Company law – Your corporate guide to cyber security and data breaches

There is little doubt that both the scale and sophistication of cyber-attacks and data breaches are increasing, not just in Australia, but at an international level. Such sophisticated cyber-attacks are also becoming increasingly harder to detect.

One only has to look to the recent data breaches at both Optus and Medibank Private (Medibank) to witness the widespread reverberations not just within Australia, but also on the global stage. The security systems and procedures of two of Australia’s largest corporations have suddenly and without warning been thrown under the spotlight for all to see. In particular, the leak of personal health information as a result of the Medibank data breach has placed thousands of vulnerable Australians at risk, when it comes to everyday “transactions” such as applying for a job, applying for credit or seeking a reference.

The secondary impacts of such data breaches can be even more significant and may take time to fully materialise. These impacts may include risks to the financial standing and mental health & wellbeing of those individuals who have been targeted as well as reputational damage to the brand of those corporations at fault.

Both Optus and Medibank also face the very real prospect of class actions against them from clients aggrieved by the breach of their data. This is particularly so, where such breach has led to personal financial loss for the “victims”. It is little wonder that the demand for cyber security products and services is growing. Indeed, Australian’s spent AUD$5.6 billion on cyber security in 2020, with that figure expected to grow to AUD$7.6 billion by 2024¹.

This article guides you through the topic of cyber security and data breaches, and the importance of vigilance when it comes to securing client data, in particular personal, confidential or highly-sensitive data. Our guide also explains the consequences of a data breach and provides some key practical steps for corporations and company directors to implement, in order to ensure compliance when it comes to cyber security. Our guide follows a logical structure and is organised into chapters as follows:

Chapter 1 – Introduction to cyber security
Chapter 2 – Why is cyber security so important?
Chapter 3 – Safeguarding client data
Chapter 4 – The consequences of a data breach
Chapter 5 – Protecting privacy
Chapter 6 – Practical guidance for corporations
Chapter 7 – Conclusion and key takeaways

Chapter 1 – Introduction to cyber security

Cyber security refers to the body of technologies, processes and practices which are designed to protect networks, devices, programs and data from attack, damage or unauthorised access. In essence, cyber security refers to the protection of computers which are attached to the internet. Cyber security is often referred to as information technology (IT) security.

Entities such as government, business and corporations, as well as millions of Australian individuals rely on internet connections every day for carrying out work or study, conducting transactions or engaging in commerce or entertainment. If such use is compromised or threatened, both individuals and corporations can lose confidence in the systems and processes designed to protect them. This can have knock-on repercussions on innovation, investment, growth of the economy and trade & commerce.

The Australian Cyber Security Centre (ACSC) is the Australian government lead agency for cyber security. It was founded in November 2014 and was known at that time as the Cyber Security Operations Centre. The ACSC is a hub for private and public sector collaboration and information-sharing on cyber security, in order to prevent and combat threats and minimise harm to Australians. ACSC has been extremely critical of the recent cyber-attacks on both Optus and Medibank and the irreparable harm which this has caused thousands of Australians, particularly those most vulnerable.

At the same time, ACSC and entities, including the Australian Securities and Investments Commission (ASIC), have to be seen to hold large corporations such as Optus and Medibank to account. It does this via compliance and training programs and encouraging prompt reporting of a cyber incident or suspected cyber incident in order to mitigate loss.

The Australian Signals Directorate (ASD) also plays a part. Known formerly as the Defence Signals Directorate, ASD is a federal statutory agency and part of Australia’s intelligence community. ASD’s responsibilities include foreign signals intelligence, information security, cyber warfare, offensive cyber operations and providing support to military operations. ASD sees the data breaches of both Optus and Medibank as criminal attacks with the nature of these criminals’ business evolving to highly organised and syndicated criminality.

Chapter 2 – Why is cyber security so important?

There is little doubt that data is now one of the most valuable commodities for an organisation. Data is, in essence, an IP asset, which can be traded. The value of data lies in the market insight and knowledge which can be gained from it, including demographic information, trends and spending habits. This is valuable information in targeting new client segments and expanding business opportunities. However, in the hands of cybercriminals this information can be used against an organisation to their detriment. As technology advances, it is becoming increasingly easier for cybercriminals to illegally hack company accounts and breach security measures in order to access client data. Indeed, we have witnessed this firsthand with the recent data hacks on both Optus and Medibank.

