Privacy Act Obligations and the Crimes Act: A Director’s Guide to Defensible Oversight


A director’s failure to adequately oversee data privacy is no longer just a corporate civil liability. It is now a direct line to personal criminal prosecution under Commonwealth law.

For Australian directors, the regulatory environment of 2026 marks a point of no return. The intersection of the Privacy Act 1988 and the Crimes Act 1914 (Cth) has erased the traditional separation between a data breach and a criminal offence. This convergence elevates a failure of governance from a simple breach of fiduciary duty under the Corporations Act 2001 to a matter of potential criminal recklessness, demanding a new standard of defensible oversight from every board member.

The Intersection of the Privacy Act and Criminal Law in the Boardroom

The critical shift for directors is understanding the line between civil negligence and criminal liability. The Office of the Australian Information Commissioner (OAIC) has long enforced civil penalties for breaches of the Australian Privacy Principles. However, the Crimes Act 1914 (Cth) introduces a higher standard. It examines whether a board’s systemic failure to protect personal information demonstrates a “reckless indifference” to the law, a threshold that moves oversight failures into the criminal domain.

Professional standards set by bodies like the Australian Institute of Company Directors (AICD) and the Australian Computer Society (ACS) provide a baseline for what constitutes “reasonable steps” in a governance context. Regulators and courts will look to these standards as a measure of a board’s diligence. A demonstrable, structured approach to data governance, aligned with these professional benchmarks, is a director’s first line of defence. Without it, a board appears indifferent to its obligations.

Federal vs State Jurisdictions for Directors

While many directors are familiar with state-based criminal laws like the Crimes Act 1900 (NSW), a significant data breach almost always triggers federal scrutiny. The handling of personal information falls under Commonwealth jurisdiction via the Privacy Act 1988. Consequently, any subsequent investigation into serious or repeated failures will engage the Crimes Act 1914 (Cth), making this a national issue for every Australian company director, regardless of their operational headquarters.

The Threshold of Criminal Liability

A governance oversight failure becomes a serious indictable offence when a director, aware of a substantial and unjustifiable risk of a serious privacy breach, proceeds with conscious disregard for that risk. This is the essence of recklessness in a corporate context. The defence of “I was not informed by management” is no longer viable. In the digital economy of 2026, a director’s duty is to actively interrogate, challenge, and verify the information presented to the board, not to passively accept it.

From the Boardroom

I once sat on a board where the Chief Information Security Officer presented a flawless report on privacy compliance. Every metric was green. The board was ready to approve the report and move on, but the Chair asked a simple question: “How would this report change if our key cloud provider had a catastrophic failure tomorrow?” The silence was telling. The CISO admitted our contractual protections were weak and our recovery plans were based on assumptions, not verified tests. Our pristine compliance report masked a critical, unmanaged risk. That single question shifted our entire approach from reviewing management reports to actively stress-testing our governance. It was a stark lesson that a director’s true role is not to accept information, but to challenge its underlying resilience against real-world failure.

Data, Deception, and Digital Risk: High-Stakes Clauses

The Crimes Act 1914 (Cth) contains specific clauses that present a direct threat to directors following a data breach. The computer offence provisions, for example, criminalise unauthorised access to data. A board that fails to oversee and enforce adequate access controls could be seen as complicit in creating an environment where such offences are likely to occur. This is not a technical IT failure; it is a governance failure with criminal consequences.

Furthermore, the risk of “obtaining benefit by deception” is acute. If a company’s public statements, annual reports, or market disclosures paint a misleadingly positive picture of its privacy and cyber security posture, this can be interpreted as deception. Following a breach that reveals systemic weaknesses, such statements can be used to argue that the board misled investors and the market, a serious criminal offence. This is why an Australian board’s approach to cyber governance must be grounded in sober reality, not aspirational metrics.

The legislative environment is also tightening. The Cyber Security Act 2024 received Royal Assent in November 2024; its mandatory ransomware reporting obligations are now in force, and full enforcement commences on 1 January 2026. The Act imposes stringent obligations on directors of critical infrastructure assets. While its scope is specific, its standards will inevitably become the benchmark for all Australian boards, raising regulator and stakeholder expectations across the economy.

Fraud and Corporate Misconduct in Reporting

A board’s reporting to shareholders, regulators like ASIC, and the OAIC must be rigorously accurate. Superficial compliance statements that are not backed by evidence of robust governance create significant legal exposure. A post-breach investigation will scrutinise every public and regulatory filing. If a disconnect is found between what the board claimed and what it actually did, allegations of corporate misconduct and fraud will follow. This risk is amplified when entering into a regulatory settlement agreement, where prior representations about compliance will be tested against the facts of the breach.

Establishing Defensible Oversight: The Board’s Shield

A director’s best defence against personal liability is a demonstrable record of diligent and active oversight. This requires moving beyond the technical dashboards provided by management. The board needs reporting that translates technical data into measures of legal and regulatory defensibility. The critical question is not “Are we compliant?” but “Can we defend our decisions and our governance framework to a regulator or in court?”

Achieving this standard of oversight requires proactive measures. Board-level incident simulations are essential for preparing directors to make defensible decisions under extreme pressure. An AI Governance Board Review is no longer optional as artificial intelligence systems become embedded in corporate processes, creating new vectors for data misuse and fraud. These structured activities create a defensible record of the board fulfilling its duty of care.

The Independent Advisory Advantage

Internal teams and auditors operate within the organisation’s culture and are subject to inherent biases. They often lack the independence needed to deliver the unvarnished truth to the board. For criminal-level defensibility, a board needs sober, objective realism. An independent advisor with no conflicts of interest, such as selling technology products or managed services, can provide this. Their role is to bridge the gap between the technical teams and the board, translating complex risks into the language of fiduciary duty and legal liability.

Questions for Your Next Board Meeting

To begin strengthening your board’s position, I suggest asking two questions at your next meeting:

  1. Does our current reporting from management provide clear evidence of defensible oversight, or does it simply report on technical compliance activities?

  2. Have we conducted a facilitated, board-level exercise to test our governance and decision-making protocols against a scenario involving a major data breach with potential criminal implications?

The answers will reveal the gap between your current posture and the requirements of the 2026 regulatory landscape. Defensible oversight is not a destination. It is a continuous, disciplined process of inquiry and verification, led from the top.

If this resonates, I would welcome a conversation.

Article by Andrew Roberts

Founder and Principal Advisor at Andrew Roberts Advisory. I work directly with Australian boards and non-executive directors on cyber governance, AI governance, and IT general controls and strategy, translating complex regulatory terrain into clear, defensible oversight frameworks that directors can own and act on.

I have founded and exited two technology companies. I founded Field Solutions Group, served as Group CEO for a decade, and led the ASX listing in 2017. During that time I held direct board accountability for cyber risk, ISO 27001 certification, and governance at the listed company level. I have also served as Deputy Chairman of a federally funded Cooperative Research Centre.

I am a Member of the Australian Institute of Company Directors (AICD) and the Australian Computer Society (ACS), holding the ACS designation MACS (Snr) CP (Cyber), and am a Member of ISACA.

aradvice.com.au