Privacy and Cyber Security at the Forefront of Corporate Responsibility

The decision in Australian Securities and Investments Commission (ASIC) v RI Advice Group Pty Ltd [2022] FAC 496 (handed down on 5 May 2022) highlights the potential need for the financial services sector (and on a wider scale, corporate Australia), to do more, continually and consistently, to reduce cyber risk and strengthen their IT security infrastructure.

In what can be perceived as a watershed moment, this decision was the first of its kind to put financial services, and more broadly, the corporate sector, on notice with regards to cyber security with the clear inference that a lack of understanding and management with regards to cyber security and resilience will no longer be considered acceptable by ASIC.

This case provides important guidance on the measures that directors and Australian Financial Services Licence (AFSL) holders must undertake in order to comply with their duties under ss 961L and 912A of the Corporations Act 2001 (Act). It also proves relevant to any professional service business that collects personal and sensitive information and has a fiduciary obligation to maintain confidentiality of that information.

Discussing this case with us here at Antcliffe:Scott, is Annelies Moens, Managing Director of Privcore Pty Ltd.

Privcore specialises in privacy risk management, including conducting privacy impact assessments, privacy health checks, prevention and recovery from data breaches and privacy regulator stakeholder engagement. Privcore’s team has 40 years’ combined experience to help business and government deliver services with the trust and confidence of customers and citizens.

Together we will look at what this case means for businesses across Australia. We will discuss the implications for corporations under the Corporations Act, and then Annelies will explore what entities (both AFSL and others) can learn from the Australian Privacy Principles, which regulate the management and security of personal information under the Privacy Act.

The Case

Between 2014-2020, a number of authorised representatives of RI Advice Group Pty Ltd (RI Advice) were subject to nine cyber security breaches. During several of these attacks cyber criminals obtained access to sensitive and confidential client information.

ASIC claimed that by failing to promptly implement recommended advice, plans, procedures, guidelines, frameworks and systems to manage cyber security risk, and to manage the effectiveness of cyber security controls, RI Advice contravened sections 912A(1)(a), (b), (c), (d) and (h) of the Act relevant to AFSL holders.

The Federal Court found that:

“RI Advice contravened ss 912A(1)(a) and (h) of the Corporations Act from 15 May 2018 to 5 August 2021 as a result of its failure to have documentation and controls in respect of cyber security and cyber resilience in place that were adequate to manage risk in respect of cyber security and cyber resilience across its AR network, and as a result of this conduct, it:

(a) failed to do all things necessary to ensure the financial services covered by the Licence were provided efficiently and fairly, in contravention of s 912A(1)(a) of the Corporations Act; and

(b) failed to have adequate risk management systems, in contravention of s 912A(1)(h) of the Corporations Act.”

What are the implications of this case for corporations?

“As the holder of an AFSL, RI Advice is required to comply with the general obligations of a financial services licensee set out in s 912A of the Act. This includes the requirements:

(a)…pursuant to s 912A(1)(a), to do all things necessary to ensure that the financial services covered by the Licence are provided efficiently, honestly and fairly; and

(b)…pursuant to s 912A(1)(h), to have adequate risk management systems.”

Pursuant to s912A, a holder of an AFSL or a director of a financial services provider has responsibilities to ensure the implementation of effective cyber security systems. Such systems should be a part of standard risk and compliance procedures and, if relevant, reporting to the Board.

All directors today should have an understanding and ongoing awareness of their company’s privacy and cyber resilience and cyber security standards and protections. This may include ensuring that appropriate experts are retained to assist the company to design and implement adequate controls. All directors must ensure that the company implements the controls, measures and procedures necessary to ensure systems have adequate security measures in place commensurate with the level of risk.

AFSL holders have responsibility for the cyber security and cyber resilience of their authorised representatives (ARs)

AFSL holders must also ensure that, if there is more than one authorised representative (AR) under the licence, that they are equipped to monitor and manage risk across all the authorised representatives (within the meaning of s 761A of the Corporations Act).

When considering the obligation of an AFSL holder to do all things necessary to ensure that the financial services covered by the licence are provided ‘efficiently, honestly and fairly’ (section 912A(1)(a)), the AFSL holder is required to identify the risks that the ARs face in the course of providing financial services pursuant to the licence. Identification of risks must be documented and the risk management systems in place to manage the documented risks.

Tools to specifically identify privacy and security risks include the conduct of privacy impact assessments (PIA). A PIA is a risk assessment of new or existing processes, technology, laws or regulations, systems or programs involving personal information. It is designed to identify the privacy risks of handling personal information and then identify ways to mitigate, prevent or eliminate those risks.

The question inevitably arises, in an age where technology moves quickly, and digital bandits are dedicated to staying ahead of the game to overcome cyber security measurements implemented by business, what is cyber security best practice and what is expected of a reasonable cyber security risk management and resilience system?

The courts have considered the relevant test is what the reasonable person qualified in the area of cyber security and cyber resilience would expect, not the expectations of the general public. On this basis, it is necessary for business to engage with persons qualified in privacy and cyber security and to maintain ongoing systems reviews in order to maintain cyber resilience.

What can entities learn from the Australian Privacy Principles?

The Australian Privacy Act (Privacy Act) regulates private sector businesses with an annual turnover greater than $3 million, private health service providers regardless of annual turnover, credit reporting bodies, residential tenancy database operators, organisations handling Tax File Numbers (TFNs) (in relation to TFNs), the Federal and ACT government agencies and their contractors and offshore entities fitting one of the above criteria that have a link with Australia. As such, this would include AFSL holders that have an annual turnover greater than $3 million.

Not dissimilar to s912A(1)(h) of the Corporations Act which requires adequate risk management systems, Australian Privacy Principle (APP) 1 requires regulated entities to “take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions or activities that will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity…”

APP 11.1 also requires regulated entities holding personal information to “take steps as are reasonable in the circumstances to protect the information:

(a) from misuse, interference and loss; and

(b) from unauthorised access, modification or disclosure

In this case, RI Advice possessed personal information including names, addresses, birth dates, health data, contact details and copies of official ID documents such as licences, passports and more.

Whilst it is not known whether the Office of the Australian Information Commissioner (OAIC) also investigated or is investigating RI Advice in relation to the events outlined above, as most investigations are settled in private, it is clear from this case that adequate risk management systems under the Corporations Act, include those designed to protect personal information.

As the privacy regulator, the OAIC has a significant amount of guidance on what are appropriate steps to take under APPs 1 and 11. This includes:

• Data minimisation and deleting or de-identifying personal information that is no longer required (for example, old customer personal information)
• Ensuring multi-factor authentication
• Procedures for identifying and responding to privacy breaches, handling access and correction requests and receiving and responding to complaints and inquiries
• A program of proactive review and audit of the adequacy and currency of the privacy policy, practices, procedures and systems implemented

The Australian Cyber Security Centre has also published the Essential Eight mitigation strategies to mitigate cyber security incidents.

It is likely that further strengthened accountability and security requirements will be incorporated under the Privacy Act as part of the reform process the Attorney-General’s Department is currently undertaking. A recent summary of that reform can be accessed from the Australian Institute of Company Directors’ website.

Whilst cyber security has been a growing concern for corporations, this case reflects just how truly critical the management of cyber security will be moving forward. Businesses, both large and small, must ensure effective and appropriate privacy and security risk management processes are in place, to not only protect their customers (and business), but to also avoid any potential future regulatory action due to non-compliance.

Alyssa Antcliffe & Neil Scott. Antcliffe: Scott. e: info@antcliffescott.com
Annelies Moens. Privcore Pty Ltd. e: operations@privcore.com