At a high level, cyber security is important for Australia’s national security, innovation and prosperity. At a corporate level, cyber security permits for healthy competition between organisations which in turn allows for innovation, investment and economic growth. Companies have a right to protect their trade secrets and IP from unwarranted intrusion. Part of that IP is valuable customer data pertaining to the market segments / demographic which an organisation is focused on, or targeting. If that data is breached, it gives a company’s competitors an unfair advantage in the marketplace, which in turn can stifle competition and growth.

At the most basic level, a cyber security attack can result in a corporation suffering billions of dollars’ worth of damage. This cost accumulates from:

• Taking corrective and restorative measures to amend the breach and recover at least some data, if possible. This may involve engaging specialist cybercrime organisations to assist including, in some cases, the Australian Federal Police (AFP). Indeed we have seen this with the recent Medibank breach.
• The costs of compensating clients for any loss or damage as a result of breach of their data, including settling any claims and/or class actions either in or out of court. The legal fees alone for addressing such claims can be extortionate.
• The costs of repairing damage to reputation in the marketplace. This may include special offers for customers or waiving fees for a set period of time. It may also include some form of corrective advertising or national apology. We have seen this with the recent Optus breach.
• Paying a ransomware demand to the cybercriminals in order to restore the breached data, if possible. However, this is not a recommended course of action. Evidence shows that, in most cases, organisations fail to retrieve all their data in the form it was prior to the cyber incident. Acquiescing to the demands of cybercriminals is also discouraged, as it fails to act as a deterrent and is only likely to fuel this behaviour and lead to increased cyber incidents ie. if cybercriminals feel that there is a strong possibility of being paid for their misdemeanors.

Hence the importance of cyber security cannot be over-stressed, particularly in today’s digitally-driven world where a large majority of consumer interactions are now digital transactions. Clients can feel even more exposed online where there is no “face” to go with a transaction. They need to have confidence that the protection of their personal data is taken seriously by those organisations with which they engage.

A data breach may also result in a formal investigation of the company at fault. The Office of the Australian Information Commissioner (OAIC) is authorised to investigate an act or practice which may be an interference with the privacy of an individual or a breach of the Australian Privacy Principles (APP) 1 under s 40(2) of the Privacy Act 1988 (Cth) (Privacy Act).

On 11 October 2022, the OAIC announced that it had commenced an investigation into the personal information handling practices of Optus, in regard to the data breach made public by Optus on 22 September 2022. On 1 December, the OAIC announced a similar investigation into the Medibank data breach. The OAIC investigations, in each case, will focus on whether Optus and Medibank took reasonable steps to protect client data from misuse, interference, loss, unauthorised access, modification or disclosure and whether the client information collected and retained was necessary in order for Optus and Medibank to carry out their business. The investigation will also consider whether the companies took reasonable steps to implement practices, procedures and systems in order to ensure compliance with the APPs under Australian privacy law. If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.

Chapter 3 – Safeguarding client data

Companies and corporate directors need to take an active role in safeguarding client data. In Australia, confidential, private and sensitive information is protected by Federal and State privacy legislation. This includes the Privacy Act and the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act). This legislation governs how businesses collect, store and use information and data relating to their clients, employees and any agents, such as subcontractors or suppliers.

As a business owner, company directors and boards are responsible for taking appropriate measures in order to safeguard their client data. This includes having appropriate processes, procedures and plans in place. Such plans include both a Data Governance Policy, to guard against a data breach (proactive approach), and a Business Continuity Plan, in the event that a data breach does occur (reactive approach) in order to allow a company to mobilise quickly in response to the breach.

A Data Governance Policy should contain the following:

• An overview of the processes pertaining to data security (including backups), data retention and data access.
• An overview of internal privacy policies, processes and procedures related to data governance.
• An overview of who, within the organisation, is responsible for data security. This may be one individual (for smaller corporations) or a whole team (for larger corporations).
• A process for data security to be central to every project undertaken by the organisation. Hence it should be included up-front as part of the project planning phase.
• A process for collecting only that data which is required by the company for their business purposes. This is in line with the 13 APPs as outlined in the Privacy Act.
• A process for using and disclosing data only for the primary purpose for which it was collected.
• A process for handling the disclosure of data overseas, whether that be to a subsidiary of the company or to an overseas supplier. If an Australian company is sharing data with a European company, then adherence to the European General Data Protection Regulation (GDPR) is essential. Part of the GDPR mandates a client’s right to be forgotten ie. that all client data, and the history of that data, be deleted on request by a client.
• A regular cybersecurity training and compliance program for all employees, to be conducted at least annually.

