Back in 2015, lawyers writing for Bloomberg Law described C-level security officers as the natural targets of post-breach lawsuits. They forecast that it would only be a matter of time before liability claims were routinely extended to senior in-house legal stakeholders, with the CIO (also known as the CISO, CSO or CTO) in a starring role. More recently, Paul Bergman, a US-based cyber commentator, posted on LinkedIn:

“The courts are raising the bar on personal liability for executives and board members and there are a growing number of cases in which the CISO is the scapegoat after cybersecurity incidents”. 

The predictions were correct. Scapegoat or otherwise, Uber’s former security officer Joe Sullivan is thought to be the first cybersecurity leader to face criminal charges in this context. Last year, in San Francisco federal court, he was found guilty of obstruction of justice and failure to report a crime, following a 2016 hack that exposed the email addresses and phone numbers of 57 million drivers and passengers.

More cases have followed and, while there hasn’t been any in APAC so far, this is highly likely to change. Law firms including Maurice Blackburn and Slater & Gordon are investigating potential class actions against Medibank and Optus following last year’s highly publicised breaches. If legal action goes ahead, their security officers might be named.

“Directors and officers in Australia and New Zealand are more likely to be held to account for their acts or omissions than those in other APAC countries,” says Patrick Boardman, a partner at Clyde & Co. in Sydney. “For example, ASIC recently brought proceedings against senior officers and the entire board of Star Casino for an alleged breach of duty in failing to protect the company from significant risks to its business.”

Premium

You need to login to access this

Login

What are CIP Points? About ANZIIF Membership