
Cyber Attacks: Why we blame the business and not the attackers

Rather than being seen as the ‘victim’ of a cyber attack, a business that is breached is increasingly seen by the public as a ‘failure’ that did not have adequate cyber security measures in place.


While the attacker remains anonymous, the business’s good name and reputation are harmed, sometimes irreparably, as the public loses trust. This can lead to a downturn in revenue and, in some circumstances, can cause a once successful business to fail completely.

In something of an Australian first, ASIC recently commenced proceedings against a company that was itself the victim of a cyber attack. ASIC alleges, in particular, that the company failed to implement appropriate policies and systems to prevent cyber attacks.

This, as much as anything, demonstrates the increasing pressure on businesses to ensure that they are not bystanders when it comes to cyber security.


From January 2021 to June 2021, 30% of all data breaches notified to the Office of the Australian Information Commissioner (OAIC) were attributable to human error.

It is vital that businesses have sufficient measures in place to mitigate the risk of employees inadvertently exposing the organisation to an attack, and to the flow-on effects of a data breach.

Strategies might include:

  • Data Breach Response Plan: A planning tool that identifies and explains the procedure your organisation will follow when responding to a data breach.
  • Cyber Security Policy: This explains the procedures your organisation will follow when handling sensitive information and how to use the technology that keeps it secure. It should set out the security measures in place, including password requirements and how to identify spam and scam emails, and explain how employees can prepare for a cyber attack.
  • Appointing a Privacy Officer: A senior staff member whom other employees can approach about any cyber security issue. The Privacy Officer should have a clear role description and list of responsibilities.
  • Updating all Policies: All company policies and procedures should be regularly reviewed and updated to ensure they account for cyber security protection measures, including the Employee Code of Conduct, Social Media Policy, Anti-Discrimination and Harassment Policy and so on.


On 7 May 2021, the NSW Government released a draft Privacy and Personal Information Protection Amendment Bill 2021. If it is passed, NSW will become the first state to implement mandatory notification of data breaches (a notification scheme has applied at the Commonwealth level under the Privacy Act 1988 (Cth) since 2018).

The intention is to create new standards of accountability and transparency in relation to the protection of personal information. Whilst the NSW scheme would apply to public sector agencies bound by the Privacy and Personal Information Protection Act 1998 (NSW), with private sector organisations remaining subject to the Commonwealth Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth), such a move again places the onus on organisations to protect themselves from cyber attackers and says nothing about the accountability of the anonymous attackers themselves.

Both public perception and political decision making therefore appear to be moving towards placing all responsibility on businesses to have sufficient cyber security measures in place.

For these reasons, it is also imperative that businesses ensure all computers, phones and other electronic devices are protected with adequate security technology, such as the Red Piranha Crystal Eye product.

If you wish to discuss any cyber security issues in relation to your business, please contact PBL Law Group.

Copyright 2021 @ PBL Law Group