The world of cybersecurity is overflowing with principles. Principles about patching, passwords and people. Principles about physical security, phishing and firewalls. But until recently, there has been little legal precedent supporting these principles—and without such precedent, principles can be difficult to enforce.
However, the past month has served up two landmark cases that will help establish a new level of precedent for cybersecurity in Australia—one in the Federal Court and one in the ACT Civil and Administrative Tribunal. Both cases deserve utmost attention from senior management, boards and directors as our nation navigates a new era of cybersecurity uplift. These cases should not be dismissed as just technical ‘principles’.
After years of legal wrangling, on 5 May the Federal Court released its highly anticipated judgement into action brought by the Australian Securities and Investments Commission in 2020 against RI Advice Group. ASIC claimed RI Advice had inadequate cybersecurity controls in place, which the company failed to remedy despite being aware of the issues. This resulted in sensitive client information being compromised multiple times over a…
