Update on Australia’s First Cyber Security Case: ASIC v RI Advice
Earlier this year, we published a post about Australia’s First Cyber Security Case – ASIC v RI Advice Group Pty Ltd (RI Advice). In it, we outlined the circumstances that led to the lawsuit, ASIC’s sought orders and declarations, and the next steps for the claim. These next steps included a tentative trial date of 29 November 2021. This has already been pushed back to 4 April 2022, but that doesn’t mean nothing is happening in the case. Here’s what we know about how the legal arguments in ASIC v RI Advice are developing:
ASIC Has Been Asked to Revise Its Further Amended Statement of Claim
Since ASIC filed the original Statement of Claim (SOC) in October 2020, the document has undergone changes that resulted in the filing of an Amended Statement of Claim in February 2021 and a Further Amended Statement of Claim (FASOC) in May 2021.
RI Advice challenged the content of the FASOC in an Interlocutory Application made in July 2021. In it, the Defendant alleged that parts of the FASOC were “evasive or ambiguous, are likely to cause prejudice, embarrassment or delay in the proceeding and/or fail to disclose a reasonable cause of action” and should therefore be struck out. The Court disagreed, instead ordering that ASIC should amend the FASOC, but that no parts of it should be struck out.
The case is listed for further management on 10 December 2021, in advance of the three-week trial scheduled for April 2022.
Key Takeaways for Australian Organisations From the Proceedings So Far
While any resolution to the ASIC v RI Advice claim is unlikely to materialise in the near future, there are still critical takeaways for Australian organisations:
Your cybersecurity framework should take global standards into consideration.
ASIC relied on ‘six standards from around the globe, five of which were said to be publicly available’ in drafting its initial claim against RI Advice. While the legal arguments surrounding the reliance on these standards are complicated, it’s evident that ASIC is looking to the standards used globally or set by other countries in determining what acceptable cybersecurity looks like in Australian companies.
ASIC does not demand perfection from companies, but they do want to see progress and attention being paid.
Part of ASIC’s claim is, firstly, that RI Advice did not have adequate cybersecurity documents and controls in place, but ASIC goes on to note that it was the failure to identify the cause of the cybersecurity incidents and use that information to mitigate future risk that gave rise to RI Advice’s contravention of certain provisions of the Corporations Act. Reviewing the root causes of incidents, and developing and implementing corrective actions to prevent their recurrence, should be a mandatory step in any incident response plan.
RI Advice’s failure to take appropriate action, knowing of existing identified vulnerabilities that had led to data breaches, is just as important as the failure to implement appropriate cyber security protections in the first instance.
Australian businesses should have information security incident response policies and processes in place to ensure that, if a cybersecurity incident does occur, steps will be taken not just to contain the damage caused by the breach, but also to improve cybersecurity in the aftermath.
It is important for all organisations to have developed, implemented and tested a robust incident response capability. You should consider developing and implementing these plans, if you haven’t already.
You can read the judgement here: http://www7.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/FCA/2021/1193.html
Privacy 108 Provides Comprehensive Cybersecurity Planning for Australian Organisations
The specialist team at Privacy 108, led by one of Australia’s foremost privacy experts Dr Jodie Siganto, work with medium and large-sized organisations to develop robust cyber security frameworks. Our cybersecurity lawyers offer:
- Cyber awareness programs and training.
- Strategic frameworks for minimising the risk of unauthorised data access.
- Detection systems and processes.
- Data breach responses.
- Data loss policies to mitigate potential losses from ransomware or similar.
- Cyber-continuity planning.
- Criteria for choosing cyber-conscious third-party service providers.
- Data sharing contracts between EEA-based and non-EEA companies.
- Compliant collaboration and information sharing policies and processes.
- Responsive cyber governance programs.