Cyber security, privacy and data protection – Implications for directors’ duties you need to know

Katie Akpinar

Co-authored by Olivia Camilleri

Australian company directors are facing an increase in responsibilities as we transition further into the digital economy.

While developments in innovation and technological advances offer businesses lucrative opportunities to scale and thrive, the shift in the digital landscape has imposed additional obligations on company directors. Company directors are now responsible for managing cyber security and risk, and securing the increasing volume of confidential information collected from consumers online.

The Australian Government and regulators are currently reviewing the scope of directors’ duties concerning digital security, privacy and consumer matters. We expect directors’ duties to expand.

Cyber security, privacy and data protection are more critical than ever before. Directors must take steps to assess the risks relating to a breach of digital security, ensure measures are in place to protect the company’s systems and information, and incorporate ongoing cyber security assessment and management into the corporate governance framework.

So, what’s the bottom line for directors and cyber security?

Your enterprise management must include regular and ongoing consideration of cyber security. This includes risk assessment and investment in the development and implementation of a resilient digital strategy:

  • Addressing cyber security and managing risk is a director’s duty.
  • A failure to take action could result in directors being held personally liable for a breach of directors’ duties, whether through civil litigation brought by consumers or for failing to comply with current (and new) legislation. Consumers in the United States are taking civil actions against directors for alleged failure to take adequate steps to protect their confidential information. These civil actions are outside the scope of the liability caps consumer contracts may otherwise seek to impose.
  • Directors of listed companies must consider cyber breaches (and risks) in any prospectus issue and as part of their periodic and continuous disclosure obligations.
  • The Australian Securities and Investments Commission (ASIC) has indicated its willingness to prosecute companies that fail to implement cyber security measures. In RI Advice Group Pty Ltd, ASIC alleged that RI Advice Group failed to implement adequate policies, systems and resources which were reasonably appropriate to manage risk related to cyber security and cyber resilience. This action doesn’t directly involve directors but is an indication that ASIC is taking cyber breaches seriously. On 5 May 2022, the Federal Court handed down its landmark decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. The decision confirmed that management of cyber security risk and cyber resilience is critical. Australian corporations should review their cyber security measures regularly and follow the advice of the Australian Cyber Security Centre.
  • In 2015, ASIC confirmed cyber security falls within directors’ duties and identified cyber security and resilience as high-risk areas for enterprise, warning it would be the subject of future review. Read the ‘Cyber resilience: Health check’ report.
  • A mandatory review of directors’ duties is included in Australia’s Cyber Security Strategy 2020 (the Strategy). Item 36 of the Strategy foreshadows legislative changes prescribing a minimum cyber security baseline across the economy, including:
    • Privacy
    • Consumer and data protection laws
    • Duties for company directors.
  • In recent years, the Australian Government has developed the 2023-2030 Australian Cyber Security Strategy which seeks to:
    • Increase cyber protection in Australia
    • Ensure government systems have a robust cyber-secure infrastructure
    • Develop independent strategies to manage cyber threats and attacks
    • Enhance Australia’s international efforts
    • Provide further education and training to equip cyber workforces with the necessary skills to combat cyberattacks.

The Minister for Home Affairs, Hon Clare O’Neil, has appointed an Expert Advisory Board to oversee and ensure the objectives of the strategy are being met.

Directors’ duties and cyber security – where to start

Now is the time to take action and invest in resources to protect the digital integrity of the company. Ensure cyber security, privacy and data protection are part of your risk assessment and corporate governance processes, and mitigate the risk of personal liability for breach of directors’ duties.

Here’s a general overview of what to do:

Include cyber security within the broader enterprise risk assessment protocol

  • Identify, assess and document
  • Address foreseeable risks immediately
  • Isolate critical company assets, implement cyber security resilience protection and ensure regular testing and reporting
  • Engage a cyber security expert who can provide ongoing education and best practice advice to directors or the board
  • Introduce cyber security updates at every board meeting, including any emerging risks

Request and oversee the enterprise

Invest in strengthening security, software and hardware fundamentals

  • Enforce a policy of strong passwords and regular password changes
  • Enforce multi-factor authentication
  • Ensure operating systems and software are genuine and up to date
  • Use only the tools you need to reduce risk
  • Prioritise best-of-suite tools to optimise your risk coverage

Invest in a cyber security team

  • Develop a cyber security protocol including a breach response plan that includes directors, customers, stakeholders and staff
  • Invest in training and skills development for IT professionals and any other employees involved in cyber security risk management and monitoring
  • Create a program for regular checks and updates
  • Report all cyber incidents via the protocol regardless of severity or perceived significance

The key takeaway

Directors are responsible for creating and maintaining cyber resilient enterprises, and failing to do so brings the hefty whack of potential personal liability.

To discuss how best to meet your cyber security obligations as a company director, please contact Coleman Greig’s Commercial Advice team.

© 2024 Coleman Greig Lawyers   |  Liability limited by a scheme approved under Professional Standards Legislation. ABN 73 125 176 230