Lawthentic Loop

Stay updated, stay in the loop

Cyber security, privacy and data protection – implications for directors’ duties you need to know

Author: Katie Akpinar, Principal Lawyer

9 March 2022 * Updated 18 May 2022

Ensure cyber security, privacy and data protection is part of your risk assessment and corporate governance processes and mitigate the risk of personal liability for breach of directors’ duties.

Australian company directors are facing an increase in responsibilities as enterprise transitions further into the digital economy.

While developments in innovation and technological advances offer businesses lucrative opportunities to scale and thrive, the shift in the digital landscape has imposed additional obligations on company directors, now responsible for managing cyber security and risk and securing the increasing volume of confidential information collected from consumers online.

The Australian government and regulators are currently reviewing the scope of directors’ duties concerning digital security, privacy and consumer matters. We expect directors’ duties to expand.

Cyber security, privacy and data protection are more critical than ever before. Directors must take steps to assess the risks of a breach of digital security, ensure measures are in place to protect against such a breach, and incorporate ongoing cyber security assessment and management into the corporate governance framework.

So, what’s the bottom line for directors and cyber security?

Your enterprise management must include regular and ongoing consideration of cyber security, including risk assessment and investment in the development and implementation of a resilient digital strategy.

  • Addressing cyber security and managing risk is a directors’ duty.
  • A failure to take action could result in directors being held personally liable for a breach of directors’ duties, whether through civil litigation with consumers or through failing to comply with current (and new) legislation. Consumers in the United States are taking civil actions against directors for alleged failure to take adequate steps to protect their confidential information. These civil actions are outside the scope of the liability caps that consumer contracts may otherwise seek to impose.
  • Directors of listed companies must consider cyber breaches (and risks) in any prospectus issue and as part of their periodic and continuous disclosure obligations.
  • The Australian Securities and Investments Commission (ASIC) has indicated its willingness to prosecute companies that fail to implement cyber security measures. One to watch is RI Advice Group Pty Ltd, where ASIC alleges that RI Advice Group failed to implement adequate policies, systems and resources which were reasonably appropriate to manage risk in respect of cyber security and cyber resilience. This action does not directly involve directors but is an indication that ASIC is taking cyber breaches seriously. [*Update: On 5 May 2022, the Federal Court handed down its landmark decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, confirming that management of cyber security risk and cyber resilience is critical. Australian corporates should review their cyber security measures regularly and follow the advice of the Australian Cyber Security Centre. Read more in our article Cyber security risk management essential – Landmark decision in ASIC v RI Advice.]
  • In 2015, ASIC confirmed that cyber security falls within directors’ duties and identified cyber security and resilience as high-risk areas for enterprise, warning that they would be the subject of future review (see Report 429 Cyber Resilience: Health Check 2015).
  • A mandatory review of directors’ duties is included in Australia’s Cyber Security Strategy 2020 (the Strategy). Item 36 of the Strategy forewarns legislative changes prescribing a minimum cyber security baseline across the economy, including:
      • Privacy
      • Consumer and data protection laws
      • Duties for company directors
  • The government has introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth). If passed, boards overseeing critical infrastructure corporations will oversee the introduction of baseline cyber security, the implementation of enhanced cyber risk management programs for assets of national significance, and mandatory cyber incident reporting.

Directors’ duties and cyber security – where to start

Now is the time to take action and invest in resources to protect the digital integrity of the company. Ensure cyber security, privacy and data protection is part of your risk assessment and corporate governance processes and mitigate the risk of personal liability for breach of directors’ duties.

Here’s a general overview of what to do:

Include cyber security within the broader enterprise risk assessment protocol

  • Identify, assess and document
  • Address foreseeable risks immediately
  • Isolate critical company assets, implement cyber security resilience protection and ensure regular testing and reporting
  • Engage a cyber security expert who can provide ongoing education and best practice advice to directors or the board
  • Introduce cyber security updates at every board meeting, including any emerging risks

Request, and oversee, that the enterprise:

Invest in strengthening security, software and hardware fundamentals

  • A policy of strong passwords and regular password changes
  • Enforce multi-factor authentication
  • Ensure operating systems and software are genuine and up to date
  • Use only the tools you need to reduce risk
  • Prioritise best-of-suite tools to optimise your risk coverage

Invest in a cyber security team

  • Develop a cyber security protocol including a breach response plan that includes directors, customers, stakeholders and staff
  • Invest in training and skills development for IT professionals and any other employees involved in cyber security risk management and monitoring
  • Create a program for regular checks and updates
  • Report all cyber incidents via the protocol regardless of severity or perceived significance

The key takeaway

Directors are responsible for creating and maintaining cyber resilient enterprises, and failing to do so brings the hefty whack of potential personal liability.

We are following the Strategy and all regulatory actions closely and will update you as we learn more about how they impact directors and their obligations. If you have any questions or concerns, please do not hesitate to get in touch with the Lawthentic team.

About Lawthentic | Commercial Lawyers

Based in Sydney, Lawthentic provides high-level, specialist, commercial and corporate legal advice to business Australia-wide and across APAC. We deliver progressive end-to-end commercial law services that address the full spectrum of legal issues a business may encounter, driving “Real Progress for Enterprise”. Our legal services cover all areas of Commercial law, Corporate law, Intellectual Property law, Data and Technology law, Regulatory Compliance, and Dispute Resolution. We work with medium to large corporate businesses looking for friendlier and more cost-efficient legal services without compromising on expertise. We provide in-house, face-to-face, or remote support from our offices in Sydney.

About the Author

Katie Akpinar, Principal Lawyer

Katie is a Principal Lawyer and Founder at Lawthentic. She is an accomplished commercial and corporate lawyer with considerable experience working with organisations in Australia and across the Asia Pacific region. Katie has a simple philosophy: to consistently apply a commercial approach in delivering practical, considered, and specialist legal guidance. Combining her top-tier law firm experience with corporate acumen and a wealth of industry insight, she provides strategic solutions, whilst playing a meaningful role in her clients’ mission and purpose, helping business to do business.