Australian companies spend billions on firewalls, detection software, and threat intelligence. Yet, the same breaches happen repeatedly. A major European museum recently suffered a multi-million dollar theft because the password for the security system was the name of the museum itself. This persisted for a decade.

As a cybersecurity lawyer in Melbourne, I frequently see SME owners treat digital security as an IT problem. They buy a product, tick a box, and assume they are safe. This approach is legally dangerous. The current “best practices” often create a false sense of security, leaving directors exposed to liability when, not if, a breach occurs.

This is just one more area where culture eats strategy.

The Compliance Paradox

Compliance does not equal security. Many businesses follow a standard checklist to satisfy an auditor or an insurance form. They deploy antivirus software and enforce complex password policies. However, these measures often fail to account for human behaviour.

When security controls are too rigid, employees bypass them. They share passwords to get work done faster. They use personal devices to avoid network restrictions. Defining reasonable standards requires looking at how your business actually operates, not just what a generic framework suggests.

From a legal standpoint, ticking boxes without enforcing the underlying policy is negligence. If you have a policy that requires multi-factor authentication (MFA) but allow exceptions for senior executives, you have created a documented trail of your own failure. In court, a plaintiff will use your own ignored policy as evidence against you.

The Insider Threat is Often Ignored

Most SMEs focus their defence on external hackers. They imagine a criminal syndicate overseas. While this threat is real, the more immediate danger often comes from within. This includes malicious employees, but more frequently, it involves well-meaning staff making errors.

Recent international cases have shown that even cybersecurity professionals can turn rogue, using their privileged access for extortion. While extreme, this highlights a critical gap in standard advice: technical controls cannot fix a lack of trust or oversight.

Your employment contracts must evolve. Standard confidentiality clauses are insufficient. You need specific provisions regarding data handling, device usage, and immediate revocation of access upon termination. Just as you would protect yourself during a building project with strict contractual terms, you must protect your digital infrastructure with appropriate employment agreements.

Legal Implications of Third-Party Data Breaches

You might have a secure network, but your suppliers likely do not. Supply chain attacks are becoming the primary vector for compromising SMEs. A vendor you trust with your customer data gets hacked, and suddenly, you are the one facing the regulator.

The legal implications of third-party data breaches are severe. Under the Australian Privacy Act, you generally cannot outsource liability. If you hand data to a payroll provider and they leak it, your customers will sue you, and the Office of the Australian Information Commissioner (OAIC) will investigate you.

We recently saw a case involving a vulnerability in widely used endpoint management software. Thousands of companies were exposed not because they made a mistake, but because a tool they trusted had a flaw. Recent government reports highlight that supply chain vulnerabilities are escalating.

Your vendor contracts must include:

  • Mandatory notification periods for breaches (often shorter than statutory requirements).
  • Indemnities for costs related to forensic investigation and legal advice.
  • The right to audit their security practices.

Why “Best Practice” Isn’t Enough

The term “best practice” implies a static standard. The law, however, looks for “reasonable steps” in the context of the specific risk. What was reasonable in 2023 is negligent in 2025.

Hardware and software eventually fail. When they do, the legal question shifts to defensibility. Did the directors understand the risk? Did they allocate resources appropriately? Did they test their response plan?

Many businesses treat their incident response plan like a fire drill – something to be ignored until the alarm rings. This is a mistake. A plan that sits on a server you can no longer access because of ransomware is useless. Just as we advise on a compliance checklist for private lending to avoid regulatory ire, your cyber governance requires active, regular review.

Rethinking Training and Culture

We force employees to watch generic videos about phishing. They click “next” until it ends. This is the industry standard, and it is failing. Scientific reviews of training methods indicate that engagement is low and retention is poor.

Effective governance requires a culture where security is not an obstacle to work. If your staff are afraid to report a potential mistake because they fear punishment, you will not know about a breach until it is too late. Legal defensibility improves when you can demonstrate a culture of continuous education rather than tick-box compliance.

Practical Steps for Directors

If you wait until a hack occurs to seek legal advice for data breach protocols, you have already lost ground. You need to position your business to survive the scrutiny that follows an incident.

Focus on these commercial decisions:

  1. Audit your insurance: Does your policy cover “social engineering” fraud? Many do not.
  2. Segregate duties: No single employee should have the power to destroy backups or transfer large sums without oversight.
  3. Review vendor agreements: If a vendor refuses to accept liability for their own security failures, find a new vendor.

Cybersecurity is not a technical shield; it is a process of risk management. If you are concerned about your current exposure or the validity of your vendor contracts, we should discuss your position.

About Blaine Hattie

Blaine Hattie is a Principal in Commercial Transactions at Sutton Laurence King Lawyers. He advises businesses on transactions and finance with a special interest in technology, cybersecurity, digital media, defamation, and artificial intelligence.

A Note on the Information We Share

Reading this information does not create a lawyer-client relationship between you and SLK Lawyers. This only occurs with a formal written agreement. Content is current at publication and applies to Victorian law unless stated otherwise. It is general information only and not a substitute for specific legal advice. Strict time limits apply to legal claims. You should seek immediate legal advice on your specific situation to ensure your rights are protected.