A Business Continuity Plan should contain:

• A Disaster Recovery Plan in the event that systems holding client data are compromised or fail.
• Measures to lockdown existing systems with immediate effect in order to prevent further breaches. This may result in some business-critical systems being taken offline for a period of time whilst the incident is being investigated.
• Recommendations for seeking appropriate assistance ie. from a specialist data protection or data recovery provider if need be. Having appropriate assistance in-house or on hand will help to alleviate some of stress associated with the situation.
• System and access monitoring processes. This can help to determine who is online at any one point in time and what content they have accessed. This can assist in facilitating any subsequent investigations.
• Processes for troubleshooting the issue in order to determine the source of the breach.
• Recommended measures to recover what data can be recovered, if possible.
• A communication plan to communicate throughout the process with shareholders, stakeholders, investors and employees. It is essential that a clear line of communication is maintained with all potentially impacted parties throughout the incident. This will help to ensure that the right message gets out to the market on how the incident is being handled and should assist in minimising any negative fallout.

Strong virus protection software, scheduled backups and regular network updates are also crucial. This ensures that, for example, an organisation is always running the latest version of an operating system for which appropriate support is available.

Chapter 4 – The consequences of a data breach

The consequences of a data breach can be catastrophic for the organisation involved. Such consequences may include:

• A “slap on the wrist” fine,
• Millions of dollars in damages and compensation to impacted clients,
• Impact to revenue and profits,
• Impact on the attaining of future business or investment / grants,
• Irreparable damage to brand and reputation, and
• Clients defecting to other organisations, often a closest competitor.

Companies who have suffered a data breach are generally obliged to report that breach. The OAIC outlines the definition of a notifiable data breach, that is, when a company who must comply with the Australian privacy law is obliged to inform their clients if a data breach is likely to cause them serious harm. Examples of serious harm include:

• Identity theft, which can affect an individual’s finances and credit rating,
• Financial loss via fraud,
• A likely risk of physical harm such as from an abusive partner, or ex-partner,
• Serious psychological harm, or
• Serious harm to an individual’s reputation.

A company must also report a serious data breach to the OAIC. Generally, a company will have 30 days in which to assess if a data breach is likely to result in serious harm to a client.

If a data breach has occurred, OAIC expects the company which is in breach to take whatever steps are necessary in order to mitigate the damage and reduce the risk of an individual suffering serious consequences.

Chapter 5 – Protecting privacy

The Privacy Act contains 13 Australian Privacy Principles (APPs) which Australian corporations and agencies must follow if they collect, store, handle and disseminate personal information. Personal information is defined in the Privacy Act as any information, or any opinion, which identifies, or could identify, an individual. Some example of personal information include name, address, telephone number, date of birth and medical records. It is exactly this type of information which was compromised in the recent data attacks on both Optus and Medibank.

The OAIC has commented that the Optus data breach has highlighted the key privacy issues which corporate Australia needs to take heed of.

In line with Australia’s privacy laws, organisations should only be collecting and storing personal information which is reasonably necessary for the organisation to conduct their business. To do otherwise, breaches privacy legislation and increases the risk to clients of their data being breached. Clients have a right to know what data is being held pertaining to their personal circumstances. They also need to be afforded an opportunity to correct that data, or have it corrected on their behalf, if it is wrong.

In light of the recent cyber-attacks on Optus and Medibank, the OAIC is urging all corporations to review their personal information handling practices and data breach response plans to ensure that information is held securely and that, in the event of a data breach, the organisation can quickly mobilise in order to notify impacted individuals so that those who have been personally impacted can take steps to mitigate their risk of harm.

