In Australia, the emerging view is that managing cyber risk falls under the risk management umbrella of boards of directors. All directors and officers have a key responsibility to ensure that companies adopt appropriate risk management strategies to protect the company and its shareholders. Although there is little authority at this stage for how regulators and courts will deal with the issue as it relates specifically to cyber risk, it is anticipated that, in the event of a cyber incident, the directors' and officers' conduct will be assessed in the context of their overall duties to the company and shareholders and their overall risk management function.
When managing and controlling a company, directors and officers have a fundamental non-delegable duty to exercise reasonable care and diligence under Australian law, both under section 180 of the Corporations Act 2001 (Cth) and the common law. Although currently untested in the context of cyber risk, in interpreting the scope of this duty the courts have increasingly imposed a high standard of care on directors and officers, requiring them to understand intimately and manage actively all risks associated with the company.
The primary corporate regulator, the Australian Securities and Investments Commission (ASIC), has the power to bring an action against directors and officers for a breach of their duties. The consequences are potentially serious, and include a declaration of contravention, pecuniary penalties, compensation orders and disqualification of the director or officer from managing a corporation.
In addition to direct regulatory action brought by ASIC, a failure by directors and officers to take reasonable steps to prevent, or respond appropriately to, a cyber incident may also give rise to civil proceedings, either by affected individuals or, if it is in the best interests of the company to do so, in the form of a derivative action brought by shareholders. Private litigation often follows regulatory investigations, as these investigations typically expose the inner failings of the company and provide the relevant evidence and roadmap necessary to formulate an action.
Australia has an active securities class action culture, fuelled by a well-developed plaintiffs' bar and litigation funding industry. It is likely that the question of directors' liability arising out of a cyber incident's impact on a company's share price will be tested in the courts, although this has not yet occurred.
All Australian companies publicly listed on the Australian Securities Exchange (ASX) have an obligation to inform the ASX of any information that a reasonable person would expect to have a material effect on the price or value of the company's securities. Directors and officers of publicly listed companies should carefully consider whether they have an obligation to notify the ASX of a cyber incident and, if so, the timing and content of this notification.
Various industry-specific disclosure obligations apply should a cyber incident occur, and directors and officers should be aware of the obligation to notify regulators and affected individuals of cyber incidents. For example, financial services companies regulated by the Australian Prudential Regulation Authority must notify the regulator of major IT security incidents. A failure to notify is a strict liability offence and penalties of up to AU$36,000 may apply.
All organisations subject to the Privacy Act 1988 (1988 Act) have an obligation to maintain the security of personal information. In general, organisations that have a turnover of more than AU$3 million annually, as well as some small businesses such as private health service providers and businesses that buy and sell personal information, are subject to the 1988 Act.
The Australian government has recently introduced draft legislation which, if enacted, would require organisations and agencies subject to the 1988 Act to notify the Privacy Commissioner and affected or at-risk individuals if an eligible data breach occurs (the Privacy Amendment (Notifiable Data Breaches) Bill 2016). A failure to do so will be deemed to be an interference with the privacy of affected individuals, and penalties of up to AU$1,800,000 will apply.
Various legislative regimes that impose civil penalties on companies for contravening the relevant regulatory requirements also have in place ancillary liability provisions under which directors and officers could be held personally liable where it can be shown that they were involved in the contravention; that is, through aiding, abetting, counselling or procuring the relevant contravention. An example of this legislation is the Competition and Consumer Act 2010, which makes it an offence for a company to engage in misleading or deceptive conduct. A director or officer could be personally liable if it can be shown that he was involved in the misleading or deceptive conduct. While ancillary liability may be difficult to establish, the liability mechanism nevertheless exists and directors and officers should be wary of any representations they make about the company's state of cyber security.
Ffion Flockhart is a partner, and Steven Hadwin is an associate, in the London office; David Navetta is a partner, and Kris Kleiner is an associate, in the Denver office; Dino Wilkinson is a partner in the Abu Dhabi office; Steve Tenai is a partner in the Toronto office; Christoph Ritzer is of counsel in the Frankfurt office; Elsa Jordaan is a director in the Johannesburg office; and John Moran is a partner, and Reece Corbett-Wilkins is an associate, in the Sydney office, of Norton Rose Fulbright.