Without doubt, the use of the Internet for transacting and delivering services provides economic benefits for business and individuals. The value of Australia’s internet-based economy doubled from $50 billion in 2011 to $100 billion in 2017 and is estimated to reach $140 billion in just another 3 years.
The following is an overview of the risks to business, the potential costs and exposure to risk of legal liability of cyber breaches and malicious attack, highlighting the need for awareness and implementation of a Response Plan to address vulnerabilities.
Cyber Attacks in Australia
Businesses own and operate most of the infrastructure in cyberspace. However the risks of malicious cyber activity poses a real threat to business. Unauthorised access to data, Modification and Impairment of information, Online Financial and property crimes, Online Fraud and Forgery, Identity Theft, Card Skimming, and Copyright crimes are only some of the threats, which may confront you and your business before you know it.
PricewaterhouseCoopers’s 2016 Economic Crime Survey found that Australian respondents have experienced cybercrime at much higher levels compared with the global rate. Cybercrime attacks are costing Australian businesses over $1 billion a year, according to the Australian Cyber Security Centre (ACSC).
On 20th April 2017 the Australian Securities Exchange (ASX) released their ASX 100 Cyber Health Check Report (Report), which reveals that most big Australian companies are taking the reality of cyber risks very seriously. 75% of Boards have engaged external parties to perform regular vulnerability or penetration assessments.
The Report further identifies that a serious skills shortage is already hindering the growth of the Australian Cyber Security industry, leading to the conclusion that Australia will likely struggle to grow its cyber security ecosystem at the rate required to combat the threat of hackers and other types of cyber criminals.
Business Requirements to Respond to the Threats
According to the Report, 62% of directors say that the level of attempted malicious cyber activity against their company has increased over the past year and 80% expect a further increase in cyber risk over the next year.
Yet despite the increasing risks, a large percentage of Australian companies have not yet developed processes for detecting, containing and managing data breaches. Many large companies have not developed a data breach response plan. 25% of the ASX Top 100 listed companies admit they have not yet considered how they will notify customers of a data breach when the Notifiable Data Breaches (NDB) scheme commences in early 2018. 30% haven’t evaluated the cyber resilience of suppliers, customers and other key external parties that connect to them.
An important step forward in dealing with the control of data breaches in Australia includes the NDP, which will regulate how companies will deal with data breaches. The legislative provisions provide powers upon the Privacy Commissioner to investigate, make determinations and provide remedies for non-compliance with the Privacy Act 1998 (Cth). The Privacy Commissioner can instigate a range of consequences from public apologies, compensation payments and fines for serious breaches or repeat offenders. Civil penalties are currently $360,000 for individuals and $1.8 million for corporations.
Consequences for Businesses Large and Small
However cyber criminals who steal data or disrupt commerce don’t only target large corporations. Any business that keeps sensitive data on clients, employees, patients, students, partners, customers or other third parties may be liable for damages if their financial information, product or strategic proprietary information, customer records or business transaction histories are stolen and used to either directly steal funds from the business or its customers, or if such information is sold to other criminals.
For any business, customer information theft can paralyse operations or even result in a company being forced out of business. A breach in which credit card or other financial information is stolen can potentially have serious consequences. Cyber theft may seriously damage a firm’s reputation and compromise the integrity of its electronic commerce, resulting in unrecoverable losses.
The Threat of Legal Liability
Protection of data is no longer an IT responsibility – it is the responsibility of the CEO and CFO. A company’s directors or principal of a business may be liable for not ensuring that the information they keep is safe.
Businesses can face legal claims if they fail to deliver secure services. There is a real threat of legal liability flowing from a cyber attack, whether it be to individuals, consumers, patients or other companies. To allow insecure systems to remain in place for any substantial length of time could arguably raise a potential claim in the tort of negligence.
In May 2017 the infamous ransomware attack of the WannaCry worm affected computers around the world. The worm affected outdated versions of Windows that are no longer supported with protection software.
The WannaCry hacking tool shut down more than 200,000 Windows users, disrupting numerous car factories, FedEx and Britain’s National Health Service, by encrypting data and then demanding a ransom to unlock them. It was argued that users of outdated computer systems may be knowingly negligent to allow outdated systems remain in place.
Cyber Security Lawsuits
In recent years the USA has seen a wave of computer security lawsuits due to companies’ lax computer security. Software providers have also been liable for not implementing sufficient security in their products. It is likely that Australia will follow the trend of the US in respect of cybercrime liability lawsuits.
In 2014 LinkedIn settled for $US1.25 million after a data breach suit in which it was alleged that individuals paid for premium accounts because the company falsely stated it had top-quality cyber security measures.
In the CardSystems Solutions class litigation, the defendants were charged with negligent data security practices that allowed cybercriminals to compromise customers’ credit card accounts. The negligence enabled unauthorized access to forty million credit cards and transferred data from 200,000 cards from CardSystems’s computer network.
In the recent Horizons Breach case, violations of US federal privacy law were considered de facto injuries, providing plaintiffs with standing to litigate in negligence regardless of whether they suffer an economic loss. The appellate decision in Re: Horizon Healthcare Services Inc. Data Breach Litigation potentially broadens the conditions under which a plaintiff can file suit against a company for loss of digital personal information.
Australian organisations and businesses have obligations under the Privacy Act 1988 (Cth) to put in place reasonable security safeguards and to take reasonable steps to protect the personal information that they hold from misuse, interference and loss, and safeguard it from unauthorised access, modification or disclosure. All users of the Internet need to be aware of the numerous dangers associated with online commercial activity.
Pavuk Legal can provide you with legal advice in respect of Cyber Security, Cybercrime law, Data Protection and Cyber related legal and commercial issues.
Many other essential hot topics for business owners is all found in the book Nobody Else’s Business. Nobody Else’s Business is about helping business owners live the life they want to live, now and in the future. It is the ultimate guidebook for succession planning of modern Australian businesses.
To purchase your own copy of Nobody Else’s Business please follow the link http://www.nobodyelsesbusiness.com.au/
For the full range of Legal Services that Pavuk Legal offers please go to: www.pavuklegal.com/services/