In 2018, it is staggering that many businesses still do not encrypt their data, especially when the data is travelling across public networks. Large data breaches are becoming the norm around the world. At least once a week we hear of a significant data breach, whether that be a breach of consumer data, such as the Apple iCloud breach in 2014; national security secrets, such as an Australian defence supplier’s loss in November 2016 of the F35 Joint Strike Fighter and other defence aircraft project information; or stolen business intellectual property, such as the leaking of Game of Thrones episodes from HBO just last year. The fact is that far too little data is encrypted, at a time when data breaches are on the rise!
This notification of a consumer data breach puts the company, its executives and its directors on notice – not just under the Australian Privacy Act, but under corporations law and civil litigation. Unencrypted data is now just a lawsuit and prosecution waiting to happen, as consumers and businesses whose data has been accessed are looking to the courts to seek financial compensation for organisations’ negligent behaviour. In the USA, class actions are being prepared against organisations and their executives. Of greatest concern to executives and directors is that the organisation is not held responsible alone: its board of directors and executives are personally accountable and liable.
Data privacy security regulations are no longer just a compliance issue, nor are they just a privacy issue; they involve financial and reputational damage caused by poor security practices. What is not as well known is that corporate law, in most jurisdictions, places substantial requirements on directors and executives to exercise due diligence, which encompasses cybersecurity. Board members and company executives are being placed on notice to ensure they are doing all they can, such as encrypting sensitive data, to ensure the privacy of their customers’, suppliers’ and partners’ data and their own intellectual property and business data.
Today, company directors must ensure their business is encrypting all the sensitive data they handle, and ignorance will no longer be an acceptable defence.
Andrew Wilson, CEO of Senetas