Cyber security, privacy and data protection – Implications for directors’ duties you need to know

Malcolm Campbell ||

December 7, 2023

_{Co-authored by Olivia Camilleri}

Australian company directors are facing an increase in responsibilities as we transition further into the digital economy.

While developments in innovation and technological advances offer businesses lucrative opportunities to scale and thrive, the shift in the digital landscape has imposed additional obligations on company directors. Company directors are now responsible for managing cyber security and risk, and securing the increasing volume of confidential information collected from consumers online.

The Australian Government and regulators are currently reviewing the scope of directors’ duties concerning digital security, privacy and consumer matters. We expect directors’ duties to expand.

Cyber security, privacy and data protection is more critical than ever before. Directors must take steps to assess the risks relating to a breach of digital security, ensure measures are in place to protect it and incorporate ongoing cyber security assessment and management into the corporate governance framework.

So, what’s the bottom line for directors and cyber security?

Your enterprise management must include regular and ongoing consideration of cyber security. This includes risk-assessment and investment in the development and implementation of a resilient digital strategy:

Addressing cyber security and managing risk is a directors’ duty.
A failure to take action could result in directors being held personally liable for a breach of directors’ duties through civil litigation with consumers or failing to comply with current (and new) legislation. Consumers in the United States are taking civil actions against directors for alleged failure to take adequate steps to protect their confidential information. These civil actions are outside the scope of the liability caps consumer contracts may otherwise seek to impose.
Directors of listed companies must consider cyber breaches (and risks) in any prospectus issue and as part of their periodic and continuous disclosure obligations.
The Australian Securities and Investments Commission (ASIC) has indicated its willingness to prosecute companies that fail to implement cyber security measures. In RI Advice Group Pty Ltd, ASIC alleged that RI Advice Group failed to implement adequate policies, systems and resources which were reasonably appropriate to manage risk related to cyber security and cyber resilience. This action doesn’t directly involve directors but is an indication that ASIC is taking cyber breaches seriously. On 5 May 2022, the Federal Court handed down its landmark decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. The decision confirmed that management of cyber security risk and cyber resilience is critical. Australian corporations should review their cyber security measures regularly and follow advice of the Australian Cyber Security Centre.
In 2015, ASIC confirmed cyber security falls within directors’ duties and identified cyber security and resilience as high-risk areas for enterprise, warning it would be the subject of future review. Read the ‘Cyber resilience: Health check’ report.
A mandatory review of directors’ duties is included in Australia’s Cyber Security Strategy 2020 (the Strategy). Item 36 of the Strategy forewarns legislative changes prescribing a minimum cyber security baseline across the economy, including:
- Privacy
- Consumer and data protection laws
- Duties for company directors.

In recent years, the Australian Government has developed the 2023-2030 Australian Cyber Security Strategy which seeks to:
- Increase cyber protection in Australia
- Ensure government systems have a robust cyber-secure infrastructure
- Develop independent strategies to manage cyber threats and attacks
- Enhance Australia’s international efforts
- Provide further education and training to equip cyber workforces with the necessary skills to combat cyberattacks.

The Minister of Home Affairs, Hon Clare O’Neil, has appointed an Expert Advisory Board to oversee and ensure the objectives of the strategy are being met.

Significantly, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) was enacted as an amendment to the Security of Critical Infrastructure Act 2018 in accordance with the Security Legislation Amendment (Critical Infrastructure) Bill 2021. The SLACIP Act introduced an obligation on entities to establish a risk management program to enhance the security of critical infrastructure within entities internal operations. In addition, the amendment imposes a stricter enforcement of measures to protect systems of national significance by obliging operators to enhance security measures.

Directors’ duties and cyber security – where to start

Now is the time to take action and invest in resources to protect the digital integrity of the company. Ensure cyber security, privacy and data protection is part of your risk assessment and corporate governance processes and mitigate the risk of personal liability for breach of directors’ duties.