Chapter 6 – Practical guidance for corporations

We have witnessed first-hand the devastating consequences which a data breach can have for an organisation. As always, prevention is better than cure. There are practical steps which companies can take in order to safeguard their data and reduce their risk of becoming a target for cybercriminals. These steps include ensuring that:

• Plans and policies are in place – Your company should have a Data Governance Policy and Business Continuity Plan in place (as outlined in Chapter 3 above). These plans should be reviewed (and revised if need be) on a regular basis ie. at least annually as technology advances so rapidly and business circumstances can change. Also ensure that all employees are aware of, and adhere to both the Policy and the Plan. Consider conducting annual training sessions to walk employees through the plan and highlight any changes. This is essential for new starters to the company.
• Data security is part of the company’s culture – Data security is the responsibility of everyone in the organisation from graduates up to the CEO. Being wary of phishing and scam emails should become second-nature for all employees. Everyone needs to think twice before pressing send on an email ie. is this going to the right group of people, have I attached the right information etc. “Test” employees regularly ie. with mock phishing emails, to ensure that employees get better at recognising and responding to risky emails.
• Data environments are set up correctly – Avoid having production data in a test environment. Your test environment should contain “dummy” data only. In addition, a disaster recovery or backup environment is often (by necessity) a copy of a company’s production environment. However, this poses additional risks.
• Data storage is conducted appropriately – All data in storage should be encrypted. Encryption is also essential anytime that data is being moved around, or between, systems or databases. In addition, sensitive client data should always be redacted with access only for those individuals who need to access it.

Chapter 7 – Conclusion and key takeaways

There is little doubt that the protection of personal client data is of utmost importance to any corporation. The recent data breaches at both Optus and Medibank only serve as a stark reminder of the devastating consequences which can occur when data falls into the wrong hands.

The impact on a company’s profits and revenue is one aspect. However, it is invariably the damage to a corporation’s brand and reputation in the marketplace which is of a far greater severity. Clients can lose confidence in an organisation almost overnight, and a reputation which has taken years to foster and build can be destroyed by one cyber incident – particularly where that incident reaches international headlines. Companies, and the directors behind those organisations, need to ensure that they have appropriate process and plans in place to deal with all probable scenarios when it comes to the protection of client data – particularly data of a sensitive, confidential or personal nature.

Perhaps one positive aspect to emerge from the recent data breaches at Optus and Medibank is that the reporting of cyberattacks has now increased ie. if anything companies and individuals are now becoming more technically savvy and responsive, which can only be a good thing.

The ACSC, OAIC, ASD and ASIC provide a wealth of information to assist you in understanding your obligations when it comes to data security and privacy.

Refer also to our next-generation research platform for tax and legal professionals, CCH iKnowConnect for more information.

We have a whole practice area dedicated to Privacy Law.

We also provide regular news stories on topics such as the Optus data breach which you can access on our CCH iKnowConnect platform.
​

Free 7-day trials are available on CCH iKnowConnect for specific areas of interest and practice areas. Experience it for yourself today!

1. The Australian Cyber Security Centre, Medibank Private Cyber Security Incident, 1 December 2022, accessed 5 December 2022.
2. The Office of the Australian Information Commissioner, OAIC opens investigation into Optus over data breach, 11 October 2022, accessed 5 December 2022.
3. The Office of the Australian Information Commissioner, Advice on the Optus data breach, 14 October 2022, accessed 5 December 2022.
4. The Office of the Australian Information Commissioner, OAIC opens investigation into the Medibank over data breach, 1 December 2022, accessed 5 December 2022.
5. The Office of the Australian Information Commissioner, What is a notifiable data breach?, accessed 5 December 2022.
6. The Australian Signals Directorate, Cyber security, accessed 5 December 2022.
7. The Australian Securities and Investments Commission, Guidance for consumers impacted by the Optus data breach, accessed 5 December 2022.
8. The Australian Securities and Investments Commission, Guidance for consumers impacted by the Medibank Private and AHM cyber incident, accessed 5 December 2022.
9. Australian Government, Global Australia, Cyber security, accessed 5 December 2022.
10. EU General Data Protection Regulation (GDPR), accessed 5 December 2022.
11. CCH Pinpoint ®, Privacy Law, accessed 5 December 2022.
12. CCH Pinpoint ®, The Optus data breach and corporate responsibility, 26 September 2022, accessed 5 December 2022.