ESG: why the ‘S’ in ESG impacts organisations the most when it comes to data privacy and cybersecurity

The impact of Environment Social Governance (ESG) is more far-reaching in its scope than most Australian businesses realise. ESG is a popular acronym amongst business socials to highlight their commitment towards the environment, sustainability, ethical practices, and transparency. The term is also often used as an effective marketing device to align the business and its positive contribution to the environment and society, regardless of whether it can be demonstrated that its products and services are genuinely impactful. Vague or unverifiable terms like “eco-friendly” or “green” are often used to highlight a single environmentally friendly aspect while ignoring other harmful practices.

The ESG concept¹ has evolved in recent years due to a growing concern for the environment (‘E’). Consumers and investors are becoming more conscious of their purchasing decisions and businesses have been quick to capitalise on this trend by presenting themselves as environmentally friendly. The consequences of greenwashing are significant. It misleads consumers who genuinely want to make environmentally or ethically responsible choices. By promoting false or exaggerated claims, businesses manipulate the actual environmental impact. This has led to a false sense of satisfaction among consumers and investors who believe they are making a positive difference when they are not. This in turn has led to an increase in greenwashing claims.

What is ESG?

Environment Social Governance (ESG) is a set of standards, policies and metrics used by organisations and investors to assess their impact on both the environment and society. Governance covers the overseeing of the environment and societal factors used to measure the non-financial impacts of particular investments and companies.

‘Introduction to ESG’, Harvard Law School Forum on Corporate Governance²

The Australian Securities and Investments Commission (ASIC) won its first greenwashing civil penalty action against Vanguard Investments Australia in March 2024³, and subsequently it won against Active Super in June 2024⁴. In both greenwashing actions, the Federal Court found that Vanguard and Active Super contravened the law by making misleading representations concerning its ESG credentials.

In the case of Vanguard, there was a failure to research or screen against securities in its Index Fund who were still conducting significant activities in industries involving fossil fuels. Similarly, Active Super claimed that it eliminated investments in its superannuation fund which posed too great a risk to the environment and the community, which included gambling, coal mining and Russian investments. The Federal Court, in its decision found that its green credentials were also misleading investors, potential investors and ordinary consumers who trusted and bought into these claims.

Beyond the more publicised impact on the environment, the risk of ‘S’ (social) when it comes to ESG breaches is more understated. Social risks such as workplace health and safety, human rights, supply chain relationships, and diversity, do not incur the same level of public exposure when compared to their Environmental counterpart. Instead, the relegation of these types of social issues is seen as stemming from a deficient workplace culture. When considering the impact of serious harm on individuals and society when personal information is compromised, it is arguable the public exposure arising from privacy and cybersecurity breaches, as a social risk, are as significant as any Environmental ESG breach.

As the quantity and pervasiveness of data breaches continue to rise, Australian businesses are beginning to accept that it is not a matter of if, but when they will be the next target of clandestine threat actors. The priority placed on protecting data preceding a breach is still insufficient given the extent to which personally identifiable information (PII) and sensitive information (SI) is being collected and stored by businesses. The insidious way data collection impacts every Australian individual who has ever shared some aspect of their PII and SI when they apply for a job, registered for a place to rent, visited a healthcare professional or purchased a ticket to a concert means that almost all transactions involve the disclosure PII and SI to some degree.

The Office of the Australian Information Commissioner (OAIC) reported it received an increase of 19% in the June - December 2023 reporting period, when compared to the previous six months. Interestingly, the source of breaches reported included malicious or criminal attack (67%), human error (39%) and system fault (3%)⁵.

In June 2024, the OAIC filed civil penalty proceedings in the Federal Court against Medibank Private Limited in relation to its October 2022 data breach for ‘failing to take reasonable steps to protect the personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988 (Cth)’⁶. The personal information of millions of current and former customers of Medibank was accessed by threat actors and published on the dark web. This attack exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime⁷.

The direction taken by the OAIC no doubt sends a strong message to the Australian business community about the consequences of data breaches and the serious interference of privacy it inflicts on individuals on a large scale. The action serves as a wakeup call for businesses to invest in cybersecurity defences and reinforces the ethical obligations and legal duty businesses have in protecting the personal information of individuals they have been entrusted with⁸. In fact, a recent survey conducted by Tenable⁹ has published results revealing that 44% of Australian IT and cybersecurity leaders have observed a significant reduction in their insurance premiums, ranging from 5% to 15%, as a result of implementing proactive risk management strategies.

The last three years have demonstrated that there is growing pressure for businesses to demonstrate their corporate commitment to ESG, and this includes the expectation for a proactive approach and governance around a thought-out framework, ‘G’. In view of the serious harm inflicted by the public exposure of personal and sensitive information from data breaches, privacy and cybersecurity should form part of any ESG framework and standard used by investors and consumers to assess the organisation’s impact on both the environment and society.

ESG is proving to be a significant challenge for companies who have exposure in either of the E, S or G, as regulators are pursuing companies who are alleged to have talked the ESG talk, but not walked the walk. This makes it imperative that business owners focus on engaging professionals to ensure that at the end of the day, their company statements on ESG reflect the reality.

Learn more at Siera Data.

¹The ESG term was originally created by the United Nations Global Compact in 2004 but the concept predated the term.
² https://corpgov.law.harvard.edu/2020/08/01/introduction-to-esg/
³ https://asic.gov.au/about-asic/news-centre/find-a-media-release/2024-releases/24-061mr-asic-wins-first-greenwashing-civil-penalty-action-against-vanguard/
⁴ https://asic.gov.au/about-asic/news-centre/find-a-media-release/2024-releases/24-121mr-court-finds-active-super-made-misleading-esg-claims-in-a-greenwashing-action-brought-by-asic/
⁵ https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-july-to-december-2023
⁶ https://www.oaic.gov.au/newsroom/oaic-takes-civil-penalty-action-against-medibank
⁷ https://www.oaic.gov.au/newsroom/oaic-takes-civil-penalty-action-against-medibank
⁸ https://www.oaic.gov.au/newsroom/oaic-takes-civil-penalty-action-against-medibank
⁹ https://www.insurancebusinessmag.com/au/news/cyber/revealed--cybersecurity-measures-slash-insurance-premiums-for-australian-firms-493030.aspx