Data Breach Update to Australian Securities Exchange Guidance on Continuous Disclosure Listing Rules
In Short
The Situation: The Australian Securities Exchange ("ASX") has published new data breach examples in an update to its continuous disclosure Guidance Note, effective from 27 May 2024 ("Data Breach Examples").
The Result: The Data Breach Examples identify whether a number of hypothetical data breach scenarios will be considered market sensitive information, or whether the information may fall within the exceptions from the continuous disclosure rules ("Listing Rule 3.1A").
Looking Ahead: The new guidance will be welcomed by ASX listed entities, in circumstances where there is greater market scrutiny on how those entities respond to cybersecurity incidents. Additionally, new reforms have been foreshadowed to the Australian Privacy Act that will likely impose stricter reporting and disclosure obligations on entities the subject of a data breach.
Overview of the New ASX Guidance on Data Breach Disclosure
The Data Breach Examples depict the evolution of a hypothetical data breach and provide specific junctures at which the ASX would, or would not, expect disclosure to the market under the continuous disclosure rules. The junctures distinguish between breaches of encrypted versus unencrypted data, and also between data that concerns a small versus large number of people.
The junctures include:
- Discovering that encrypted sensitive customer data may have been breached;
- Receiving blackmail threats;
- Disclosing the breach to the regulator confidentially;
- Discovering unencrypted data has been breached;
- Discovering that the data relates to a large number of individuals;
- Paying a ransom;
- The customer data being published on the dark web; and
- Becoming aware of commentary that a class action is being considered with requests for expressions of interest.
These junctures attempt to cover the "greyer" areas of data breach events which ASX listed entities may have had to grapple with in determining whether they are materially price sensitive and require market disclosure. The Data Breach Examples also provide additional comfort that ASX listed entities may be able to rely on the exceptions from disclosure under ASX Listing Rule 3.1A in circumstances where it remains unclear whether the breach is materially price sensitive and while the breach remains confidential.
Observations on ASX's Guidance
Overall, we consider that the Data Breach Examples provide welcome guidance to ASX listed entities, particularly as recent high-profile data breaches have heightened scrutiny from shareholders, regulators and the media of the market disclosures that ASX listed entities make in response to cybersecurity incidents and breaches.
Aside from the usefulness of the Data Breach Examples, and the clarity they provide around disclosure requirements, we make three further observations.
First, it is important to recognise that data breaches are each unique and that there will rarely be a "one size fits all" approach for determining whether market disclosure is required. Care should be taken to avoid trying to categorise an actual scenario into one of the Data Breach Examples provided, in circumstances where there are other material aspects to take into consideration.
Second, where an exception to disclosure may be enlivened, the consequences of non-disclosure and the risk of private litigation including shareholder class actions, or regulatory enforcement action, will also need to be factored into the decision to disclose, or not disclose.
Third, the Data Breach Examples have been prepared in the context of Australia's current Notifiable Data Breach scheme, which requires an entity to report eligible data breaches to the regulator and affected individuals "as soon as practicable", and also allows an entity a period of 30 days after suspecting that it may have experienced a data breach to assess the situation and decide whether or not there has been an eligible data breach. Many entities listed on the ASX will also be subject to notification obligations under other jurisdictions which have considerably shorter notification obligations to the relevant regulator.
Foreshadowed New Australian Reforms Will Be Likely to Impose Stricter Requirements on Reporting Data Breaches
The Attorney-General's Privacy Act Review Report, and the Federal Government Response, foreshadow reforms which will provide a stricter and more limited period of potentially 72 hours after becoming aware of an eligible data breach for entities to notify the regulator, and affected individuals thereafter. Separately, the current 30-day assessment period for suspected breaches applying under the Privacy Act may also be shortened.
The impact of these potential reforms is that the junctures outlined in the Data Breach Examples will occur in a much shorter time frame. The consequence will be that ASX entities will need to move even faster in assessing their disclosure obligations over a brief period of time, and will most certainly need to have draft disclosure statements prepared as a matter of urgency when potential data breaches are discovered, so that the disclosure can be made immediately upon determining it is required. The potential reforms will not materially impact ASX entities subject to shorter reporting periods in other jurisdictions, e.g., 72 hours under the EU General Data Protection Regulation.
We recommend ASX entities have a data breach rapid response plan which includes draft announcements for a number of scenarios and sets up a rapid response team which is deployed upon suspecting or becoming aware of a breach.
Preparing the Contents of an ASX Announcement in the Context of a Disclosable Data Breach Scenario
The Data Breach Examples and updated guidance include commentary on what should be included in the preparation of a draft announcement and, in the context of a disclosable data breach scenario, the final announcement.
Noting that the content of a market announcement will depend on all of the facts and actual knowledge at the time, the guidance note provides that announcements should ideally contain all material facts, any material impact on operations or financial position (although we observe this is unlikely to be known at the initial announcement stage), the actions being taken and when the entity expects to further update the market. The material facts would include, to the extent known, the type of data accessed, whether it has been exfiltrated, the number of customers impacted, whether it was accessed through third-party systems, whether the incident is continuing and how impacted customers will be notified.
If the action being taken includes conducting an independent investigation for the dominant purpose of obtaining legal advice, care should be taken in how that investigation is referenced in the market update, since a reference that frames the investigation in commercial terms may create challenges in upholding a privilege claim over the investigation report.
This issue has been highlighted in the recent decision of Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58 ("Optus"), which examined whether a report prepared by Deloitte on its external review of Optus's data breach was privileged. The Full Court examined the evidence presented on the dominant purpose of the report, which included a media release that referred to the investigation and its commercial purposes from the perspective of the CEO. On the basis of this evidence, the Full Court confirmed that the report was prepared for multiple purposes, including obtaining legal advice and preparing for litigation, but that the evidence did not establish that this was the dominant purpose.
Three Key Takeaways
- The ASX has published new data breach examples in an update to its Guidance Note 8 (Continuous Disclosure). The guidance, which is based around hypothetical scenarios, will be welcomed by ASX listed entities, which are facing increased scrutiny in how they respond to cybersecurity incidents.
- Although the Guidance Note is broad in its application, data breaches are unique and there will rarely be a "one size fits all" approach for determining when market disclosure is required. Accordingly, ASX listed entities must still have regard to their broader continuous disclosure obligations.
- The Government has foreshadowed new reforms which will likely provide a stricter and shorter period for entities that are the subject of a data breach to notify the regulator and affected individuals. These reforms would likely mean that relevant entities need to assess their disclosure obligations in a narrower period of time. Some entities may already be subject to shorter data breach reporting periods in other jurisdictions, for example in the European Union and California.