DON'T BUILD ON SAND
Cyber security, AI, directors' duties, and personal liability in Australia — in plain English.
Australian directors are quietly being asked a question most of them haven't given an honest answer to: "How exposed am I, personally, if my organisation has a cyber incident?"
The short answer is more exposed than most directors realise. The law that puts directors there has been on the books for decades. What's changed in the last three years is how seriously regulators are applying it, to cyber and increasingly to AI.
Section 180 of the Corporations Act has always required directors to act with the care and diligence of a reasonable person. ASIC has spent the last three years applying that standard to cyber, using a doctrine called stepping stones. When a company breaches a law and a director didn't take reasonable care, the breach can step onto the director personally.
The numbers behind that have stopped being theoretical. Last October the Federal Court ordered Australian Clinical Labs to pay $5.8 million for failing to take reasonable steps to protect personal information, the first-ever civil penalty under the Privacy Act. Proceedings are ongoing against Optus, Medibank and FIIG Securities. And in April 2026, the Federal Court found Star Entertainment's former CEO and former Chief Legal and Risk Officer personally liable under Section 180.
It isn't just listed companies. ACNC Governance Standard 5 puts the same duty of reasonable care on charity directors and Responsible Persons. The dollar threshold protects the company from some Privacy Act obligations. It doesn't protect you, the director, from much.
We've put together two reads for board members and Responsible Persons, depending on how much time you have this morning.
THE 1-MINUTE READ
A short LinkedIn-friendly summary. The question, the principle, the prompt. Useful if you want to send something to a fellow director or board chair to start the conversation.
THE 12-MINUTE READ
A full plain-English directors' guide. Seven pages. What applies to your tier of organisation. What falls on you personally. AI risks alongside cyber. Five Australian cases every director should know. A defence ladder for what reasonable directors are doing now. And an explanation of how Red Flagg™ helps NFPs and charities that genuinely can't afford cyber protection — for free.
WHO THIS IS FOR
Australian directors. Board chairs. Charity Responsible Persons. Members of NFP committees. Anyone whose name sits on a corporate register or an ACNC listing and who has been quietly wondering whether the cyber-and-AI risk on their organisation is also a risk on them, personally.
This isn't legal advice. It's a plain-English starting point. If you want to talk it through, that's what we're here for.
If something feels off, check it with Red Flagg™.