Here’s a general overview of what to do:

Include cyber security within the broader enterprise risk assessment protocol

Identify, assess and document
Address foreseeable risks immediately
Isolate critical company assets, implement cyber security resilience protection and ensure regular testing and reporting
Engage a cyber security expert who can provide ongoing education and best practice advice to directors or the board
Introduce cyber security updates at every board meeting, including any emerging risks

Request and oversee the enterprise

Invest in strengthening security, software and hardware fundamentals

A policy of strong and regular password changes
Enforce multi-factor authentication
Ensure operating systems and software is genuine and up to date
Use only the tools you need to reduce risk
Prioritise best-of-suite tools to optimise your risk coverage

Invest in a cyber security team

Develop a cyber security protocol including a breach response plan that includes directors, customers, stakeholders and staff
Invest in training and skills development for IT professionals and any other employees involved in cyber security risk management and monitoring
Create a program for regular checks and updates
Report all cyber incidents via the protocol regardless of severity or perceived significance

The key takeaway

Directors are responsible for creating and maintaining cyber resilient enterprises, and failing to do so brings the hefty whack of potential personal liability.

To discuss how best to meet your cyber security obligations as a company director, please contact Coleman Greig’s Commercial Advice team.

Authors

Malcolm Campbell

PHONE +61 2 9895 9357

Email Malcolm

TAGS:
Cyber Security, Data Protection, DIRECTORS' DUTIES

Send an enquiry

First name

Surname

Phone number

Email address

Message

Which area of law are you enquiring about?

Preferred office location

How did you hear about us?

Any personal information you provide is collected pursuant to our Privacy Policy.

Author

Employers should exercise caution when dismissing during probationary period

November 12, 2024

Can you dismiss an employee during the probationary period? Yes, but a recent case is a lesson in caution. The recent Federal Court decision of ‘Dabboussy v Australian Federation of Islamic Councils’ is a warning to employers to consider the importance of timing if dismissing an employee during probation.

The business impacts from the Government’s new cyber security laws

November 7, 2024

Cybercrime ‘is a multibillion-dollar industry that threatens the wellbeing and security of every Australian’. In an effort to combat the impact on businesses and individuals, the Australian Government has introduced cyber security legislative reforms into the Parliament.

Will the Right to Disconnect laws fix Autsralia’s excessive work culture?

November 4, 2024

Contrary to the stereotype of the laidback, sun-kissed Aussie, we’re actually a nation of workaholics. In this article, our Employment Law specialist, Senior Associate Victoria Quayle discusses whether the new Right to Disconnect laws will fix Australia’s excessive work culture.

A guide to intrafamily adoption

October 22, 2024

Adoption is the process where a parent’s legal rights for their child are transferred to another person. The formal adoption of a stepchild or close relative is known as intrafamily adoption.

Passenger movement and visa data-matching by the ATO

October 17, 2024

Heading overseas for work or a holiday? Taxation issues, including tax residency, should be on front of mind when departing from or arriving to Australia. Why? Because the Australian Taxation Office (ATO) can follow your footprints and, if you’re not careful, spring unexpected taxes on you.

Is it really necessary for my executor to have so many powers?

October 14, 2024

People often question why the executor of their estate needs to have so many powers. Simply put – if your executor isn’t given any additional powers by your Will, then they are limited to what is set out in the Trustee Act. One area that this can lead to issues in, is the family home – particularly if beneficiaries aren’t in agreement.

Essential terms of a commercial lease

October 9, 2024

A commercial lease is a contract that details the rights and obligations of a tenant and landlord. So, what are the necessary terms of a commercial lease?

Responding to data breaches

October 8, 2024

In the final part of our four-part series on your business’ responsibilities related to cyber attacks and data breaches, Special Counsel John Bennett how businesses should respond to data breaches, including application and requirements of the Notifiable Data Breaches Scheme.

Security of personal information

September 30, 2024

Part 3 of a four-part series on your business’ responsibilities related to cyber attacks and data breaches where Special Counsel, John Bennett provides an overview of some court decisions and proceedings where ‘security’ of personal information has come into issue.

Parental alienation in Family Law

September 26, 2024

The concept, Parental Alienation Syndrome, was initially brought about by American psychiatrist Richard Gardner in 1985. The term parental alienation is used to describe a situation where one parent is involved in psychologically manipulating their child to turn against the other parent.

Businesses must only collect personal information when reasonably necessary

September 23, 2024

Part 2 of a four-part series on your business’ responsibilities related to cyber attacks and data breaches

Are you liable for labour hire workers if they are injured?

September 16, 2024

Many employers (host employers) engage employees of labour hire companies, particularly in the building and construction, hospitality and manufacturing industries. However, what happens when one of these employees gets injured at the host employer’s work site? Who is liable for the injuries?

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.