Continuous disclosure: new data breach example added to ASX Guidance Note 8

Written by John Keeves (Partner)

In response to market feedback, ASX has released a useful data breach example to be included in its Guidance Note 8 on Continuous Disclosure, which will take effect from 27 May.

Entities listed on ASX have obligations to make immediate disclosure of information material to investors, subject to limited exceptions, all of which require information to remain confidential.

The new example provides high-level guidance to ASX-listed entities on when disclosure may be required in connection with a data breach, and what might need to be disclosed. This type of decision requires consideration of the nature and extent of the data breach and confidentiality issues.

For example, while confidential consultation with regulators might not trigger disclosure, formal notification to the Office of the Australian Information Commissioner (OAIC) and affected individuals will mean that confidentiality is lost, and the disclosure obligation may be triggered.

The new example recognises that determining materiality will often be difficult, and unsurprisingly suggests that it may be prudent to make a release to ASX at the point of notification to OAIC and affected individuals, to ensure that continuous disclosure obligations are met.

The key trigger for disclosure is of course materiality, and this may be hard to judge in a quickly unfolding data breach response situation. The ASX suggests the possible use of a trading halt to provide time to prepare an appropriate announcement. That said, the fact that a situation is developing and not all facts are yet known is not a reason to delay disclosure of what is known.

While the ASX’s new guidance is useful and appreciated, and will repay careful study, disclosure decisions around significant data breaches require careful consideration having regard to the particular circumstances.

The legal responsibilities of senior executives and non-executive directors in relation to data breaches are an area that warrants close attention in the current environment. ASIC has indicated the potential for enforcement action if directors and officers fail to take reasonable steps to prepare for the almost inevitable data breach.

Statements to ASX concerning data breaches (and other public statements) are a critical part of an entity’s response to a data breach, and senior executives and boards will be well served by having comprehensive response plans in place, and regularly testing them.

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).
