Cyber-security and legal risks

New obligations and increased cyber-security risks mean that modern businesses purchaser need to consider new obligations for their contracts.

Cyber-security and legal risks

In January 2020, Allianz published the results of their annual Risk Barometer survey[1], which identified cyber incidents as (for the first time ever) the most important global business risk. It affirms cyber-security issues increasingly taking precedent as a concern for businesses.

Under the header of this risk, Allianz reported the following trends which are of particular relevance to law firms:

    1. “Data breaches larger and more expensive” – “As companies collect and use ever greater volumes of personal data, data breaches are becoming larger and costlier….”;
    2. “Litigation prospects rising” – “Data breach litigation in the US is a developing situation. A number of large breaches have triggered class actions by consumers or investors…; and
    3. “M&A can bring cyber issues” – “Even the best protected companies will be exposed if they acquire a company with weak cyber-security or existing vulnerabilities.”

In light of this risk, Australian entities should consider introducing additional proactive procedures into their privacy governance, keep up to date with new data and privacy related litigation developing in the industry and consider additional auditing and protective measures when buying or selling a business.

 

New obligations and procedures

In Australia, the Privacy Act 1988 (Cth) sets out 13 Australian Privacy Principles. These principles require applicable entities to ensure that they are compliant with a number of obligations including (without limitation):

    1. To have an up-to-date policy about the management of personal information by the entity (Australian Privacy Principle 1);
    1. Disclosing how the entity will use and disclose the personal information it collects (Australian Privacy Principle 6);
    1. Imposing obligations in relation to cross-border disclosure of personal information by the entity (Australian Privacy Principle 8);
    1. Ensuring personal information collected is accurate, up-to-date and complete (Australian Privacy Principle 10); and
    1. Ensuring personal information is kept secure (Australian Privacy Principle 11).

2017 amendments to the Privacy Act 1988 (Cth) also introduced mandatory “eligible data breach” obligations. The amendments extend not only to unauthorised electronic data breaches, but may also apply to “physical” data breaches, such as losing an unencrypted USB containing confidential client information whilst taking public transport. If a notifiable data breach occurs, the entity may potentially be required to notify the Australian Privacy Commissioner, professional associations or persons who are affected by the data breach.

In the age of the international retail business, internet shopping and global charities, it is not only Australian legislation that has application to Australian entities. Potentially, the use and disclosure of data in, and transfer out of, the UK, EU and EEA areas by an Australian entity can be subject to the General Data Protection Regulation.

Accordingly, an Australian entity should consider:

    • What their obligations are in relation to the collection, use, disclosure and maintenance of personal and sensitive information;
    • Whether their privacy and cyber-security policies and procedures are up-to-date; and
    • Whether a regular technology and cyber-security audit, and technology road-map are needed. The audit should consider what cyber-security gaps there currently are in the entity’s I. T. environment (for example, gaps arising from with support for Windows 7 ending on 14 January 2020). The roadmap should consider what new hardware and software is needed to ensure is needed to protect confidential data.

 

New types of cyber-security litigation

Allianz’s report identifies that data breach litigation is continuing to develop globally. Potentially, that wave of litigation could find its way to Australian shores, noting that a recent Office of the Australian Information Commissioner’s Statistics Report[1]  attributes 35% of reported data breaches to be as a result of human error (including unintended disclosure or loss of a data storage device), being as high as 55% in the health sector.

Apart from data breaches, notably, litigation over privacy matters are occurring within Australia. Summaries of recent published Australian decisions that highlight changes ordinary businesses are needing to make to their business models and practices include:

‘QP’ and the Commonwealth Bank of Australia Limited (Privacy)[2] :

    • The Complainant had a credit card for his business with the Commonwealth Bank of Australia (“CBA”).
    • In 2013, CBA sold the debt to Credit Corp Group (“CCG”), and the Complainant entered into a payment plan entered in 2013 with the Commonwealth Bank.
    • In January 2015, the Complainant had been advised by CCG the debt had been paid and finalised.
    • However, in June 2015, CBA advised the Complainant that the debt was still outstanding. This affected the complainant’s credit applications.
    • The Commissioner determined that:
    • CBA interfered with the Complainant’s privacy by using and disclosing personal information about the complainant which was inaccurate, out-of-date and/or in complete in breach of Australian Privacy Principle 10.2;
    • CBA was required to issue a written apology acknowledging their interference with the complainant’s privacy, and pay the complainant $15,0000 for non-economic loss;
    • CBA undertake changes to its policies and operation procedures establishing reasonable steps to ensure that financial information about a person that CBA uses or disclosure is accurate, complete, up-to-date and relevant in accordance with its privacy obligations, and provide a copy of its amended policies and procedures to the privacy commissioner.
    • CBA is to engage an auditor to assess its practices and effectiveness of its amended policies and processes, and provide a report to the Commissioner.

‘RC’ and TICA Default Tenancy Control Pty Ltd (Privacy)[3]

    • TICA provides information services to a number of industries by providing access to various online databases to real estate industry members for a fee. This included maintaining a Public Record Database which collates publically available information such as daily court lists.
    • In February 2014, the complainant was a party to a proceeding in the New South Wales Civil and Administrative Tribunal.
    • This information was not altered after February 2014, notwithstanding that the evidence as that the proceedings were no longer on foot.
    • The complainant discovered that her personal information had been listed in TICA’s PRD when she sought private rental accommodation, and made a complaint in July 2014 that TICA had published her personal information on its PRD and disclosed this information to property agents. The complaint included that TICA did not take reasonable steps to ensure that the complainant had been made aware of the collection of the complainant’s personal information.
    • TICA contended that it did not have the contact details of the complainant nor was it in a position to locate these details from the face of the information on the PRD listing, and therefore was not in a position to take reasonable steps to bring to the complainant’s attention the fact of the listing of her personal information on the PRD.
    • The Commissioner decided that TICA had failed to take any reasonable steps to comply with its obligations to ensure the complainant was aware of the collection of information, and declared that:
      • TICA were to produce a notice on a tenant-accessible portion of its website that addresses various matters that will assist persons in identifying how TICA collects, uses and discloses information, and how those persons can contact TICA about their personal information; and
      • TICA were to issues an apology and pay $1,500 to the complainant for non-economic loss.

 

New considerations for when purchasing or selling a business

New obligations and increased cyber-security risks may mean that the modern business purchaser would need to consider new obligations to introduce into their contracts. These would of course vary depending on the nature of the business, but potential new considerations can include:

    • Conducting an audit of the business’ I.T. environment and security before the merge, and identifying what risks need to be addressed before (or after) completion;
    • Identifying what personal and sensitive information is being acquired through the business acquisition, and testing whether the information is (without limitation):
    • Kept securely;
    • Current and up-to-date; or
    • Otherwise compliant with obligations under the Privacy Act 1988 (Cth).

If you seek legal advice on cyber-security and legal risk, make an appointment with our client engagement team to speak with a litigation lawyer.

This article was written by James Tan (Director) & Judith Mendes (Graduate Law Clerk).

 

Footnotes

[1] Office of Australian Information Commissioner, Notifiable Data Breaches scheme 12-month insights report, https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-scheme-12month-insights-report/, published 12 May 2019.

[2] [2019] AICmr48.

[3] [2019] AICmr 60

[1] Allianz Global Corporate & Specialty, Allianz Risk Barometer 2020, https://www.agcs.allianz.com/news-and-insights/reports/allianz-risk-barometer.html, January 2020.