itSMF Bulletin July 2018 | Page 17


By Sue Ellson

behaviours of the donors as well as other personal information. The Red Cross became aware of the data breach after an individual discovered the vulnerability and contacted a cybersecurity expert, Troy Hunt, who then informed the Australian Cyber Emergency Response Team (AusCERT), which notified the blood service on 25 October 2016.

How has cybersecurity affected the laws on directors’ duties?

Red Cross is an example of where directors may be held liable under these newly expanded duties depending on how they respond to cybersecurity events such as a data breach. The directors’ duties most relevant in this case are:

* the duty to exercise their powers with due care and diligence; and

* the duty to exercise their powers in good faith in the best interest of the corporation/organisation.

Courts have taken a broad approach in interpreting these duties to include many aspects of cybersecurity. The Australian Institute of Company Directors has also published A Director’s Guide to Governing Information Technology and Cybersecurity. The guide emphasises that in exercising these duties organisations should, where possible, acquire expertise in IT and have policies in place to deal with breaches and cybersecurity.

By Vera Visevic & Brian Lee