Most torts in Australia are regulated by the common law, although some are subject to state or territory legislative regimes (e.g. defamation). Negligence is the most litigated and most complex tort in Australia and its principles are contained in both case law and civil liability legislation.
Background
The tort of negligence may occur if and when a person (e.g. an incorporated business) owes another person (e.g. customer) a duty of care in handling their personal information or data, that duty is breached in the event of a cyber security incident, and the breach causes the second person harm or loss.
As of January 2020, there has not been a successful cyber security-related class action in Australia. However, data breach class actions overseas (e.g. Target, Yahoo, Home Depot, Wendy’s, AvMed and Anthem) may provide guidance on how proceedings may unfold in Australia.
Negligence is the failure to take reasonable steps to prevent foreseeable risks of harm to another entity, and may include either acts or omissions. The key elements are:
Defendant owes the plaintiff a duty of care.
Defendant’s conduct breaches the duty owed to the plaintiff by not meeting the requisite duty of care (‘fault’ element, judged according to a reasonableness standard).
Breach actually caused the harm, in that it is reasonably foreseeable and not too remote (that is, it must be within the scope of the defendant’s liability).
No defences are available (however, damages will be reduced if contributory negligence is satisfied).
Duty of care
A duty of care exists where it is reasonably foreseeable that the decisions of the defendant may cause harm or damage to the plaintiff. A duty of care must automatically be provided where there is a commercial relationship or undertaking between the parties (such as via contract) and an undertaking by the defendant to act for the plaintiff.
The requirements of a duty of care for corporations are usually industry specific (such as the financial services industry) or data specific (such as personal information). Obligations are often found in four main areas:
Federal and state laws and regulations
Government policies and enforcement actions
Common law fiduciary duties
Common law obligations, such as an implied duty to provide ‘reasonable care’
A person may be negligent if they fail to safeguard personal data in circumstances where that data would then be vulnerable to cyber-attack. If a person suffers actual loss due to a data breach caused by negligence, they may also have a claim for breach of contract, a claim under the Australian Consumer Law, or an equitable claim for breach of confidence.
Breach of duty of care
Sections 5B and 5C of the Civil Liability Act 2002 (NSW) provide that a person is negligent if their conduct falls below the standard of reasonable care. For instance, a person who gives financial advice to a client must exercise reasonable care in the provision of the advice: Australian Securities and Investments Commission v Dover Financial Advisers Pty Ltd [2019] FCA 1932.
Other states and territories have equivalent legislation - see, for example, Wrongs Act 1958 (Vic).
Causation
Section 5D of the Civil Liability Act 2002 (NSW) outlines general principles associated with causation and section 5E explicates the requisite onus of proof.
Under common law, a value judgment of common sense and policy considerations must operate in addition to a strict ‘but for’ test: March v E & MH Stramare Pty Ltd [1991] HCA 12; (1991) 171 CLR 506.
An intervening act (‘novus actus interveniens’) occurs where a circumstance or event breaks the chain of causation so that the original perpetrator of the act is no longer liable. Haber v Walker [1963] VR 339 clarifies that an intervening act must be either a voluntary human action or a causally independent event which is so unforeseeable that it is essentially a coincidence.
In a situation of multiple sufficient causes, all negligent defendants incur concurrent liability.
In a situation of successive causes, the defendant is only liable for events that stem from the original tortious event and not natural events that would have occurred otherwise.
Remoteness
Section 5D of the Civil Liability Act 2002 (NSW) provides that damages are too remote when harm or loss experienced by the plaintiff was not ‘reasonably foreseeable’ by the defendant. A plaintiff cannot recover damages that are too remote.
Hughes v Lord Advocate [1963] UKHL 1; [1963] AC 837 acknowledges that foreseeability refers to the general type of injury rather than the way it occurred or the extent of harm suffered. This case established the eggshell skull rule, which provides that a defendant is liable for the damage caused even where the plaintiff’s unusual fragility means the damage is more substantial or less foreseeable than expected. This may be relevant if a cyber-attack is launched against especially vulnerable or weak computer systems.