The cost of a cyber incident can be enormous. Beyond the costs associated with the technical investigation for determining the cause of the cyber incident, organisations will also have to fork out money for securing ICT infrastructure and making cyber security improvements. And the costs don’t stop there, with many indirect or flow-on costs such as the lost value of customer relationships and trust, operational interruption, reputational loss, and damage sustained from the loss of confidential or personal information.
23% of Australian organisations surveyed experienced a business-interrupting security incident in an average month during 2015.
From a risk management perspective, it makes sense for organisations to address cyber resilience and security as part of its business strategy, but is there a legal requirement for organisations to do so?
Unlike some other countries, Australia does not have cyber-specific laws that regulate cyber resilience and cyber security in the private sector. Instead, various Acts create some common legal obligations that apply to organisations under which they must address their cyber resilience and security. These obligations stem from the:
- Privacy Act 1988 (Cth);
- Mandatory Notification of Data Breach Regime; and
- Corporations Act 2001 (Cth).
Beyond this, organisations must also consider industry codes, standards, and guidelines relevant to their business in addressing their cyber resilience strategy.
Privacy Act – APP11
The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) govern how companies collect, use and disclose personal information. APP 11 requires organisations to take active measures to ensure the security of personal information that it holds. In practice, this means that organisations must take reasonable steps to protect the information from misuse, interference, as well as unauthorised access, modification, or disclosure.
In 2015–16, personal information security was the third highest query to the Office of the Australian Privacy Commissioner (OAIC).
The OAIC expects organisations, in taking “reasonable steps,” to implement appropriate ICT security and data protection strategies, as well as ensure a cyber-aware culture organisation-wide.
The reality is that different industries will face different cyber threats and data security challenges. Reasonable steps to protect a banking customer’s personal information are likely to be unreasonable for a small retailer. Consequently, we are seeing that industries in Australia are mainly self-regulating their cyber security arrangements. There are industry specific voluntary codes, standards and guidelines that aim to set benchmarks and improve business practices and regulatory compliance in that industry.
For example, the Australian Prudential Regulatory Authority (APRA) and Australian Securities and Investments Commission (ASIC) provide guidance in relation to cybersecurity guidelines for banking, finance, insurance, and the superannuation industries. Specifically:
Mandatory Data Breach Notification Regime
Australia will have a Mandatory Data Breach Notification regime after legislation was passed by the Parliament in February 2017. The Government has 12 months to specify a date for the regime to begin operation. If no date is chosen, the regime will automatically start on 23 February 2018. The growth of the digital economy has created a wealth of data on customers and the introduction of the new regime is a signal to all industries that cybersecurity practices are now under the spotlight.
The Mandatory Data Breach Notification Regime will require organisations to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals “as soon as practicable” if it becomes aware that there are “reasonable grounds” to believe that an eligible data breach has occurred (or if directed to do so by the OAIC).
The OAIC may impose penalties for non-compliance. These penalties may range from less severe sanctions such as public apologies (which may damage an organisation’s reputation) to compensation payments and civil penalties for “serious or repeated non-compliance.” A failure to comply with the regime can incur fines of up to $360,000 for individuals and $1.8 million for organisations.
Importantly, not all instances of data breach may need to be reported. In some instances a data breach could occur even if an organisation has taken “reasonable steps” to secure personal information as is mandated by APP11.
You can read more about the essentials of the mandatory breach notification regime here.
Corporations Act 2001 (Cth)
The Corporations Act 2001 imposes a range of reporting obligations on ASX-listed companies. These obligations require corporations to disclose information that would reasonably be expected to have a material effect on the price or value of their securities. The material impact of a cyber incident on organisations is undeniable. Last month Yahoo had to reduce its sale price to Verizon by almost $350 million following two cyber-attacks that compromised the personal information and account security of more than 1 billion users.
Organisations must consider how their cyber maturity impact on these disclosure obligations. ASIC identified in its Cyber Resilience Report (Report 429: Cyber Resilience – Health Check) that cyber security issues are matters that significantly impact a company’s operations and that it expects disclosure of these issues in annual reports and offer information statements.
And always remember… The buck stops at the top.
In its Cyber Resilience Report (Report 429: Cyber Resilience – Health Check), ASIC clarified that the obligation on company directors and officers to discharge their duties with care and diligence extends to cyber security and resilience. Directors’ duties now include an obligation to ensure appropriate commitment to cyber resilience in an organisation’s corporate governance regime. Directors face personal liability for failing to foster appropriate cyber resilience within their organisation.
You can read more about how cyber resilience impacts on a director’s duties in our previous blog.