Snapshot
- The law is playing catch-up in relation to cyber harm.
- A tort dealing specifically with digital privacy breaches would provide clarity.
- ASIC is taking its first action against a company for allegedly deficient cyber security.
Digital dualism is the belief the online and offline worlds are clearly distinct, do not interact and do not intersect. This is, at best, a naïve proposition. In 2020, it is unfeasible to contend there is no nexus between online and offline – they are inextricably linked. This fact has been clearly articulated, both by Prime Minister Scott Morrison in an unprecedented cyber security press conference on 19 June and also in Australia’s Cyber Security Strategy 2020, released in August.
Despite the startling pace of technological development and the pervasive impact the Internet of Things is having on governments, their institutions, businesses and individuals, the laws governing the cyber realm have failed to keep pace.
A key example is in relation to harm – namely, cyber harm stemming from data breaches. As we know, damages for harm – whether negligent, reckless or intentional – are long-established in Australian case law. The golf ball test applies, and when it comes to harms that occur in the ‘real world’, the law is relatively clear cut. In the case of cyber harms, however, the law and its interpretation are murky. This is despite the fact that cyber harms resulting from data breaches are real, tangible and damaging, and, as the world marches towards 5G, more likely to occur.
What is cyber harm?
There is no doubt cyber harm is difficult to define. In a recent paper, however, Agrafiotis et al formulated a useful definition, describing cyber harm as: ‘the damage that arises as a direct result of an attack conducted wholly or partially via digital infrastructures, and the information, devices and software applications that these infrastructures are composed of.’ (‘A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate’ Journal of Cybersecurity, 2018, 1–15, 2)
These harms can manifest as physical or digital, psychological, economic, reputational, social and societal harm. But the question remains – how can these harms be quantified, especially when they are both novel and potentially intangible?