Australian company directors have been navigating uncharted territory since the outbreak of the COVID-19 pandemic with many businesses suffering changes to both their supply chain and customer base.
It is more important than ever for directors to remember their duty under the Corporations Act to exercise their powers and discharge their duties with ‘care and diligence’[1], and to remember that the duty is owed to the company, rather than directly to shareholders.[2]
The incidence of cyber attacks has increased dramatically during the pandemic, with many individuals working from home, where security is often compromised, and with many ‘usual’ business practices being disrupted on a daily basis.
ASIC Report 4291 states that:
On 21 August 2020, ASIC commenced proceedings in the Federal Court against RI Advice Pty Ltd (RI), an Australian Financial Services licence holder, following a number of alleged cyber breach incidents at certain authorised representatives of RI.
ASIC alleges that:
ASIC is seeking:
A failure to notify the Office of the Australian Information Commissioner of a data breach pursuant to the notifiable data breach legislation[4] may also expose a company to a significant fine, particularly in circumstances where a company cannot demonstrate that the obligation to protect data and information in relation to individuals has been met.
The Australian Competition and Consumer Commission (ACCC) also has a number of statutory powers under the Australian Consumer Law which could be exercised to penalise companies with poor cyber security. In particular, there is a potential for a finding of a false or misleading representation by a company in circumstances where it has poor data security.
Accordingly, it is important that directors are proactive in this area and ensure that the company is in a position to demonstrate that it took all necessary steps to protect the company’s data from a cyber attack.
Sitting back and doing nothing will not be a defence, and may well expose a director to a risk of disqualification, and the company to a significant fine issued by the OAIC or to an investigation by ASIC.
[1] Corporations Act 2001 (Cth) section 180.
[2] Sharp & Others v Blank and Others [2015] EWHC 3220 (Cth).
[3] See [1] ibid.
[4] Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).