Data Breach Class Actions

Over the course of 2024, the two data breach class actions (against Medibank and Optus) moved along slowly. Those proceedings, which we touched on in our 2023 Class Actions Wrap, were commenced by customers whose data was compromised in the cyber-attacks against each company that took place in 2022.

These actions are interesting for a number of reasons, including the fact that they are the first of their kind but also because both companies are facing a barrage of legal proceedings related to the data breaches, including:

  • Medibank’s bid to obtain an injunction restraining the Australian Information Commissioner (OAIC) from continuing its investigation until after the class action was resolved, which was dismissed in February,[1]
  • Civil penalty proceedings against Medibank, which were filed by the OAIC in June alleging breaches of the Privacy Act as a result of the data breach, and
  • Federal Court proceedings filed by the Australian Communications and Media Authority against Optus, alleging Optus failed to protect the confidentiality of its customers’ personal information from unauthorised interference or unauthorised access.

Partner Nicole Gabryk and special counsel Gavin Davies explore 'what's next' after the Medibank and Optus data breaches in a Trend Watch video above. They also previously provided an overview of the Optus and Medibank matters, and discussed privilege claims arising out of the data breaches in 2021-2022.

In the two class actions, it was privilege debates that took centre stage, with both Optus and Medibank facing challenges to privilege claims over forensic reports commissioned in the aftermath of the cyber-attacks. The issues at play in the privilege claims are largely the same, although they are at different stages:

  1. Optus: the challenge application was first heard in late 2023. Optus lost at first instance and then, early in 2024, lost again on appeal to the Full Federal Court.
  2. Medibank: the application was heard in June last year and judgment is still pending.

In both matters, many of the usual privilege protections were in place. For example, the forensic reports (which were prepared by Deloitte in both cases) had been commissioned by external lawyers, and there were communications protocols in place, which were signed by those who were “in the tent”.

However, around the same time as the lawyers were instructing Deloitte, the CEOs were making public statements about the forensic reviews. In Optus’s case, this included statements like: “[t]his review will help ensure we understand how it occurred and how we can prevent it from occurring again”.

The difficulty with the CEO’s comments is that they opened the door for group members to argue that the dominant purpose of the reports was not to assist with the provision of legal advice or for use in litigation (as is required to demonstrate a legitimate claim for legal professional privilege).

Optus resisted the application on the basis that there were multiple purposes, including those apparent from the press releases, but that the dominant purpose was indeed legal. In finding against Optus, one of the Court's major criticisms was that Optus did not provide any evidence from the CEO who had made the problematic comments and who the Court noted was the “driving mind and will of the company”. In view of those comments and the dearth of evidence from the CEO who made them, Optus was unable to establish the requisite dominant purpose and was ordered to hand over the reports.

In the Medibank case, Medibank (no doubt alive to the criticisms of Optus) did provide evidence from its CEO, and it’s fair to say he faced some direct and challenging cross-examination. It will be very interesting to see what, if any, difference this evidence makes to the Court’s decision.

[1] See our summary of the decision here

© 2025 WOTTON KEARNEY