Data Breaches for Company Directors in Australia
The heat is being turned up for directors in Australia regarding cybersecurity, and there appear to be few places to hide.
The Federal Court found, in ASIC v RI Advice, that an Australian Financial Services Licence holder breached sections 912A(1)(a) and 912A(1)(h) of the Corporations Act by failing to do all things necessary to ensure that its financial services were provided efficiently, honestly and fairly, and by failing to have adequate risk management systems in place.
As a result, the Federal Court ordered RI Advice to take specific actions to improve their cybersecurity and pay ASIC’s costs of $750,000.
ASIC v RI Advice highlights the importance of all company directors being proactive in managing cybersecurity risks, as they could be held liable for breaching their duty of care and diligence.
This article provides directors with practical steps to prepare for data breaches and protect their organisations, which will also help take the heat off themselves. It reflects Australia's increasingly proactive approach to director liability for data breaches. Note also that APP entities can face action under the Privacy Act 1988 (Cth) for failing to notify eligible data breaches, that is, breaches involving personal information that are likely to result in serious harm to the individuals affected.
Please also see my article about the Notifiable Data Breach Scheme.
Critical Internal Actions
Policies and Procedures
In ASIC v RI Advice Group, Rofe J stated:
“it is not possible to reduce cybersecurity risk to zero… it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls.”
Organisations must prioritise developing, implementing, and maintaining internal plans, policies, processes, and procedures to ensure their data’s effective management and security.
Among the key internal documents and controls that managers and directors should consider developing are:
- IT security policies and procedures, personnel policies, social media policies, device-level policies, and building security and access policies.
- Operational processes and procedures that align with regulatory and contractual commitments.
- An audit of commercial contracts to determine the contractual exposure if a breach involves a third party's data.
- Data retention policies, as part of a data governance program that manages data from creation to disposal.
- A data breach response plan, so that the right people know the proper actions to take when an incident occurs.
- Business continuity and disaster recovery plans and facilities.
- Vendor management policies and processes that are governed strongly and effectively.
- Gateway reviews of compliance with mandatory security and other contractual requirements imposed on service providers and business partners.
- Additional requirements where offshoring or outsourcing arrangements are in place.
- Contractual audit rights, exercised regularly, to confirm that service providers and business partners are complying with their obligations.
- Periodic review and testing of all plans, policies, processes, and procedures.
The policies and procedures are only useful if staff understand what they mean, why they are required and how to use them.
In my experience, many companies overestimate their employees’ knowledge and awareness of cybersecurity risk and their resilience to phishing, spear phishing, and social engineering.
In any case, education and training are the most critical factors in mitigating the effect of data breaches. Here are some education and training-related tips to consider:
- Deliver induction training on an employee's first day.
- Run in-person training at least every six months.
- Promote a culture where all employees and contractors understand the critical importance of effective data management and security.
- Directors must implement processes to continuously monitor compliance with policies and attendance at mandatory training, and address any exceptions as necessary.
Simulating a data breach (for example, a tabletop exercise run against the response plan) is a critical tool for assessing whether these documents actually work when the issues they anticipate arise.
Effective management and mitigation of information risks require organisations to implement appropriate technological systems and measures to monitor and address risks in digital file storage, email and web hosting, and various online accounts. Naturally, these measures must align with the policies that govern their operation.
Here are more practical steps to consider:
- Grant access to systems and information at the user level, based on the user's identity or role, and only to the extent the role requires (least privilege).
- Data encryption and physical access controls are also essential measures for securing data.
- The architecture and design of IT systems should be appropriate for the particular organisation, including network segmentation, segregation, and separation, so that a compromise in one part of the network does not give an attacker free movement through the rest.
- Security testing processes, such as penetration testing and vulnerability assessments, are essential for identifying and addressing security weaknesses before an attacker does.
- Keep malware detection software updated as the vendor recommends, and monitor activity with security systems and processes such as data loss prevention (DLP) software so that potential misuse or unauthorised use of data is identified automatically.
- Backup cycles that limit the impact of data being corrupted or encrypted by outside actors (such as ransomware) are crucial, and backups should be restored and tested regularly: a backup that has never been restored is an assumption, not a control.
Overall, implementing appropriate technological systems and measures is a fundamental aspect of effective data management and security, and organisations should take the necessary steps to safeguard their information through these means.
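Testing a backup means more than confirming that the backup job ran. The following Python example is added here and is not from the original article or any product it mentions: it records a SHA-256 manifest of the files at backup time and then compares a restored copy against that manifest, reporting files that are missing, altered (for example, encrypted by ransomware) or unexpected. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Added example: SHA-256 manifest of a backup set, plus a restore check that
flags missing, modified and unexpected files. Paths and contents below are
constructed for the demo and are not from the article."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest.
    Store this manifest separately from the backup itself, otherwise an
    attacker who can encrypt the backup can also rewrite the manifest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.
    All three lists empty means the restore test passed."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def _make_source(tmp: Path) -> Path:
    # Constructed sample data standing in for the business's files.
    src = tmp / "source"
    src.mkdir()
    (src / "ledger.csv").write_text("id,amount\n1,100\n")
    (src / "notes.txt").write_text("quarterly review\n")
    return src


def demo_clean_restore() -> dict:
    """A faithful restore: every file present and byte-for-byte identical."""
    with tempfile.TemporaryDirectory() as tmp:
        src = _make_source(Path(tmp))
        manifest = build_manifest(src)
        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        return verify_restore(manifest, restored)


def demo_tampered_restore() -> dict:
    """A restore from a backup an attacker reached: one file encrypted in place,
    one file gone, and a ransom note left behind (all constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = _make_source(Path(tmp))
        manifest = build_manifest(src)
        restored = Path(tmp) / "restored"
        restored.mkdir()
        (restored / "ledger.csv").write_bytes(b"\x00\x11\x22 encrypted-by-attacker")
        # notes.txt is deliberately absent from the restored tree
        (restored / "ledger.csv.locked").write_text("pay us\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:", demo_clean_restore())
    print("tampered restore:", demo_tampered_restore())
```

The point of the check is that a backup which restores without errors can still be useless; only comparing restored content against a digest captured at backup time, and kept out of the attacker's reach, tells you the data is intact.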
Data security considerations become even more critical when entering into offshoring or outsourcing arrangements due to the additional risks of sharing information with third-party service providers – especially when your data is being transferred to their systems.
Directors must consider the following critical data security measures when outsourcing:
- Conduct a thorough due diligence process when selecting service providers to ensure adequate data security measures are in place.
- Create contracts that clearly define the security obligations of the service provider, including confidentiality, data protection, access controls, and breach notification procedures.
- Restrict access to sensitive data to only those personnel who need it to perform their duties, and ensure that service providers have appropriate access controls in place to safeguard against unauthorised access.
- Encryption must be used when emailing and transferring files to minimise the risk of unauthorised access.
- Consider having suppliers, agents, and contractors agree with your incident response plan so they are obligated to assist in the event of a data breach or security incident.
- Service providers must have data retention and disposal policies and procedures in place to safeguard against unauthorised access to data after the termination of the service agreement.
Overall, when entering into offshoring or outsourcing arrangements, business leaders must take the steps above to ensure their data is appropriately protected and that service providers comply with their contractual security obligations.