Just like company directors, IT managers or CIOs who consult to the board can be held personally liable for data security breaches that result in third-party damages.
Lawyer Martin McEniery, from the law firm Freehills, issued this warning while highlighting the impact of 'significant' legislative changes in Australia during the past three months. Speaking at Meta Group's MetaMorphosis conference in Sydney today, McEniery cited the December 21 amendment to the Privacy Act and changes to the Criminal Liability provisions of the Commonwealth Criminal Code, effective from December 15, 2001.
The Commonwealth Criminal Code takes a 'strict liability' approach, and like laws prohibiting drink driving, there are very few defences, according to McEniery. This means that a corporate culture of tolerating non-compliance with privacy and cybercrime legislation would be interpreted as the company's 'intent' in legal proceedings.
"At the heart of the new privacy laws are the National Privacy Principles (NPP), and NPP4 says an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure," McEniery said.
"Directors and IT managers may face personal liability, both criminal and civil, under the Common Law, Corporation Law, Trade Practices Act and Computer Misuses Offences if they do not implement appropriate IT security and usage policies, audits and technological protection.
"From December 15, 2001, companies are liable for offences committed by employees where the company has a corporate culture of non-compliance," McEniery said.
The issue of manager and director liability is particularly onerous when it is considered that some 70 per cent of security threats emerge from internal sources.
"That 70 per cent of the [security] damage is due to the internal environment is very important in terms of vicarious liability," McEniery said. "You can have the best security systems but [this is little defence] if one of your technical people who knows the architecture and how to get around it is doing damage. How are you going to protect yourself from [such a] bad arse?"
Steps to protection are policy and governance. Policy statements would cover acceptable and unacceptable computer usage, while governance would include suitable supervision and an appropriate training regime.
"So if the Federal Police come - you've got the piece of paper that shows you've done all that you can," he added. "[But] if you have policies in place, but are not implementing and monitoring, you can be held vicariously liable under the Trade Practices Act."
He added that while "all the talk is about privacy", the big risks lie in the area of IT data security since the implications of the theft or mishandling of personal information are enormous.