Is a Business Liable if Hacked? 10 Crucial Insights for Australian Small Businesses

Small businesses in Australia are navigating the online landscape with increasing success but are also faced with unprecedented challenges, particularly cyber security threats. At the back of most business owners' minds is a looming threat that can have profound consequences - being hacked.

This raises a pivotal question for small businesses.. is a business held liable if hacked? To unravel the complexities of this issue, let's explore some insights for Australian small businesses. We will look at when a small business may need to consider if there are legal implications after a cyber security incident.

To begin with, hacking scams and security breaches are often not a direct fault of a business; many times, cyber criminals have targeted the business to gain access to company data.

Legal Obligations Under Australian Law

Australia has robust privacy laws, including the Privacy Act 1988, which governs the handling of personal information. Small businesses must comply with these laws, and a cyber security breach may trigger legal obligations, including the mandatory reporting of eligible data breaches to the Office of the Australian Information Commissioner (OAIC).

Compliance with Australian Privacy Principles (APPs)

The APPs outline the standards for handling personal information under the Privacy Act. Small businesses must be familiar with and adhere to these principles, which include securing personal information from unauthorised access and disclosure. Failure to do so may result in legal consequences.

Data Breaches and Duty of Care in Australian Business Practices

Regardless of size, Australian businesses are expected to exercise a duty of care in safeguarding sensitive information. Negligence in implementing adequate cyber security measures could render a business liable if a hack occurs. This duty extends to protecting customer and employee data from unauthorised access.

Industry-Specific Regulations For Australian Data Protection

Certain industries in Australia have specific regulations and standards regarding data protection. Small businesses should know and comply with industry-specific requirements to avoid legal repercussions. For example, healthcare providers must adhere to the My Health Records Act 2012.

Does your company hold any of the following?

• Client bank account details
• Customer credit card details
• Other financial information
• Health information
• Sensitive personal data
• Confidential information

If you do hold this type of data, you will likely be further regulated than other industries that do not store or collect data of this nature.

Contractual Obligations in Australia

Contracts with clients, customers, suppliers, or service providers often contain data protection and cyber security clauses. Failing to fulfil these contractual obligations may result in legal consequences, and small businesses should review and adhere to such agreements.

Australian Privacy Act Notification Requirements

The Privacy Act mandates that businesses notify affected individuals and the OAIC in case of a serious data breach. Australian small businesses must be prepared to take reasonable steps to comply with these notification requirements, including the timing and content of notifications.

Regulatory Fines in Australia

Regulatory bodies, including the OAIC, can impose fines for non-compliance with privacy laws. Small businesses may face financial penalties in addition to the immediate costs associated with a cyber attack, emphasising the importance of regulatory compliance.

Repercussions of Class Action Lawsuits

In Australia, affected individuals may pursue legal action through direct individual or class-action lawsuits following a significant data breach. Establishing negligence or a failure to protect sensitive information adequately becomes crucial in these legal battles.

Legal liability is a very complex space in Australian law at this stage, but there have been instances of Reputational Damage in the Australian Context
While not a direct legal consequence, the impact on a small business's reputation following a cyber attack can be significant. Loss of customer trust and confidence may have lasting effects on revenue and long-term viability, underscoring the importance of proactive communication.

Cyber Liability Insurance Coverage in Australia

Small businesses in Australia should explore cyber security insurance to mitigate financial risks associated with a cyber attack. Understanding the terms and conditions of insurance coverage and any exclusions is vital for businesses seeking financial protection. To understand what an appropriate insurance level will be, it's best to speak to both your technology and IT team and someone who can help with legal compliance.

Cyber insurance can be challenging to obtain without suitable safeguards, but purchasing insurance can be beneficial with costs associated with data breaches.

What Are The Main Ways That Security Breaches Happen To Businesses?

The most common ways that your business or email account may be hacked are:

• A business email compromise (which often arrives looking like legitimate business emails but are, in fact, a fraudulent email or 'phishing' attempt)
• A hacker gaining access to your files due to vulnerabilities in your computer system.
• Hacking scams such as business email invoice fraud, which may redirect funds to fake invoices
• Malware, ransomware or other viruses
• An ex-employee or someone with access to your business data using their access to steal data or for a fraudulent purpose
• By accident, if an employee leaves a computer unlocked or loses a device with sensitive data

What Can A Business Potentially Be Held Liable For?

Being a very new area of law, it's hard to know how a legal matter may unfold with so many changes to current Australian laws coming into play. A general position from the relatively small number of cases in Australia indicates that if a business has fallen victim to a data breach and a business failure is shown, a company may be liable.

Often, the court will issue fines and specific requirements for data protection policies and implementation. The company may also be liable for any loss suffered, including the costs of replacing ID and any inconvenience this has caused.

Where Can I Seek Additional Help Or Legal Assistance After Hacking Occurs?

Generally speaking, if you need to understand liability after a data breach or compromised IT systems, you'll probably need professional assistance. If personal ID, bank details or other sensitive data has been exposed, there is likely a legal risk, or at the very least, the company liable has a potential duty of care to inform affected parties.

If you work in fields that handle sensitive data, you'll probably be aware of your legal options and requirements to notify in the case of unauthorised access.

Support for small businesses after a data breach can come from:

• Your industry compliance regulators
• Your cyber security or IT team,
• A technology or compliance lawyer who understands the laws surrounding your industry
• The Australian Cyber Security Centre (ACSC) has a wealth of resources in this area, including the 'Have you been hacked' tool.
• The Office of the Australian Information Commissioner (OAIC) also has a tool, 'Report a data breach,' which you can explore.

A Final Note On Business Liability After A Hacking Event Occurs

Whether a business is liable if hacked in Australia is not a 'one-size-fits-all' answer and requires a thorough understanding of Federal and state laws and industry regulations. For small businesses, proactive cyber security measures, compliance with Australian privacy laws, and a comprehensive approach to contractual and legal responsibilities are essential.

As the threat of cyber attacks continues to evolve, staying informed and implementing robust cyber security practices are critical for safeguarding data and small businesses' legal standing in the Australian digital landscape.

Disclaimer: This is general information only. Please contact us for further guidance or seek independent legal advice that considers your unique personal situation before making any decisions based on the information in this communication.