In response to market feedback, ASX has released a useful data breach example to be included in its Guidance Note 8 on Continuous Disclosure, which will take effect from 27 May. Entities listed on ASX have obligations to make immediate disclosure of information material to investors, subject to limited exceptions, all of which require information to remain confidential.
The new example provides high-level guidance to ASX-listed entities on when disclosure may be required in connection with a data breach, and what might need to be disclosed. This type of decision requires consideration of the nature and extent of the data breach and confidentiality issues.
For example, while confidential consultation with regulators might not trigger disclosure, formal notification to the Office of the Australian Information Commissioner (OAIC) and affected individuals will mean that confidentiality is lost, and the disclosure obligation may be triggered. The new example recognises that determining materiality will often be difficult, and unsurprisingly suggests that it may be prudent to make a release to ASX at the point of notification to OAIC and affected individuals, to ensure that continuous disclosure obligations are met.
The key trigger for disclosure is of course materiality, and this may be hard to judge in a quickly unfolding data breach response situation. The ASX suggests the possible use of a trading halt to provide time to prepare an appropriate announcement. That said, the fact that a situation is developing and not all facts are yet known is not a reason to delay disclosure of what is known.
While the ASX’s new guidance is useful and appreciated, and will repay careful study, disclosure decisions around significant data breaches require careful consideration having regard to the particular circumstances. The legal responsibilities of senior executives and non-executive directors in relation to data breaches are an area that warrants close attention in the current environment. ASIC has indicated the potential for enforcement action if directors and officers fail to take reasonable steps to prepare for the almost inevitable data breach.
Statements to ASX concerning data breaches (and other public statements) are a critical part of an entity’s response to a data breach, and senior executives and boards will be well served by having comprehensive response plans in place, and regularly testing them.