Digital piracy and the potential for new directors’ duties
The impacts of COVID-19 have sped up Australia’s transition to a digital economy and accelerated virtual means of conducting business. As such, the Australian Government has raised concerns regarding the lack of investment in cyber security, as well as a gap in cyber security knowledge held by suppliers and consumers. In response to these concerns, the Government has released a consultation paper which provides options for strengthening cyber security regulations and incentives.
The consultation paper identifies three key aims:
setting clear expectations for managing cyber security risks;
increasing transparency for businesses and households; and
protecting consumer rights and providing clear legal remedies.
Part 1 - Setting clear cyber security expectations
In response to large businesses managing cyber security risks poorly, the Government is proposing to set clear expectations to ensure large businesses actively monitor their cyber risk environment.
The Government hopes to do this by introducing either voluntary, Government co-designed, or mandatory governance standards. Importantly, however, it is likely that the heightened standards will place a greater onus on the directors of such businesses.
Alongside the new governance standards, the Government is looking to implement a cyber security code, which would potentially incorporate a cyber security standard into the Privacy Act 1988 (Cth) (Privacy Act).
The Government has also suggested the adoption of a “baseline standard for smart devices” as seen in the European Telecommunications Standards Institute. This would require manufacturers of smart devices to adhere to and implement the baseline cyber security requirements for mobiles and other smart devices.
Part 2 - Increasing transparency
To mitigate the cyber security knowledge gap between suppliers and consumers, the Government is proposing to introduce consumer-friendly visuals, including labels or trust marks. These labels and trust marks will be implemented to assist consumers, as well as businesses, in their decision making and allow them to be more informed about products that may be susceptible to cyber security issues.
The Government is proposing to follow the likes of the United Kingdom, Finland and Singapore in implementing voluntary labelling, which is likened to the current 6-star rating on Australian appliances. The Government is also considering a mandatory expiry label, which would display the length of time security updates will be provided for that specific device.
To further increase transparency, the Government is considering certain responsible disclosure policies, which include obligations on companies to report any cyber security risks or vulnerabilities to agreed software developers and businesses or third parties.
With respect to small businesses, the Government proposes implementing a cyber security health check program. This would result in businesses completing a self-assessment of their own compliance against a Government-issued standard. If the small business completes the check to a satisfactory standard, it will receive a 12-month cyber-health “trust mark”.
Part 3 - Protecting consumers
The Government has noted concern around consumers being able to obtain appropriate compensation in circumstances where a business fails to meet its obligations and expectations in relation to cyber-attacks and having appropriate security measures in place.
To ensure appropriate compensation is available, the Government is contemplating potential reform to the Australian Consumer Law (as set out in Schedule 2 of the Competition and Consumer Act 2010) and the Privacy Act. In this regard, the Government has indicated that the potential reforms could result in a broader application of a director's duty to act in the best interests of the company and for a proper purpose, to include cyber security.
Key takeaways
The above proposals are likely to significantly impact businesses and their approach to governance - resulting in more onerous standards and obligations in relation to cyber security and the handling of personal information.
The deadline to file submissions in response to the consultation paper was 27 August 2021. We will be following the outcome closely.
For more information please contact:
Paul Gray
Principal
T: 03 5225 5231
M: 0414 195 886
E: pgray@ha.legal
Hugo Le Clerc
Lawyer
T: 03 5225 5213
E: hleclerc@ha.legal
Ryan Popovski
Graduate Lawyer
T: 03 5226 8572
E: rpopovski@ha.legal