A data breach occurs when information your business holds is compromised – lost, stolen or sent to the wrong person. Data breaches affect small businesses every day.
The individuals whose personal information is affected may be harmed, and the business which suffers the breach might lose customers, money and trust and see its reputation damaged. A lot of management time can be spent responding to a data breach, particularly if you have to notify the Privacy Commissioner and the affected individuals about it.
But what about getting sued for the data breach? Can a business be held legally liable for loss arising from a data breach? What about the directors and officers of the company, can they be held personally liable?
In this article weʼll talk about whether businesses and their directors and officers can be sued after a data breach. We will only consider the position for private companies (those not listed on a stock exchange) and sole traders – individuals who run a business and might have a registered business name. We also wonʼt consider industry-specific rules like those promulgated for the financial services sector by the Australian Prudential Regulation Authority.
Liability under federal and state laws
At the moment, there is no act of parliament which specifically gives individuals whose personal information is compromised by a data breach the right to sue for loss they suffer.
However, directors and officers of companies (directors) must exercise their powers and discharge their duties with reasonable care and diligence. When they make a business judgment, they will be taken to have met that duty only if (amongst other things) they:
- make the judgment in good faith for a proper purpose;
- inform themselves about the subject matter of the judgment to the extent they reasonably believe to be appropriate; and
- rationally believe that the judgment is in the best interests of the corporation.
The Corporations Act provides that a director who fails to do this may be held personally liable. Risk management is a key part of a directorʼs job. There has been a lot of publicity about data breaches and the importance of cyber security, and ASIC has spent quite a lot of time talking and writing about these issues.
Because of this, we think all directors must inform themselves about cyber security risks, data breaches and privacy incidents, and take steps to limit them.
Doing nothing is not an option
Because of the business judgment rule, itʼs clear that directors of different organisations do not have to act the same way. So, the directors of a company which runs a suburban gym will not be expected to take the same kind of precautions against a data breach as those of a telecommunications company.
But what both sets of directors must do is inform themselves about the risk of data breaches, their likely impact, how they might be prevented and how to respond. Of course, depending on the circumstances, directors should take reasonable steps to reduce the risk that data breaches will occur.
The real dangers for directors arise if they donʼt even bother to inform themselves about the risks or, worse, if they do inform themselves but do nothing to mitigate them. Doing nothing is not an option.
You can never prevent a lawsuit starting, but you can reduce its chances of success
A person who suffers loss because of a data breach at your company might try to sue your company for negligence or for breach of contract.
Whether a breach of contract claim will succeed largely depends on the contract. Check your customer and supply contracts to make sure they limit or exclude liability for data breach or cap the amount of damages recoverable.
For negligence claims, you can limit the likelihood they will succeed by taking reasonable steps to prevent a data breach occurring. If you, as a director or sole trader, have informed yourself about the risks, obtained IT security advice, have appropriate security software in place, trained your employees and have a reasonable data breach response plan which you have acted on, itʼs hard to see how a claim for negligence would succeed.
However, if you do nothing, you are exposing your business to liability.
- Do something.
- Inform yourself about cyber security and data breaches. Take advice from security professionals.
- Take reasonable steps (depending on your circumstances) to reduce the risk of a data breach – enhance your security, manage the information you hold and train your staff.
- If you exercise your business judgment and take action proportionate to the risks you face, it is very unlikely that:
  - you will be held personally liable for a data breach; or
  - your company will be liable in negligence for loss suffered by affected individuals.
About the Author
Ted Ringrose is a Partner of Ringrose Siganto, a law firm specialising in privacy law. Ted read history and law at the University of Queensland and has a Master of Public Affairs from the University of Sydney. He specialises in privacy law and telecommunications law.
— Note: This does not constitute legal advice and is for general information only.