When not-for-profit organisations hear about cybersecurity issues and big data breaches in large international companies such as Facebook and Target, they often make the mistake of assuming that issues surrounding cybersecurity will not apply to them. The reality is that not-for-profits are very popular targets for cybersecurity attacks. This is because they often hold a ‘goldmine’ of sensitive information, while also being less equipped to protect themselves from these threats.
Whilst courts will take into account the fact that not-for-profits might not have the resources that larger for-profit companies have to spend on cybersecurity, directors and other governing body members of not-for-profits are not absolved of liability. In fact, directors’ duties have broadened to include responsibility over managing these new risks and to include having policies in place that deal with cybersecurity. This article will address how to deal with these extended duties in relation to cybersecurity. These duties apply to all not-for-profits regardless of structure but, for ease of reading, in this article we refer to duties of company directors.
Australian Red Cross Blood Service Data Breach
On 5 September 2016, a database file containing information relating to approximately 550,000 prospective blood donors was inadvertently saved to a publicly accessible portion of a web server managed by a third-party provider. Some of the information was particularly sensitive, as it related to the sexual behaviours of the donors, alongside other personal information. The Red Cross became aware of the data breach after an individual discovered the vulnerability and contacted a cybersecurity expert, Troy Hunt, who subsequently informed the Australian Cyber Emergency Response Team (AusCERT), which notified the blood service on 25 October 2016.
How has cybersecurity affected the laws on directors’ duties?
Red Cross is an example of where directors may be held liable under these newly expanded duties depending on how they respond to cybersecurity events such as a data breach. The directors’ duties most relevant in this case are:
- the duty to exercise their powers with due care and diligence; and
- the duty to exercise their powers in good faith in the best interest of the corporation/organisation.
Courts have taken a broad approach in interpreting these duties to include many aspects of cybersecurity. The Australian Institute of Company Directors has also published A Director’s Guide to Governing Information Technology and Cybersecurity. The guide emphasises that in exercising these duties organisations should, where possible, acquire expertise in IT and have policies in place to deal with breaches and cybersecurity.
Understandably, the resources to acquire expertise, or have sophisticated data security systems, will vary between organisations. To comply with their duties, directors should ensure that the organisation’s response is commensurate to the risk. It may be that an organisation that faces a low risk of a cybersecurity attack may adequately comply with its directors’ duties by including cybersecurity on the board agenda and having a cybersecurity policy in place.
Ways in which not-for-profits might comply with directors’ duties
Cybersecurity governance frameworks
The Office of the Australian Information Commissioner (OAIC) recommends that organisations have some form of data breach response plan. In a cybersecurity incident, such as a cyber-attack or theft of data, if the board can demonstrate that it was aware of the cybersecurity risk and used a framework to mitigate that risk, it is less likely to be found to have breached its duties. A good example to look to is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which sets out best practices for how organisations might manage their cybersecurity risks.
The framework splits cybersecurity management into five core functions: Identify, Protect, Detect, Respond and Recover. In summary, they involve:
- Identify: developing an understanding of the overall cyber-risk context, including asset management, the business environment and a risk management strategy;
- Protect: deploying safeguards such as access control;
- Detect: enabling timely discovery of breaches and anomalies;
- Respond: implementing plans to contain the damage and improve; and
- Recover: restoring capabilities so that the organisation can resume operation.
It can be useful to compare the organisation’s current practices with the best practices highlighted by frameworks such as NIST, so that directors can effectively deal with cybersecurity risks and comply with this duty.
Acquiring and structuring expertise
How directors go about acquiring IT expertise, so that the board has appropriate advice to exercise its governance duties, will vary depending on the organisation. Where a cybersecurity risk is identified, directors would be wise to consider adding IT expertise to the board, whether by appointing a board member with expertise in IT or by forming an IT board committee. Alternatively, the board may retain an external IT expert to provide it with advice. The choice among these options should reflect how the risk is structured through the organisation, as well as the organisation’s size, scope and strategic reliance on IT. Courts will, however, understand that for not-for-profits it may not always be possible to acquire such expertise due to limited resources.
Response by Australian Red Cross Blood Service
Following the breach at the Australian Red Cross Blood Service, there was an OAIC investigation. The OAIC commended the blood service’s quick response and handling of the breach. The OAIC stated that overall the blood service acted appropriately and in a timely manner to rectify the data breach, and that its response provided a model of good practice for organisations.
So what happened?
The Blood Service became aware of the incident on 26 October 2016 and took the following steps to respond:
- Continued to engage with the Incident Management Service of AusCERT by telephone and in person to assist its response to the incident.
- Confirmed (via AusCERT) that the copies of the data file held by the unknown individual and by Mr Hunt had been deleted.
- Engaged IDcare, an identity and cyber support service, to undertake an independent risk assessment of the personal information compromised. IDcare assessed the personal information as being of low risk of future direct misuse.
- Notified the public and affected individuals on 28 October 2016 that a data breach had occurred, by issuing press releases on websites and social media and by notifying affected individuals by text and email.
- Engaged specialist organisations to conduct forensic analysis on the exposed third-party server, monitor the Donate Blood website for any vulnerabilities or unusual activity and to monitor the dark web for any indication that the data was available or was being traded.
Following the incident, the Red Cross enhanced its information handling practices and provided an enforceable undertaking to engage an independent reviewer to review its third-party management policy and standard operating procedure.
Not-for-profits, like any other organisation that handles information, should consider the risks associated with cybersecurity. Depending on the organisation’s size and resources, and on the risk itself, the appropriate response will vary. The expansion of directors’ duties to include cybersecurity means that not-for-profits should look to model responses, such as the Red Cross’s, and to frameworks, such as NIST, when creating policies or structures that might protect them from liability should there be a cyberattack. Not-for-profit organisations that are unsure about the risks associated with cybersecurity should seek legal advice.