The Federal Court proceeding, Australian Securities and Investments Commission v RI Advice Group Pty Ltd FCA 496 (“ASIC vs RI Advice”), held that RI Advice Group Pty Ltd, an Australian Financial Services Licence holder, breached sections 912A(1)(a) and 912A(1)(h) of the Corporations Act 2001 (Cth) by failing to ensure the efficient and fair provision of financial services and by lacking adequate risk management systems.
As a result, the Federal Court ordered RI Advice to take specific actions to improve their cybersecurity and pay ASIC’s costs of $750,000.
While the RI Advice decision related to the duties of a financial services licence holder, it sends an important message to all company directors: they must take a proactive approach to managing cybersecurity risk, because they could be personally liable for breaching their duty of care and diligence under the Corporations Act 2001 (Cth).
This article provides practical steps for directors to prepare for data breaches, emphasising Australia’s proactive approach towards director liability for data breaches. Additionally, APP Entities may be held liable under the Privacy Act 1988 (Cth) for failing to report breaches that may cause serious harm in relation to personal information.
Please also see my article about the Notifiable Data Breach Scheme.
Critical Actions For Directors and Management
Policies and Procedures
In ASIC vs RI Advice, Rofe J stated:
“It is not possible to reduce cybersecurity risk to zero… it is possible to reduce cybersecurity risk through adequate cybersecurity documentation and controls materially.”
Organisations must prioritise developing, implementing, and maintaining internal plans, policies, processes, and procedures to ensure effective management and security of data.
Among the key internal documents that managers and directors should consider developing are:
- IT security policies and procedures, personnel policies, social media and device-level policies, and building security policies.
- Operational processes and procedures that align with regulatory and contractual commitments.
- Commercial contracts that contemplate a breach involving the data of a third party.
- Data retention policies, as part of a data governance program, that manage data from creation or receipt through to disposal.
- Data breach response plans, so that the right people know the proper actions to take when an incident occurs.
- Business continuity and disaster recovery plans and facilities.
- Vendor management policies and processes.
- Offshoring or outsourcing contracts that contemplate data breaches outside the organisation and internationally.
- Audit document templates and checklists.
Data Breach Training
The policies and procedures are only helpful if staff understand what they mean, know why they are required, and know how to use them.
In my experience, many companies overestimate their employees’ knowledge and awareness of cybersecurity risk and their resilience to phishing, spear phishing, and social engineering.
Education and training are the most critical factors in mitigating the effect of data breaches. Here are some education and training-related tips to consider:
- Prepare induction training for new employees.
- Run in-person training at least every six months.
- Promote a culture in which all employees and contractors understand the critical importance of effective data management and security.
- Implement processes to continuously monitor compliance with policies and attendance at mandatory training, and address any exceptions as necessary.
Simulating data breaches is a critical tool for assessing whether such documents actually work when a real incident arises.
Effective management and mitigation of information risks require organisations to implement appropriate technological systems and measures to monitor and address risks in digital file storage, email and web hosting, and various online accounts. Naturally, these measures must align with the policies that govern their operation.
Here are more practical steps to consider:
- Consider creating user-level access to systems and information based on the user’s identity or role.
- Data encryption and physical access controls are also essential measures that can be employed to secure data.
- The architecture and design of IT systems should be appropriate for the particular organisation, including implementing network segmentation, segregation, and separation.
- Security testing processes like penetration and vulnerability assessments are essential for identifying and addressing potential security risks.
- Update virus detection software as the vendor recommends. Monitor activity using security systems and processes, such as data loss prevention software, to automatically identify potential misuse or unauthorised use of data.
- Data backup cycles that limit the impact of data becoming corrupted or encrypted by outside actors are crucial, and backed-up data should be tested regularly.
Overall, implementing appropriate technological systems and measures is a fundamental aspect of effective data management and security, and organisations should take the necessary steps to safeguard their information through these means.
Data security considerations become even more critical when entering offshoring or outsourcing arrangements due to the additional risks of sharing information with third-party service providers – especially when your data is being transferred to their systems.
Directors must consider the following critical data security measures when outsourcing:
- Conduct a thorough due diligence process when selecting service providers to ensure adequate data security measures are in place.
- Create contracts that clearly define the security obligations of the service provider, including confidentiality, data protection, access controls, and breach notification procedures.
- Restrict access to sensitive data to only those personnel who need it to perform their duties, and ensure service providers have appropriate access controls in place to safeguard against unauthorised access.
- Encryption must be used when emailing and transferring files to minimise the risk of unauthorised access.
- Consider having suppliers, agents, and contractors agree with your incident response plan so they are obligated to assist in the event of a data breach or security incident.
- Service providers must have data retention and disposal policies and procedures in place to safeguard against unauthorised access to data after the termination of the service agreement.
Business leaders must take the above steps when entering offshoring or outsourcing arrangements to ensure their data is appropriately protected and secure, and that service providers comply with their contractual security obligations.