The impact of Environment Social Governance (ESG) is more far-reaching in its scope than most Australian businesses realise. ESG is a popular acronym on business social media channels, used to highlight a commitment to the environment, sustainability, ethical practices, and transparency. The term is also often used as a marketing device to align the business with a positive contribution to the environment ('E') and society ('S'), regardless of whether it can be demonstrated that its products and services are genuinely impactful. Vague or unverifiable terms like "eco-friendly" or "green" are often used to highlight a single environmentally friendly aspect while other harmful practices are ignored (a lack of 'G'). However, it is the 'S' in ESG that impacts organisations the most when it comes to data privacy and cybersecurity.
The ESG Concept
The ESG concept* has evolved in recent years due to a growing concern for the environment ('E'). Consumers and investors are becoming more conscious of their purchasing decisions, and businesses have been quick to capitalise on this trend by presenting themselves as environmentally friendly. The consequences of greenwashing are significant. It misleads consumers who genuinely want to make environmentally or ethically responsible choices. By promoting false or exaggerated claims, businesses misrepresent their actual environmental impact. This has led to a false sense of satisfaction among consumers and investors who believe they are making a positive difference when they are not, and it has been accompanied by an increase in greenwashing claims.
*The term ESG was originally coined by the United Nations Global Compact in 2004, but the concept predated the term.
What is ESG?
Environment Social Governance (ESG) is a set of standards, policies and metrics used by organisations and investors to assess their impact on both the environment and society. Governance covers the oversight of the environmental and social factors used to measure the non-financial impacts of particular investments and companies.
‘Introduction to ESG’, Harvard Law School Forum on Corporate Governance (1)
The Rise in Greenwashing
The Australian Securities and Investments Commission (ASIC) won its first greenwashing civil penalty action against Vanguard Investments Australia in March 2024 (2). Following this, ASIC was successful in its claim against Active Super in June 2024 (3). In both greenwashing actions, the Federal Court found that Vanguard and Active Super contravened the law by making misleading representations concerning their ESG credentials.
In the case of Vanguard, there was a failure to research or screen against securities in its Index Fund that were still conducting significant activities in industries involving fossil fuels. Similarly, Active Super claimed that it had eliminated investments in its superannuation fund which posed too great a risk to the environment and the community. Some of these risks included gambling, coal mining and Russian investments. The Federal Court, in its decision, found that these green credentials were misleading investors, potential investors and ordinary consumers who trusted and bought into the claims.
Beyond the more publicised impact on the environment, the risk of 'S' (social) when it comes to ESG breaches is more understated. Social risks such as workplace health and safety, human rights, supply chain relationships, and diversity do not incur the same level of public exposure as their environmental counterpart. Instead, the neglect of these types of social issues is seen as stemming from a deficient workplace culture. When considering the serious harm to individuals and society when personal information is compromised, it is arguable that the public exposure arising from privacy and cybersecurity breaches, as a social risk, is as significant as any environmental ESG breach.
OAIC
The Office of the Australian Information Commissioner (OAIC) reported a 19% increase in data breach notifications received in the June - December 2023 reporting period, when compared to the previous six months. Interestingly, the sources of the reported breaches included malicious or criminal attack (67%), human error (39%) and system fault (3%) (4).
In June 2024, the OAIC filed civil penalty proceedings in the Federal Court against Medibank Private Limited in relation to its October 2022 data breach. The claim was made for 'failing to take reasonable steps to protect the personal information from misuse and unauthorised access or disclosure', in breach of the Privacy Act 1988 (Cth) (5). The personal information of millions of current and former customers of Medibank was accessed by threat actors and published on the dark web. This attack exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime (6).
The direction taken by the OAIC no doubt sends a strong message to the Australian business community about the consequences of data breaches, and about the serious interference with privacy that such breaches inflict on individuals on a large scale. The action serves as a wake-up call for businesses to invest in cybersecurity defences. It further reinforces the ethical obligations and legal duty businesses have to protect the personal information of the individuals who have entrusted it to them (7). In fact, a recent survey conducted by Tenable (8) published results revealing that 44% of Australian IT and cybersecurity leaders have observed a significant reduction in their insurance premiums, ranging from 5% to 15%, as a result of implementing proactive risk management strategies.
A Proactive Approach
The last three years have demonstrated that there is growing pressure on businesses to demonstrate their corporate commitment to ESG. This includes the expectation of a proactive approach, with governance ('G') built around a thought-out framework. The 'S' in ESG impacts organisations the most when it comes to data privacy and cybersecurity.
When considering the serious harm inflicted by the public exposure of personal and sensitive information after a data breach, privacy and cybersecurity should form part of any ESG framework. They should be a standard used by investors and consumers to assess the organisation's impact on both the environment and society.
ESG is proving to be a significant challenge for companies with exposure in any of the E, S or G, as regulators are pursuing companies alleged to have talked the ESG talk but not walked the walk. This makes it imperative that business owners engage professionals to ensure that, at the end of the day, their company statements on ESG reflect reality.
Reach out to Siera Data to learn more.
References
1. https://corpgov.law.harvard.edu/2020/08/01/introduction-to-esg/
2. https://asic.gov.au/about-asic/news-centre/find-a-media-release/2024-releases/24-061mr-asic-wins-first-greenwashing-civil-penalty-action-against-vanguard/
3. https://asic.gov.au/about-asic/news-centre/find-a-media-release/2024-releases/24-121mr-court-finds-active-super-made-misleading-esg-claims-in-a-greenwashing-action-brought-by-asic/
4. https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-july-to-december-2023
5. https://www.oaic.gov.au/newsroom/oaic-takes-civil-penalty-action-against-medibank
6. https://www.oaic.gov.au/newsroom/oaic-takes-civil-penalty-action-against-medibank
7. https://www.oaic.gov.au/newsroom/oaic-takes-civil-penalty-action-against-medibank
8. https://www.insurancebusinessmag.com/au/news/cyber/revealed--cybersecurity-measures-slash-insurance-premiums-for-australian-firms-493030.aspx