Australia faces lawsuits over asylum seeker data breach

The Australian Government is facing a series of court battles after accidentally disclosing the personal details of almost 10,000 asylum seekers last month.

The Department of Immigration and Border Protection (DIPB) admitted to inadvertently leaking the personal details of the asylum seekers via its website in mid-February.

The leaked database contained the full names, nationalities and boat arrival dates and information of all individuals held on a mainland detention facility and on Christmas Island.

Australia's Immigration Minister Scott Morrison has said the information was never intended to be in the public domain, and the department has taken steps to mitigate the breach, which were for the most part futile. The breach is currently being investigated by the Privacy Commissioner as well as audit firm KPMG.

The leak, which Opposition immigration spokesman Richard Marles described as “one of the most significant breaches of privacy in Australia’s history”, is now the subject of multiple lawsuits by affected asylum seekers, who claim they are now more vulnerable to persecution in their country of origin.

As first reported by The Guardian, asylum seekers in NSW, WA and the Northern Territory currently awaiting deportation by the Immigration department have appealed for automatic protection in some 90 individual applications.

The appeals argue that an individual seeking asylum should be free to make claims for protection without their identity and personal details being disclosed to authorities in other countries, according to The Guardian. A directions hearing is scheduled for March 19 in NSW. 

Lawsuits are common in the aftermath of major data breaches.

A wave of lawsuits broke out across the United States seeking restitution over the 40 million credit and debit card and 70 million customer records stolen from Target shoppers following a security breach at the US retail giant late last year.

The breach occurred after a third party contractor was caught out by a phishing email carrying a popular bot. The theft also resulted in the departure of Target’s US CIO. 

Another US retailer, Neiman Marcus, suffered a similar data breach in early January 2014, revealing an “undisclosed” number of payment card details may have been stolen.

A resulting class action lawsuit alleged that damages resulting from the breach exceeded $5 million. 

Adobe also faced a class action lawsuit over the October 2013 exposure of the credit card data of three million of its customers and the logins and passwords of 38 million users.

The lawsuit was filed in November last year and claimed Adobe had failed to use industry best practices for its security, contrary to what it promised in its privacy policy. 

Morrison still the final port of call

Successful court action by the asylum seekers is unlikely to result in the granting of automatic protection, with the power to grant visas lying solely with Australia's Immigration Minister.

Gilbert + Tobin lawyer Peter Leonard told ITnews the Federal Court does not have the power to direct Morrison to grant automatic protection, only that the discretion should be exercised again due to the extenuating circumstances. 

“The courts can’t tell the Minister how to act, but it can say ‘this is different from when you did act, so you should make your decision again’. And that’s not uncommon for the courts as part of administrative law,” Leonard said.

“At the heart of it what [the asylum seekers] are saying is the breach has created a real and present possibility of harm  that these asylum seekers might not have had before, and that danger should be taken into account in the reviewing of their asylum status.”

IT lawyer Kay Lam-MacLeod from IdeaLaw told ITnews the courts would be looking at whether the Government took reasonable steps to protect the data and what security it had in place when making its decision.

But she said the applicants may face difficulty in proving the Government was liable as a result of the breach. 

She said in the normal cause of negligence, plaintiffs would have to prove a business failed to take reasonable precautions, then prove they had suffered damage as a result. 

“Generally if they were going to try and succeed in a case for negligence and prove damages, they’d have a bit of trouble trying to prove they suffered damage because the damage may not yet be apparent,” she said.

“And they may have trouble tying damages back to causation - just because it was available on the internet for a period of time, it doesn’t mean their home country regimes they are fleeing from actually accessed the information.”

In the private sector, efforts to pursue two international companies for damages over large-scale data breaches failed after the plaintiffs were unable to prove intentional conduct and actual damages.

Sony was hit with a giant class-action lawsuit following the 2011 attack on its PlayStation Network and Qriocity on-demand entertainment service, which revealed the user addresses, emails, usernames, birth dates and other credentials of 77 million users.

But while the plaintiffs claimed negligence on the part of Sony, the class action was largely dismissed after the judge found the case failed to prove willful, intentional or reckless conduct on the part of Sony. 

A June 2012 data breach at LinkedIn disclosed the passwords of 6.5 million users, some of which filed a $5 million class action lawsuit.

That lawsuit was dismissed before even getting to trial after a US judge ruled that damage done to users was abstract and not actual.