Thousands of Australian students, teachers and education providers have been affected by the recent Canvas cyber attack, raising serious questions about privacy rights and compensation claims under Australian law.
The breach, involving the cloud-based learning platform Canvas developed by Instructure, reportedly exposed personal information including names, email addresses, student ID numbers and messages between users. Universities, TAFEs and public schools across Australia have confirmed they are investigating the impact.
While investigations are ongoing, many affected individuals may be wondering whether they can claim compensation if their personal information has been compromised.
What happened in the Canvas data breach?
According to reporting by ABC News, the cyber incident affected educational institutions globally, including Australian universities and state schools in Queensland, Tasmania and New South Wales. The compromised information is understood to include:
- Names
- Email addresses
- Student ID numbers
- Messages between users
This constitutes “Personal Information” for the purposes of the Privacy Act 1988 (Cth).
Can you claim compensation for a privacy breach in Australia?
Potentially, yes.
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), organisations that hold personal information must take reasonable steps to protect that information from misuse, interference, loss, unauthorised access, modification or disclosure.
If an organisation fails to comply with those obligations, affected individuals may be entitled to compensation if a complaint to the Office of the Australian Information Commissioner (OAIC) would be upheld.
Compensation may be available for:
- Emotional distress
- Anxiety or humiliation
- Psychological harm
- Financial loss
- Costs associated with responding to the breach
Importantly, legal costs and other economic losses may also be recoverable in some circumstances.
How much compensation is available?
Compensation awards for privacy breaches in Australia have historically been modest, but recent OAIC determinations provide guidance on the amounts that may be awarded.
A key authority is “WP” and Secretary, Department of Home Affairs [2021] AICmr 2, which established indicative categories for non-economic loss resulting from data breaches.
According to analysis published by Clayton Utz, the OAIC has awarded compensation ranging from:
- $500 to $4,000 for general anxiety or embarrassment
- $4,001 to $8,000 for moderate distress with minor symptoms
- $8,001 to $12,000 for significant or prolonged distress
- $12,001 to $20,000 where mental health treatment was required
- More than $20,000 in extreme cases
Subsequent OAIC decisions involving Services Australia and Amazon Australia have generally followed those categories when assessing compensation for privacy breaches.
What would affected students need to prove?
Not every person affected by a data breach will automatically receive compensation.
Generally, a claimant would need to show:
- Their personal information was improperly disclosed or accessed;
- The organisation breached its obligations under the Privacy Act; and
- They suffered loss or damage as a result.
Evidence of distress, counselling, medical treatment, financial loss or other consequences may strengthen a claim.
What this means for education providers
The Canvas incident is another reminder that schools, universities and technology providers face increasing legal and reputational risks following cyber attacks.
Educational institutions often hold highly sensitive information relating to minors, vulnerable persons and internal communications. A failure to adequately protect that information may expose organisations to regulatory investigations, compensation claims and significant reputational damage.
What should affected individuals do now?
If you believe your information may have been compromised:
- Monitor your email accounts for phishing attempts;
- Be cautious of unsolicited messages or phone calls;
- Change passwords where appropriate;
- Keep records of any financial loss or emotional distress; and
- Obtain legal advice if you believe you have suffered harm as a result of the breach.
As further details emerge about the Canvas incident, affected individuals and institutions alike should closely monitor developments.
We can help with your data breach claim
Our litigation team can assist individuals and organisations affected by data breaches, including:
- Advising on rights under the Privacy Act 1988 (Cth);
- Assessing whether compensation may be available;
- Preparing and lodging complaints with the Office of the Australian Information Commissioner (OAIC); and
- Assisting with claims for emotional distress, financial loss and related damages.
If you believe your personal information may have been compromised as a result of the Canvas data breach or any other incident, our team can assist you in understanding your legal position and available options.
Sources:
- ABC News – Canvas data breach leaves education providers scrambling as student data compromised
- “WP” and Secretary, Department of Home Affairs [2021] AICmr 2