15 Sep Company directors: liability for cybersecurity negligence

Directors are subject to a range of legal duties including the core duties contained in sections 180 – 183 of the Corporations Act 2001 (Cth) (Corporations Act) which largely codify the common law on directors’ duties.

 

The duty to act with care and diligence

Directors must exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise if he or she were a director in the company’s circumstances and had the same responsibilities of that director.

In making decisions, directors must apply an enquiring mind, consider the overall position of the company, test information put before them by management and proactively consider what other information they require. In practice, the duty requires each director to become familiar with the fundamentals of the business, its financial status, stay informed about the organisation’s activities, and monitor the organisation’s affairs and policies – importantly, including in the context of cyberspace.

 

The changing context – Australia’s cyber security regulations and incentives

The Government is consulting on stronger cyber security regulations and incentives to support a growing digital economy and respond to a growing threat environment, particularly ransomware. This work forms part of Australia’s Cyber Security Strategy 2020[1] and responds to recommendations of the 2020 Cyber Security Strategy Industry Advisory Panel.[2]  It also complements the Government’s critical infrastructure reforms[3] and the Review of the Privacy Act 1988.[4]

Australian businesses are facing wide-reaching regulatory reform, aimed and large and small business alike.

On 13 July 2021, the Australian Government opened consultation on options for regulatory reforms and voluntary incentives to strengthen the cyber security of Australia’s digital economy. Interested stakeholders have been invited to provide a submission to the Strengthening Australia’s Cyber Security Regulations and Incentives discussion paper,^[5] which inter alia records the cost of cyber security incidents to the Australian economy as AU$ 29 billion dollars per year, or 19% of GDP.

Also on 13 July 2021, the Sydney Morning Herald headlined: “Real and present danger: Government considers making company directors personally liable for cyberattacks,[6] quoting Home Affairs Minister Karen Andrews saying that “the country cannot allow this criminal activity to become a significant handbrake on our economic growth and digital security … I want to make sure Australian businesses – big and small – are secure and consumers are protected.”

 

What does this mean for company directors?

This means that there will be an increased compliance burden for Australian businesses and increased risk to company directors.  While it appears that the Department of Home Affairs, responsible for the initiative, seeks to balance corporate accountability and not impose undue hardship on organisations and directors, it remains to be seen how this might be achieved.

The fact remains that, the current requirements under the Corporations Act already render directors liable for cyber security – irrespective of whether the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234[7] (Information Security) applies or not.

 

Current company director liabilities

When company directors breach the law, they can be personally liable. Apart from personal liability arising from criminal offences, trading while insolvent, liability for company tax debts etc., directors can also become personally liable as a result of breaching director duties that caused the company to suffer loss.

So, failure to identify the risk of ransomware (due diligence), and failure to address the risk of ransomware (due care) can already render a company director liable under the Corporations Act.

 

Consequences of failing to perform director duties of diligence and care

 A director who fails to perform their duties, may:[8]

1. 1. 1. Have contravened a civil penalty provision such as the care and diligence requirements under section 181(1) of the Corporations Act (see section 1317E). The court may order the director to pay to the Commonwealth up to $200,000).
      2. Be personally liable to compensate the company or others for any loss or damage they suffer.
      3. Be prohibited from managing a company.

 

Business judgment rule

The business judgment rule under Section 180(2) of the Corporations Act provides a defence for a director in relation to an alleged breach of the duty to act with care and diligence.

The rule provides that a director who makes a ‘business judgment’ (any decision to take or not take action in respect of a matter relevant to the business operations of the corporation) is taken to meet the care and due diligence requirements in respect of the judgment if they make the judgement in good faith, have no material interest in the matter, inform themselves about the matter, and rationally believe that the judgement is in the best interests of the organisation.

The director’s or officer’s belief that the judgment is in the best interests of the corporation is a rational one unless the belief is one that no reasonable person in their position would hold.[9]

 

Takeaways – putting it in simple terms

• • • • Due diligence is the act of investigating and understanding the risks that the organisation faces, like ransomware.
      • Due care is the act of developing and implementing risk mitigation strategies that address the risks, like ransomware.

Due diligence and due care play a part in determining director legal liability.  Directors can be legally charged with negligence and held accountable for any ramifications arising from negligence in addressing a risk like ransomware (and other cyber security risks).

 

3 factors contribute to the determination of liability

1. 1. 1. 1. A legally recognised obligation – director duties of due diligence and due care;
         2. Failure to conform to the required standard – failure to identify that ransomware is highly possible and put in place appropriate strategies to mitigate the risk; and
         3. Proximate causation resulting in injury, damage or loss – ransomware results in the inability of the organisation to operate and loss of revenue, data, confidentiality, intellectual property, personal information etc.

The role of standards in establishing reasonableness

• • Aside from risk mitigation treatments (avoid, accept, reduce/control, transfer), Australian and international standards, and best practice assist in demonstrating compliance with legal requirements, because these establish norms of what is reasonable under certain circumstances.

Cyberlaw in Australia

The regulatory landscape in Australia is complex. Like the United States, Australia has a ‘patchwork’ of laws, regulations, and other legislative instruments that apply in various jurisdictions and various industry sectors.

Any business wanting to maximise sustainable competitive advantage arising from the use of technology whilst managing legal and other risks needs to have a clear understanding of how the regulatory landscape impacts them, what laws apply to them and how these relate to their use of technology and their business processes.

Business, legal and other risk cannot be separated from the use of technology – it is all business risk and the board is ultimately responsible.

 

 

 

 

[1] https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/australia%E2%80%99s-cyber-security-strategy-2020.

[2] https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/industry-advisory-panel.

[3] https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/protecting-critical-infrastructure-systems.

[4] https://www.ag.gov.au/integrity/consultations/review-privacy-act-1988.

[5] Strengthening Australia’s cyber security regulations and incentives — Quick summary (377KB PDF).

[6] https://www.smh.com.au/politics/federal/real-and-present-danger-government-considers-making-company-directors-personally-liable-for-cyber-attacks-20210712-p588vz.html.

[7] https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf.

^[8] Be guilty of a criminal offence with a penalty of up to a maximum of $200,000, or imprisonment for up to five years, or both.

[9] Note: This subsection only operates in relation to duties under this section and their equivalent duties at common law or in equity (including the duty of care that arises under the common law principles governing liability for negligence) – it does not operate in relation to duties under any other provision of this Act or under any other laws.