare breached APP 6 and 11 by:
- Disclosing information about workplace injuries at the complainant’s current employer to his former employer and an insurance company
- Failing to take reasonable steps to protect the complainant’s personal information from unauthorised disclosure
Damages Award:
$3,000 for non-economic loss
‘IY’ and Business Service Brokers Pty Ltd t/a TeleChoice [2016] AICmr 44
Date of Decision: 30 June 2016
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
The complainant’s driver’s licence, Medicare card and a copy of a telecommunications contract signed by the complainant
Privacy Breach:
TeleChoice breached APP 11.1 and 11.2 by:
- Not taking reasonable steps to protect the complainant’s personal information from misuse, interference and loss; and from unauthorised access, modification or disclosure
- Not taking reasonable steps to destroy or de-identify the complainant’s personal information which it no longer needed for any purpose for which it could have been used or disclosed
A journalist discovered a number of documents including personal TeleChoice customer information in open shipping containers on publicly accessible bushland in Hastings, Victoria
The journalist featured a story on A Current Affair about TeleChoice abandoning customer information in a public place
TeleChoice immediately made a voluntary data breach notification to the OAIC and offered an enforceable undertaking to the OAIC to address the privacy incident
Damages Award:
$3,500 for non-economic loss
‘IX’ and Business Service Brokers Pty Ltd t/a TeleChoice [2016] AICmr 42
Date of Decision: 30 June 2016
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
The complainant’s name appeared on the A Current Affair program about the abandonment of TeleChoice customer information on footage of a manila folder spilling out of the shipping container’s entrance onto the ground
Privacy Breach:
TeleChoice breached APP 11.1 and 11.2 by:
- Not taking reasonable steps to protect the complainant’s personal information from misuse, interference and loss; and from unauthorised access, modification or disclosure
- Not taking reasonable steps to destroy or de-identify the complainant’s personal information which it no longer needed for any purpose for which it could have been used or disclosed
A journalist discovered a number of documents including personal TeleChoice customer information in open shipping containers on publicly accessible bushland in Hastings, Victoria
The journalist featured a story on A Current Affair about TeleChoice abandoning customer information in a public place
TeleChoice immediately made a voluntary data breach notification to the OAIC and offered an enforceable undertaking to the OAIC to address the privacy incident
Damages Award:
$3,500 for non-economic loss
‘IV’ and ‘IW’ [2016] AICmr 41
Date of Decision: 27 June 2016
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
The complainant’s medical diagnosis of ‘delusional depression’
Privacy Breach:
Breach of APP 6.1 and 10.2 by disclosing complainant’s personal information to six (6) individual third parties
The respondent was a medical doctor who disclosed the information by email to six individual third parties. The complainant was also a recipient of the email.
Damages Award:
$10,000 for non-economic loss
The Privacy Commissioner had regard to the following factors when determining the amount of non-economic loss to award:
- The sensitive nature of the personal information that was disclosed
- The fact that as a patient of the respondent’s, the complainant was in a position of vulnerability
- The fact that the disclosure was made to six third parties
- The responsibility of the respondent as a medical professional to have a sound understanding of his privacy obligations
‘IR’ and NRMA Insurance, Insurance Australia Limited [2016] AICmr 37
Date of Decision: 27 June 2016
Heard By: Australian Privacy Commissioner, Timothy Pilgrim
Type of Personal Information Disclosed:
Details of the insurance policies held by the complainant with NRMA Insurance, which included the following information:
- Policy types
- Policy numbers
- Details of the complainant’s car make, model, year and registration number
- The complainant’s full property address
Privacy Breach:
NRMA had breached APP 6 and 11 by disclosing the complainant’s personal information to a third party, which was a person with whom the complainant shared one home building insurance policy.
Damages Award:
$3,000 for non-economic loss
The complainant claimed that she suffered distress and anxiety as a result of the disclosure. However, the Privacy Commissioner considered that financial information may be regarded as ‘more sensitive’ than other information, that the disclosure was overtly made to a known party and that, as such, a modest amount of damages should be awarded.
Authored by Katarina Klaric and Emma Contebardo
© Stephens Lawyers & Consultants. December 2018.
This update is not intended to be a substitute for obtaining legal advice.
For further information contact:
Katarina Klaric
Principal
Stephens Lawyers & Consultants
Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
Email: [email protected]
Website: www.stephens.com.au
All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007
[i] Marriott International, Original notice of Starwood Guest Reservation Database Security Incident issued by Marriott International on 30 November 2018 and updated on 4 January 2019 https://answers.kroll.com/?gclid=CNimmt284t8CFY3S1AodI3YNVQ&gclsrc=ds
[ii] Bell and Claffy v Marriott International, Inc. Case 8:18-cv-03684-PX (30 November 2018), https://www.scribd.com/document/394570724/Complaint-Against-Marriott-by-Morgan-Morgan#from_embed?campaign=SkimbitLtd&ad_group=88665X1541752X324bd36c0c01054ac57da6966c6a3c39&keyword=660149026&source=hp_affiliate&medium=affiliate.
[iii] Privacy Act 1988 (Cth), s 36.
[iv] Privacy Act 1988 (Cth), s 40(1).
[v] Privacy Act 1988 (Cth), s 52(1) and 52(1A).
[vi] OAIC Determinations webpage https://www.oaic.gov.au/privacy-law/determinations/
[vii] Privacy Act 1988 (Cth), s 6 and s 80W; See Crimes Act 1914 (Cth) s 4AA for the amount of a penalty unit.
[viii] Privacy Act 1988 (Cth), ss 25-25A.