Cyber Security
Cyber professionals and personal liability How to avoid being the scapegoat when things go wrong
A By Jen Tan
s security professionals, we focus on minimising risk and liability flowing from a security incident. And rightly so – after all, that is our job. However, in a crisis, it is human nature to find someone else to blame since we work based on “when, not if” a cyber incident occurs, it is only a matter of time before the focus will shift to you. Have you stopped to consider your liability and risk? You will find that most of us fall into one of the following categories: 1. C-Suite security executives – such as CISO, CIO, CSO and CTO; 2. Internal security staff – such as managers, advisors, architects, consultants, and specialists; 3. External security providers.
C-Suite Security Executives and Senior Managers This role is one of the positions that is most held
46 | Australian Cyber Security Magazine
accountable when a security incident occurs. In the US, security breaches often drag executives into litigation, and it won’t be long before we see this trend in Australia. If you are a senior manager, and your title does not include the word “chief” and “officer”, you could still be treated as an “officer” depending on your level of involvement and control, and be made personally liable. Your high level of responsibility increases the potential exposure and risk to your reputation, brand, remuneration, job security, and most importantly, personal liability. Sure, the Privacy Act, which introduced the notifiable data breach regime last year, imposes significant fines on companies only if they fail to comply with those requirements. However, recently, regulators have successfully used a “stepping stone” approach to allocate personal liability by first bringing an action against the company for an alleged contravention, then pursuing an individual for personal liability for breach of duties, which resulted in the company not complying with their legal obligations.
