The regulatory and legal risks of cyber crime

Alec Christie and Jacques Jacobs explain why directors should ensure that effective cyber security and privacy policies are in place.

A series of high profile data breaches or cyber-attacks has brought the increasing regularity and number of incidents into the spotlight, as well as the significant costs associated with them and their potential exposure of boards and directors.

Despite a company’s best endeavours, in today’s world it is inevitable that data breaches will occur. Cyber-attacks (including theft, fraud, sabotage, espionage and hacking) are becoming increasingly sophisticated.

In 2010 and 2011, 2.95 million cyber-attacks were detected in Australia, resulting in losses of up to $595 million. The average cost of a data breach in 2011 was $2.16 million. While some attacks aim to bring a company’s information technology (IT) systems to a standstill, many target the valuable and confidential user and client information held by a company’s IT system.

In light of this, it is vital that directors implement appropriate risk management and data protection systems. While such actions may not stop cyber-attacks from occurring, they will reduce their impact on the company and go a long way to ensuring that directors are adequately insulated against potential actions arising in this field (especially for failure to address such risks).

Data breaches can leave directors and officers of the companies attacked vulnerable to civil suits (including possible class actions) for breaches of privacy legislation, corporate regulation or claims of misleading or deceptive conduct (for not adhering to the company’s own privacy policy, especially in respect of IT security).

To date, most reported or public incidents, and resultant actions against companies and their directors, have occurred in Europe and the US. However, important lessons can be learned by Australian directors.

Sony and Adobe have both experienced data sabotage which also affected Australians. However, under the current privacy regime it is difficult for an individual to bring a breach of privacy claim against either the company or its directors. While Australian corporations have been early adopters of online resources to maintain data, Australia has fallen behind the world in legislating how corporations deal with data breaches.

Under current state and federal legislation, neither Sony nor Adobe are required to report cyber attacks, data breaches or breaches of the Privacy Act to affected individuals or the Office of the Australian Information Commissioner (OAIC).
In Sony’s case, hackers stole encrypted credit card details of 77 million users of Playstation (owned by Sony).

As of 12 March 2014, a consolidated set of principles called the Australian Privacy Principles (APPs) now governs privacy and data protection throughout Australia and significantly enhances privacy and data protection regulation and its enforcement.

The APPs are the cornerstone of privacy protection in Australia and give the OAIC more powers in regulating how federal public agencies and private organisations handle personal information.

The OAIC has stated that a company will not necessarily have breached the APPs solely because a third party gains unauthorised access to personal information held by the company (via cyber-attack or otherwise).

However, the OAIC’s guidelines state that a company will have breached the APPs in circumstances where it did not take “reasonable steps” to protect the information.

Significantly, the amendments to Australian privacy legislation give the OAIC more and stronger powers to enforce adherence to the Australian privacy regime. These powers include:

• The ability to assess whether personal information is being handled in accordance with the APPs or relevant legislation.
• The ability to apply to the Federal Magistrates Court to seek a civil penalty where an individual or company has breached a civil penalty provision of the privacy legislation.

Corporate regulators also impose certain obligations on corporations and executives regarding data breaches. A company with an Australian Financial Services (AFS) licence that is not regulated by the Australian Prudential Regulation Authority (APRA) must have “adequate technological resources” to provide financial services covered by the licence and “adequate risk management systems”.

Whether technological resources are adequate will depend on the nature, scale and complexity of each business.

However, resources will need to be sufficient to comply with all obligations under the law dealing with AFS licence holders, maintain client records and data integrity, protect confidential and other information and meet current and anticipated future operational needs.

APRA requires that the businesses it regulates have clear accountability and communication strategies to limit the effect of data breaches. It has also issued relevant prudential practice guidelines.

APRA expects that such businesses will notify it of any major security incidents. While these obligations are welcomed by Australian consumers, they only apply to a small number of Australian AFS-licensed corporations and would not have been triggered in either the Sony or Adobe breach.

A Bill requiring mandatory data breach notification did not pass the Senate before Parliament was prorogued for the last federal election.

Although the new Coalition government believes in mandatory notification, it did not support the Bill (the Privacy Amendment (Privacy Alerts) Bill 2013) in its then form because of the its perceived lack of due process and scrutiny.

Despite this stumble, it is inevitable that mandatory data breach notification will eventually become law and, as such, directors should watch with caution any future obligations regarding data notification.

Current obligations regarding data breaches focus on private and public entities rather than on the actions of directors. However, that does not suggest that directors could not be exposed to claims arising from such cyber-attacks.

Other areas of law, aside from the current privacy regime, may expose directors to liability in these circumstances.

Further, as the amendments to the privacy regime encourage companies and, in turn directors, to disclose breaches, directors should seek to confirm that such systems are already in place and are up to standard.

Despite the lack of specific obligations regarding data breaches for directors (at this stage), they may nevertheless face exposure.

Current common law and statutory duties imposed on directors in Australia may, in our view, be interpreted to apply to data breaches in certain circumstances.

Directors should have particular regard to their duties of continuous disclosure and the duty of care and diligence under the Corporations Act.

Although, as we far as we are aware, these duties have not yet been considered by an Australian court specific to the area of cyber security, it is, in our view, possible that such obligations could be used to bring actions against directors.

Australian directors should carefully adhere to their duty of care and diligence. A director is required to discharge his or her duties with a degree of care and diligence that a reasonable person would exercise in their position.

This would include monitoring and reviewing a company’s risk management and data security policies.

While shareholders and customers could bring (and have in other jurisdictions brought) claims against directors, these groups first need to show that a director’s (or company’s) actions have caused them actual harm.

For example, a customer whose personal information may have been stolen because a company failed to implement its privacy policy would need to prove this caused him or her a real injury.

This requirement may be satisfied if the customer was a victim of actual credit card fraud (or other tangible loss).

Similarly, consumer class action suits relating to data breaches will need to establish that the customers suffered an actual loss.

In our view, it is only a matter of time before these types of arguments are tested in Australia, particularly by shareholders of companies who, depending on the nature of the company, might find it easier to show a loss.

As such, it would be prudent for directors to implement effective risk management policies and place a heightened emphasis on ensuring that appropriate cyber security policies and privacy policies are in place and correctly implemented.

Considerations for directors:

• Who is in charge of cyber security within the company?
• Can we create checks and balances by having the duties divided between relevant teams (i.e. the privacy officer and information security officer)?
• What role does board oversight play?
• When it comes to board oversight, should there be a director who takes the lead on, or responsibility for, information security, whether informally or formally?
• Has the company mapped the IT system network against information security functions and protections, identified the likely external and internal threats and the interplay between physical and cyber security?
• If the company has programs such as BYOD (bring your own device), what are the policies and safeguards applied to such devices and how does the company ensure that the policies are implemented in practice?
• What is the company’s incident response plan and how well is it disseminated through the organisation?
• Does this plan cover all matters (including regulatory notifications) it should cover?
• Does it include practical matters, such as how to communicate with all relevant stakeholders, including customers and suppliers?
• What insurance do we have for cyber security and data privacy breaches? Is our insurance policy up-to-date and does it cover the matters identified as part of the network and threat mapping?
• What are the policy limits and exclusions on the insurance coverage? In particular, is it a purpose-built cyber security and privacy breach policy that fully covers the company or is it simply an “add-on” to an existing policy?