Cyber Security

Cyber security, privacy and data protection – Implications for directors’ duties you need to know

Malcolm Campbell

Co-authored by Olivia Camilleri

Australian company directors are facing an increase in responsibilities as we transition further into the digital economy.

While developments in innovation and technological advances offer businesses lucrative opportunities to scale and thrive, the shift in the digital landscape has imposed additional obligations on company directors. Company directors are now responsible for managing cyber security and risk, and securing the increasing volume of confidential information collected from consumers online.

The Australian Government and regulators are currently reviewing the scope of directors’ duties concerning digital security, privacy and consumer matters. We expect directors’ duties to expand.

Cyber security, privacy and data protection are more critical than ever before. Directors must take steps to assess the risks of a breach of digital security, ensure measures are in place to protect the company’s systems and data, and incorporate ongoing cyber security assessment and management into the corporate governance framework.

So, what’s the bottom line for directors and cyber security?

Your enterprise management must include regular and ongoing consideration of cyber security. This includes risk assessment and investment in the development and implementation of a resilient digital strategy:

  • Addressing cyber security and managing risk is a directors’ duty.
  • A failure to take action could result in directors being held personally liable for a breach of directors’ duties, whether through civil litigation brought by consumers or for failing to comply with current (and new) legislation. Consumers in the United States are already taking civil actions against directors for alleged failure to take adequate steps to protect their confidential information. These civil actions fall outside the liability caps that consumer contracts may otherwise seek to impose.
  • Directors of listed companies must consider cyber breaches (and risks) in any prospectus issue and as part of their periodic and continuous disclosure obligations.
  • The Australian Securities and Investments Commission (ASIC) has indicated its willingness to prosecute companies that fail to implement cyber security measures. In RI Advice Group Pty Ltd, ASIC alleged that RI Advice Group failed to implement adequate policies, systems and resources which were reasonably appropriate to manage risk related to cyber security and cyber resilience. This action doesn’t directly involve directors but is an indication that ASIC is taking cyber breaches seriously. On 5 May 2022, the Federal Court handed down its landmark decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. The decision confirmed that management of cyber security risk and cyber resilience is critical. Australian corporations should review their cyber security measures regularly and follow advice of the Australian Cyber Security Centre.
  • In 2015, ASIC confirmed cyber security falls within directors’ duties and identified cyber security and resilience as high-risk areas for enterprise, warning it would be the subject of future review. Read the ‘Cyber resilience: Health check’ report.
  • A mandatory review of directors’ duties is included in Australia’s Cyber Security Strategy 2020 (the Strategy). Item 36 of the Strategy foreshadows legislative changes prescribing a minimum cyber security baseline across the economy, including:
    • Privacy
    • Consumer and data protection laws
    • Duties for company directors.
  • In recent years, the Australian Government has developed the 2023-2030 Australian Cyber Security Strategy which seeks to:
    • Increase cyber protection in Australia
    • Ensure government systems have a robust cyber-secure infrastructure
    • Develop independent strategies to manage cyber threats and attacks
    • Enhance Australia’s international efforts
    • Provide further education and training to equip cyber workforces with the necessary skills to combat cyberattacks.

The Minister of Home Affairs, Hon Clare O’Neil, has appointed an Expert Advisory Board to oversee and ensure the objectives of the strategy are being met.

Directors’ duties and cyber security – where to start

Now is the time to take action and invest in resources to protect the digital integrity of the company. Ensure cyber security, privacy and data protection are part of your risk assessment and corporate governance processes, and mitigate the risk of personal liability for breach of directors’ duties.

Here’s a general overview of what to do:

Include cyber security within the broader enterprise risk assessment protocol

  • Identify, assess and document
  • Address foreseeable risks immediately
  • Isolate critical company assets, implement cyber security resilience protection and ensure regular testing and reporting
  • Engage a cyber security expert who can provide ongoing education and best practice advice to directors or the board
  • Introduce cyber security updates at every board meeting, including any emerging risks

Request and oversee the enterprise

Invest in strengthening security, software and hardware fundamentals

  • A policy requiring strong passwords and regular password changes
  • Enforce multi-factor authentication
  • Ensure operating systems and software are genuine and up to date
  • Use only the tools you need, to reduce risk
  • Prioritise best-of-suite tools to optimise your risk coverage

Invest in a cyber security team

  • Develop a cyber security protocol, including a breach response plan that covers directors, customers, stakeholders and staff
  • Invest in training and skills development for IT professionals and any other employees involved in cyber security risk management and monitoring
  • Create a program for regular checks and updates
  • Report all cyber incidents via the protocol, regardless of severity or perceived significance

The key takeaway
The key takeaway

Directors are responsible for creating and maintaining cyber resilient enterprises, and failing to do so brings the hefty whack of potential personal liability.

To discuss how best to meet your cyber security obligations as a company director, please contact Coleman Greig’s Commercial Advice team.

© 2024 Coleman Greig Lawyers  |  Liability limited by a scheme approved under Professional Standards Legislation. ABN 73 125 176 230