A class action against Optus could easily be Australia's biggest: here's what is involved

With the Optus data breach exposing almost 10 million current and former customers to identity theft, law firms are circling for what could end up being the biggest – and most valuable – class action case in Australian legal history.

A settlement could well be worth billions, eclipsing the current record of $494 million^[1] paid to 10,000 victims of Victoria’s 2009 Black Saturday bushfires.

Two class-action specialists, Maurice Blackburn^[2] and Slater & Gordon^[3], are considering suing, and it’s possible others will follow. (Maurice Blackburn also has another case against Optus on its books over a 2019 data breach involving 50,000 customers.)

To proceed they’ll need to sign up at least seven people – one of whom acts as the “representative” or lead plaintiff. This shouldn’t be hard. They’ll then need to file a statement of claim for financial, economic or other loss.

Multiple class actions are possible if those claims pursue different issues. Or the firms could work together, as they have in the past.

Things to know about class actions

There have been about 700 class actions in Australia in the past 30 years. Class actions can be pursued through state or federal courts. Most go to the Federal Court, which has been empowered to hear class actions since 1992.

Less than 5%^[4] of Federal Court actions have progressed to a judgement. About 60% have ended in a court-approved settlement, with the balance dismissed or discontinued.

The most common type of class action is by shareholders for loss of earnings. These account for about a third of Federal Court class actions.

The biggest shareholder settlement so far is $200 million, paid by Centro Property Group to almost 6,000 shareholders in 2012 over misleading and deceptive conduct by Centro’s board. This followed the Australian Securities and Investments Commission successfully prosecuting^[5] Centro (also in the Federal Court).

Class actions account for less than 1% of claims lodged with the Federal Court, but their scale and complexity means they take a disproportionate amount of court time, as well as media attention.

Because of their cost, many class actions are funded by third parties as a type of business venture. This enables the law firms running the action to sign up plaintiffs on a “no win, no fee”. The litigation funder then takes a share of the settlement (as does the law firm for its legal fees).

Read more: Regulations needed for litigation funders who can't pay out when cases fail^[6]

According to Australian Law Reform Commission^[7] data for settled cases, the median percentage of any settlement going to plaintiffs is 57%, with law firms taking 17% and funders taking 22%.

What would a class action against Optus involve?

Based on what is currently known, there are two main ways a class action (or class actions) could proceed against Optus.

First, it could argue negligence, with the scope of liability outlined in state or territory legislation. Second, it could argue breach of privacy, in contravention of the federal Privacy Act^[8], in the Federal Court.

To succeed in negligence, a court would have to find Optus had a duty of care to its customers to protect their personal information, that it breached its duty, and that customers suffered damage or loss.

Read more: How not to tell customers their data is at risk: the perils of the Optus approach^[9]

To succeed on a breach of privacy, the Federal Court would have to find that personal information held by Optus was subject to unauthorised access or disclosure, or lost, and that the company failed to comply with the “privacy principles” enshrined in the Privacy Act.

Read more: Optus says it needed to keep identity data for six years. But did it really?^[10]

A second basis for a class action in the Federal Court could be to argue a breach of the Telecommunications Act^[11]. This legislation says carriers and carriage service providers “must to do their best” to protect telecommunications networks and facilities from unauthorised interference or unauthorised access.

What are the precedents?

The closest precedent in Australia to a successful class action for a mass breach of privacy is a 2019 case in the NSW Supreme court. This involved a claim by 108 NSW ambulance service employees against the NSW Health Department.

The employees, represented by the firm Centennial Lawyers^[12], had their personnel files sold to a personal injury law firm by a contractor (who was convicted of unlawfully disclosing information and carried out community service for the crime).

The court ordered NSW Health to pay the sum of $275,000 in compensation^[13]) – $10,000 for the lead plaintiff and about $2,400 for the others.

How much could the Optus case be worth?

Given the Optus data leak is established, there’s a strong basis to believe a class action would be successful.

If so, a court could award compensatory damages for the time and cost of replacing identification documents, as well as exemplary (or punitive) damages, to send a message to corporations handling citizens’ private information.

In determining damages, a court will take into account what efforts Optus has made to remedy the leak, mitigate the potential impact on those affected and pay for the costs of replacing drivers’ licences, Medicare cards or passports.

Though the economic loss per customer may be relatively small, multiplied by the potential class-action pool size – up to 10 million plaintiffs – compensatory damages could easily be billions of dollars, even without exemplary damages.

That makes this a hugely attractive prospect for a law firm or class-action funder.

References

1. ^{^} $494 million (www.abc.net.au)
2. ^{^} Maurice Blackburn (www.lawyersweekly.com.au)
3. ^{^} Slater & Gordon (www.slatergordon.com.au)
4. ^{^} than 5% (www.alrc.gov.au)
5. ^{^} successfully prosecuting (www.smh.com.au)
6. ^{^} Regulations needed for litigation funders who can't pay out when cases fail (theconversation.com)
7. ^{^} Australian Law Reform Commission (www.alrc.gov.au)
8. ^{^} Privacy Act (www.legislation.gov.au)
9. ^{^} How not to tell customers their data is at risk: the perils of the Optus approach (theconversation.com)
10. ^{^} Optus says it needed to keep identity data for six years. But did it really? (theconversation.com)
11. ^{^} Telecommunications Act (www.legislation.gov.au)
12. ^{^} Centennial Lawyers (www.centenniallawyers.com.au)
13. ^{^} $275,000 in compensation (www8.austlii.edu.au.ezproxy.newcastle.edu.au)