18 February 2020
Published by Madison Tonkes
With directors’ duties under the spotlight in the post-Hayne era, combined with changing laws to deal with a data-driven economy and regulators focused on enforcement, now is the time for assessing data risk and mitigation. Data is often described as the ‘new oil’ because of its value but the analogy extends to its vulnerability. Managing valuable and vulnerable data assets, therefore, not only makes good business sense but is also an aspect of corporate governance and a non-delegable concern for all directors. In this article, we offer strategies for managing data value and risk to help boards meet their duties.
What is a Data Governance Framework and why does your business need one?
A Data Governance Framework (DGF) is one way of dealing with data risk and, in our view, encompasses a holistic approach to how your business collects, manages and archives data.
There are many reasons for establishing and maintaining an effective DGF including:
Moreover, putting a DGF in place for any business handling or dealing with data will help ensure this valuable asset is properly maintained, protected and maximised.
If your business deals with a large volume of data or handles sensitive data, it is timely to assess any gaps in your data protocols now with a view to building resilient practices for the increasingly data-driven future that can adapt to changing data-based regulations, for example, data portability requirements (as required by the Consumer Data Right in certain sectors in Australia).
What are the key risks a Data Governance Framework combats?
Failing to adopt a proactive approach to data governance could expose your business to the following risks:
1. Cyber security and data breaches – a huge financial and reputational cost
In today’s business landscape, the risk of a compromise in data security is significant. The Australian Cyber Security Centre (ACSC) has reported that, of 113 private and public sector organisations surveyed, 90 per cent were the subject of an attempted cyber attack in the 2015–2016 financial year, and 52 per cent were attacked daily – some hundreds of times in a day. Over half (58 per cent) experienced at least one attack that was successful in compromising data or systems.
Another study by the Ponemon Institute on the causes of recent cyber and data security breaches found that the average total cost for corporations that suffer a data breach was $3.72 million and the average total cost for each compromised record was about $150 million.
With these severe financial and even greater reputational losses at stake, it is critical that businesses maintain a proactive approach to protecting their data.
Understanding the extent of risk exposure and the means to mitigate those risks for any particular corporation requires a careful review of the nature of the data held and accessed by that corporation, the obligations relating to that data under any contract to which they are subject, as well as statutory obligations under the Corporations Act, the Privacy Act and any other relevant regulations (depending on the nature of the data and the business).
2. Breach of directors’ duties
A data breach resulting in the loss of employees’ or clients’ personal and/or financial information, or commercially sensitive or confidential information, could give rise to claims against the board, the corporation and any associated individuals, as well as further regulatory action.
Australian corporate regulators are calling for greater board responsibility for data management and ‘cyber resilience’ practices. The Australian Securities and Investments Commission (ASIC) and the Australian Securities Exchange (ASX) recommend that data governance should feature as a regular agenda item in the boardroom. As corporate reliance on digital technologies increases, regulators say it is no longer sufficient for directors to delegate management of data to IT departments. ASIC has noted that “cyber risk is a fundamental part of a company's broader risk framework; it is not appropriate to delegate consideration of this risk solely to the IT department or to rely on one member of the board with information security expertise”.
While this area of law has yet to be considered by the courts, commentators suggest that there may be lessons to be drawn from the case of ASIC v Healey, where the court held that directors are expected to take a diligent and intelligent interest in the information available to them, to understand that information and apply an enquiring mind to the responsibilities placed upon them.
Alarmingly, the 2017 ASX 100 health check survey revealed that only 7 per cent of directors surveyed said they clearly understood the cyber security environment in which their corporations operated and 63 per cent said their understanding of the biggest data exposures facing their corporations was limited or non-existent.
The Corporations Act provides that directors are under continuing obligations to keep informed about the activities of the corporation, so it is essential they gain an awareness of the data they collect, utilise and hold.
In the current climate, as businesses are becoming increasingly involved in data handling and management, directors must become familiar with the fundamentals of data governance.
Further, the effects of a data breach can be so damaging for a corporation that it causes the firm to fall afoul of any number of client contracts, employee contracts, and regulatory, legislative and reporting requirements. There is also strong support for the argument that data governance falls within a director’s duty to act with care, skill and diligence in the corporation’s best interests.
3. Breach of confidentiality obligations and privacy laws
Depending on the nature of the data held and accessed, corporations may have privacy and confidentiality obligations arising from various commercial and industrial contracts, as well as from industry specific regulatory instruments and privacy legislation.
Additionally, the growing concern around ‘hacking’ and the vulnerability of personal information has led to the introduction of data reporting requirements.
Businesses with a turnover of greater than $3 million are subject to new obligations relating to cyber breaches as a result of the 2017 amendment to the Privacy Act 1988 (Cth): The Privacy Amendment (Notifiable Data Breaches) Act (Amendment). The Amendment requires businesses covered to notify any individuals affected by a data breach that is likely to result in serious harm.
Corporations that fail to comply with the reporting regime can face significant civil penalties. It is also worth noting that penalties for serious or repeated privacy breaches are set to rise to the greater of $10 million, three times the value of any benefit obtained through the misuse of information or 10 per cent of a company’s annual domestic turnover. Directors’ conduct could be scrutinised as a result and they may be deemed to have failed to discharge their duty of care and diligence by failing to take steps to avoid the breach and also by failing to ensure reporting.
Both ASIC and the Office of the Australian Information Commissioner have emphasised the need to make cyber security an ongoing topic of discussion for the boardroom agenda and that risk mitigation in this area must be an ongoing, central concern for the board in order to minimise risk of data breach and associated liabilities.
Importantly, DGFs cannot be formulated into a ‘one-size-fits all’ blueprint. Rather, they must be tailored to the particular organisation depending on existing frameworks, structure of the organisation, the type of data in question, how that data is used, and any applicable laws.
With this in mind, it is incumbent upon Australian businesses, boards and directors to be proactive and take the necessary steps to both manage and harness their data. To do this adequately, a robust DGF that meets the requirements of their business, laws and industry, seems worthy of serious consideration.
Authors: Madison Tonkes