Australian insurers have largely dodged one of the nastiest consequences of major cyber incidents: mass third‑party litigation. The grace period for these class actions may be about to end. When the Optus and Medibank Private data breach class actions reach trial they could answer a set of questions that go directly to insurers’ balance sheets: how courts will treat negligence in data breaches at scale, how much forensic evidence will be exposed to plaintiffs and how easily future claimant firms can follow in their wake. For brokers and underwriters, the key will be what these cases signal about where Australian cyber risk is heading.
The trial dates are more than a year away, but significant developments have already taken place in the interlocutory fights over whether Optus and Medibank could keep the forensic investigation reports into their cyberattacks secret.
In both cases, the companies appointed external forensic investigators to examine the incident, its cause and scope – exactly what most insureds now do as a standard first response to a cyber event. They then argued those reports were protected by legal professional privilege because the investigators were engaged by their lawyers to assist with legal advice and contemplated litigation.
The courts disagreed.
“The court pointed out that if you want those reports to be privileged, they have to be produced solely for legal purposes, and that needs to be the understanding of everyone involved,” said Nicholas Blackmore, a partner at Kennedys specialising in cyber and data privacy law.
Optus and Medibank had also used the investigations as part of a broader public relations strategy – announcing, for example, that Deloitte had been appointed, and promising to share findings to help customers and other businesses. That public‑facing posture cut directly against any claim the reports were created solely for legal advice.
For insurers and brokers, the message is blunt. The common incident‑response playbook – forensic firm plus comms campaign – now carries a serious discovery risk.
“These cases set some clear rules about when a forensic report will and will not be privileged. It is a legal point, but it is an important one in the context of cyber incidents,” said Blackmore.
Once disclosed, those reports become an evidentiary roadmap for plaintiffs. They typically identify root causes, control failures and timelines – precisely what claimant firms need to craft negligence arguments about whether an insured’s security posture met the required standard of care.
“Having access to those reports makes it much easier for plaintiffs to pursue their claims,” said Blackmore.
Substantively, both class actions are framed in negligence. Plaintiffs will seek to prove duty of care, breach, causation and loss – but, crucially, they’ll be doing so against the backdrop of two of the largest breaches in Australian history, each affecting millions of customers.
If the plaintiffs succeed, the decisions will effectively codify a set of expectations around what “adequate” cyber security looks like for large, data‑rich organisations. That would do more than resolve two headline cases; it would give later claimants a template.
“If these cases succeed, I would not be surprised to see plaintiff law firms becoming much more active in bringing data breach class actions,” said Blackmore.
Scale is central. For individual victims, the immediate loss – replacement IDs, personal time spent remediating issues – typically doesn’t justify litigation. But at Optus and Medibank volumes, aggregated through a class action mechanism, the economics change completely.
That is why these are genuine test cases. A win for plaintiffs probably normalises the idea that any large Australian data breach will be followed by class action activity. A loss, conversely, could chill the emerging plaintiff appetite and buy the market more time.
Historically, Australian cyber insurers have written policies in a relatively benign litigation environment. There have been incidents, complaints and confidential settlements – but no successful large‑scale third‑party actions.
Cyber policies have still responded meaningfully, but mainly on the first‑party side: incident response, forensics, notification costs, PR, business interruption. Third‑party claims have been rare enough not to drive portfolio‑level pricing.
That might not hold if Optus and Medibank plaintiffs get up. Most cyber wordings in the market do respond to liability: they cover third‑party claims arising from a data breach, alongside the first‑party costs, even if there is variation between forms. If large class action damages – or even substantial settlements – become a predictable follow‑on from major incidents, that is a different risk universe.
“Previously, insurers have had the benefit that there has been very little litigation in Australia - almost none - in the wake of data breaches,” said Blackmore. “Yes, things could become much more expensive for insurers in Australia if these cases are successful.”
The combination of (a) courts forcing disclosure of forensic reports that expose root causes and control gaps, and (b) established negligence precedents in high‑profile cases, would likely make the plaintiff bar’s job far easier. That, in turn, pushes Australian cyber closer to the US model, where significant breaches are almost automatically followed by class actions.
The Optus and Medibank cases may not reach trial until 2027 and 2028. But from an insurance perspective, the signal has already been sent: the legal and evidentiary ground rules around major data breaches are shifting – and pricing, coverage negotiations and risk management conversations will need to shift with them.