Personal liabilities
Information Technology-Specific Liabilities
1. Cybersecurity Failures
- Situation: Failure to exercise reasonable care in protecting digital assets and company data, or in responding to cyber incidents.
- Potential Penalties: Personal liability for breaches leading to financial losses, regulatory penalties up to $50 million for companies, and significant fines or disqualification for directors; the ASIC v RI Advice Group case sets a precedent for direct board liability.
- Reference: Corporations Act 2001, Privacy Act 1988, APRA CPS 234, ASIC guidance.
2. Data Privacy Breaches
- Situation: Failing to protect personal and sensitive information or to report notifiable data breaches.
- Potential Penalties: Company fines up to $50 million, director criminal and civil penalties, personal lawsuits by affected individuals, and reputational damage.
- Reference: Privacy Act 1988, Notifiable Data Breaches (NDB) scheme.
3. AI and Automated Systems Governance
- Situation: Failing to set, monitor, and review governance frameworks for artificial intelligence, automation, or data-driven technology (e.g., GenAI).
- Potential Penalties: Civil and regulatory penalties via "stepping stones" liability, especially where harm results from unmanaged risks; personal liability even if the director was not directly involved.
- Reference: Corporations Act 2001, AI governance best practice (see ISO/IEC standards).
4. Lack of IT Risk Oversight
- Situation: Failing to ensure IT risks are identified, managed, and integrated into organisational risk frameworks.
- Potential Penalties: Liability under general directors' duties; ASIC can prosecute for lack of oversight regardless of technical expertise.
- Reference: Corporations Act 2001, ASIC cyber resilience framework.
5. Critical Infrastructure Non-Compliance
- Situation: For boards in critical sectors, failing to meet cyber obligations under the Security of Critical Infrastructure Act (mandatory incident reporting, baseline IT/OT cyber measures).
- Potential Penalties: Large fines, orders to remediate, personal director liability for serious failures.
- Reference: Security of Critical Infrastructure Act 2018.
General Director Liabilities Where IT Risk is Relevant
IT considerations now pervade many traditional board responsibilities. The following core areas highlight where IT risk or technology-related obligations intersect with classic board accountability:
- Duty of Care, Skill & Diligence: Boards must stay informed about and act upon technology risks (cyber, AI, digital transformation, system outages).
- Fiduciary Duty & Good Faith: Decisions about IT investments, cyber insurance, privacy strategies, or digital change programs must serve the best interests of the organisation and its stakeholders.
- Workplace Health & Safety: Breaches of employee data, safety system failures due to IT negligence, or lack of cyber/IT threat controls pose new OHS risks (e.g., ransomware crippling safety systems).
- Insolvency/Trading While Insolvent: IT breaches or cyber theft causing operational impacts or insolvency can expose directors if there is a lack of planning or digital risk management.
- Environmental Law: Digital system failures causing hazardous releases (industrial, infrastructure, logistics) may involve board liability if preventable through better IT or cyber protocols.
Key Laws and Regulatory Sources
| Regulation / Standard | Main IT Relevance |
|---|---|
| Corporations Act 2001 | General directors' duties for cyber, IT, and data risk |
| Privacy Act 1988 & Notifiable Data Breaches | Personal information protection, mandatory breach reporting |
| APRA CPS 234 | Prudential standard for information security in financial institutions |
| Security of Critical Infrastructure Act 2018 | Mandatory IT/cyber reporting for critical industries |
| ASIC Cyber Resilience Guidelines | Board-level accountability for cybersecurity |
| ISO/IEC 38507, ISO/IEC 23894 | Best practice for AI and tech governance principles |
Other IT Accountability Considerations
- D&O Insurance Limitations: Most liability insurance policies do not fully cover IT/cyber regulatory fines or wilful negligence.
- Culture and Training: Directors can be liable for deficiencies in organisational IT awareness or culture leading to compliance failures.
- Personal Liability Without Direct Involvement: Australian law allows for board liability for systemic IT failures even if directors claim no technical expertise or direct action, as evidenced in ASIC v RI Advice.

Directors and board members must ensure they are properly briefed on IT risk, integrate technology into risk management agendas, and maintain current knowledge of regulatory developments to minimise personal exposure under Australian law.