You would have seen the recent media attention about Optus becoming victim to cyberattacks over the past few weeks. As a result of these breaches, millions of customers have had their personal information compromised, including unauthorised access of their date of births, addresses, passport and driver’s licence numbers.

Optus has since contracted Deloitte to conduct an external review of the attacks and the sufficiency of Optus’ cybersecurity measures. It is not yet known whether ASIC will take action against Optus and relevant company directors.

Can company directors be criminally liable for cybersecurity attacks?

In 2015, ASIC confirmed that prevention and risk management of cyber-attacks falls within a company directors’ duties. But what are these duties, and what are some of the potential consequences of failing to perform them?

Under the Corporations Act 2001 (Cth), company directors are required to exercise their duties with care, diligence and in good faith. If a company director fails to do this, they may be held criminally liable.

Section 184(1) of the Act makes it a criminal offence for a director to:

1. be reckless; or
2. intentionally dishonest

and fail to exercise their powers and discharge their duties:

• in good faith in the best interests of the corporation; or
• for a proper purpose.

The maximum penalty for this offence is serious and carries a fine of up to $200,000 and/or 5 years imprisonment.

As has been uncovered recently, cybersecurity breaches are serious and can have significant impacts on individuals’ privacy. Section 184 of the Act prevents director’s from being willfully ignorant about the cybersecurity safeguards and protections in their organisation.  

For more information about potential penalties, visit our sentencing options page.

CASE STUDY – ASIC v RI Advice Group Pty Ltd [2022]:

ASIC has indicated its willingness to prosecute companies and company directors that fail to implement sufficient cyber security measures. In ASIC v RI Advice Group Pty Ltd [2022] FCA 496, ASIC alleged that RI Advice Group failed to implement adequate policies, systems, and resources which were reasonably appropriate to manage risk in respect of cyber security and cyber resilience. While the action did not directly involve directors, it followed statements in 2015 in which ASIC confirmed that cyber security fell within company directors’ duties.

In RI Advice Group, Rolfe J held that directors must “materially reduce cyber security risks through adequate cyber security documentation and controls to an acceptable level”.

Ultimately, the Federal Court ordered that RI Advice:

1. Pay $750,000 towards ASIC’s costs of the proceeding;
2. Engage an independent cybersecurity expert to manage the cybersecurity risks; and
3. Provide a written report to ASIC identifying additional cybersecurity measures that the company would be implementing and a proposed timeframe for this.

Streeton Lawyers has extensive experience in white collar crime, including matters involving breaches of directors duties. If you are being investigated or have been charged, call (02) 9025 9888 for a free consultation to discuss your options.

Image by laddlajutt1722