The Federal Court, in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (“ASIC vs RI Advice”), held that RI Advice Group Pty Ltd, an Australian Financial Services Licence holder, breached sections 912A(1)(a) and 912A(1)(h) of the Corporations Act 2001 (Cth) for failing to ensure the efficient and fair provision of financial services and lacking adequate risk management systems.
As a result, RI Advice was ordered to take specific actions to improve its cybersecurity and to pay ASIC’s costs of $750,000.
Although the RI Advice decision concerns the duties of financial services licence holders, it nonetheless sends a clear message to all company directors that their duty of care and diligence under the Corporations Act 2001 (Cth) includes taking responsibility for their company’s cybersecurity measures.
This article provides practical steps for directors to prepare for data breaches.
Please also read my article about the Notifiable Data Breach Scheme, under which companies subject to the Privacy Act 1988 (Cth) (APP Entities) can face significant penalties for failing to report data breaches involving personal information.
Critical Actions For Directors and Management
Policies and Procedures
In ASIC vs RI Advice, Rofe J stated:
“It is not possible to reduce cybersecurity risk to zero… it is possible to reduce cybersecurity risk through adequate cybersecurity documentation and controls materially.”
Organisations must prioritise developing, implementing, and maintaining internal plans, policies, and procedures to ensure effective management and security of data.
Among the critical internal documents that managers and directors must consider developing are:
- IT security policies and procedures, personnel policies, social media and device-level policies, and building security policies.
- Operational processes and procedures that align with regulatory and contractual commitments.
- Commercial contracts that contemplate a breach involving the data of a third party.
- Data retention policies, implemented as part of a data governance program, that manage data from creation or receipt through to disposal.
- Data breach response plans that ensure the right people know what to do when an incident occurs.
- Business continuity and disaster recovery plans and facilities.
- Vendor management policies and processes.
- Offshoring or outsourcing contracts that contemplate data breaches outside the organisation and internationally.
- Audit document templates and checklists.
Data Breach Training
The policies and procedures are only helpful if staff understand what they mean, know why they are required, and know how to use them.
In my experience, many companies overestimate their employees’ knowledge and awareness of cybersecurity risk and their resilience to phishing, spear phishing, and social engineering.
Education and training are the most critical factors in mitigating the effect of data breaches. Here are some education and training-related tips to consider:
- Prepare induction training for new employees.
- Hold in-person training at least every six months.
- Promote a culture where all employees and contractors understand the critical importance of effective data management and security.
- Directors must implement processes to continuously monitor compliance with policies and attendance at mandatory training, and address any exceptions as necessary.
ICT Teams
Effective management and mitigation of information risks require organisations to implement appropriate technological systems and measures to monitor and address risks in digital file storage, email and web hosting, and various online accounts. Naturally, these measures must align with the policies that govern their operation.
Here are more practical steps to consider:
- Consider creating user-level access to systems and information based on the user’s identity or role.
- Data encryption and physical access controls are also essential measures that can be employed to secure data.
- The architecture and design of IT systems should be appropriate for the particular organisation, including implementing network segmentation, segregation, and separation.
- Security testing processes like penetration and vulnerability assessments are essential for identifying and addressing potential security risks.
- Keep virus detection software updated as the vendor recommends, and monitor activity with security systems and processes such as data loss prevention software to automatically identify potential misuse or unauthorised use of data.
- Data backup cycles that limit the impact of data becoming corrupted or encrypted by outside actors are crucial, and backed-up data should be tested regularly.
Implementing appropriate technological systems and measures is a fundamental aspect of effective data management and security, and organisations should take the necessary steps to safeguard their information.
Outsourcing
Data security considerations become even more critical when entering offshoring or outsourcing arrangements due to the additional risks of sharing information with third-party service providers – especially if your company’s data is being transferred to their systems.
Directors must consider the following critical data security measures when outsourcing:
- Conduct a thorough due diligence process when selecting service providers to ensure adequate data security measures are in place.
- Create contracts defining the service provider’s security obligations, including confidentiality, data protection, access controls, and breach notification procedures.
- Data access should be restricted to only those personnel who need it to perform their duties. Organisations should ensure service providers have appropriate access controls to safeguard against unauthorised access.
- Encryption must be used when emailing and transferring files to minimise the risk of unauthorised access.
- Consider having suppliers, agents, and contractors agree with your incident response plan so they are obligated to assist in the event of a data breach or security incident.
- Service providers must have data retention and disposal policies and procedures to safeguard against unauthorised access to data after the service agreement terminates.
Business leaders must take the above steps when entering offshoring or outsourcing arrangements to ensure their data is appropriately protected and secure and that service providers comply with their contractual security obligations.