Companies across Australia have been scrambling in recent weeks to get on top of their cyber risk, after Optus, and then Medibank, fell victim to massive data breaches.
If it can happen to two such large, well-resourced organisations, then the implication is pretty clear that it can happen to anyone. Naturally, it has been a theme at many AGMs held this month.

If a business becomes aware it has been hacked, there is a lot to think about at a time when urgency and a sense of looming disaster bring additional stress. It pays to be prepared, which includes carefully investigating potential weak spots in your organisation’s systems and minimising risk where possible, preparing a crisis management plan that identifies key personnel and responsibilities and includes cyber risk scenarios, and familiarising relevant staff with the plan. Business continuity arrangements and insurance options should also be assessed.
But the practical risk and impact of a potential hack, and a communications strategy (how, when and what to communicate, and to whom), are not the only things companies need to think about. Understanding the legal implications of a cyber incident is also crucial.
We spoke with partner Nicholas Boyle and senior associate Sarah Birkett from global law firm DLA Piper for an expert view on what businesses need to know about the law relating to cyber breaches.
What legal risks need to be thought through when you first become aware of a cyberhack?
DLA: There are a variety of legal risks. While many organisations (rightly) turn their mind to statutory and regulatory obligations in terms of reporting and notification of cyber incidents, there can be continuous disclosure obligations for listed entities, as well as contractual risks and potential liabilities. That is especially true where an organisation is providing services to other businesses and holds information about those businesses’ customers, since for a long time it has been commonplace for organisations to accept contractual commitments about data, cyber security and privacy.
As such, it is really important that organisations have proactively and prior to a cyber incident considered and documented the various risks and considerations, including by reviewing their contractual arrangements, and how the organisation will manage and respond to the risks and issues.
Who are you legally required to contact?
DLA: If there is an eligible data breach affecting personal information, then there is an obligation to report the incident to the Office of the Australian Information Commissioner and also to affected individuals.
There are also potentially obligations to report to APRA for financial services entities, to the Australian Cyber Security Centre (ACSC) for organisations that are regulated by the Security of Critical Infrastructure Act as owners or operators of critical infrastructure assets (which is now quite broadly defined and can include providers of IT and systems in the supply chain), and also to other customers or suppliers under contractual commitments.
If the affected data relates to individuals outside of Australia, notification obligations may apply under privacy laws in those countries. Organisations may also be subject to contractual obligations to notify customers of cyber incidents.
What sort of insurances are available and what legal implications should clients consider when investigating insurance offerings?
DLA: Cyber insurance is becoming increasingly expensive and difficult to obtain, not unlike D&O insurance. The risks are difficult to assess and quantify, let alone to manage, since the threat environment keeps changing and the rate and scale of cyber attacks is ever increasing.
If you want to obtain cyber insurance, speak to an insurance broker who has expertise and experience in this area and check the policy wording and coverage carefully (including, most importantly, the exclusions).
It may also help to obtain certifications or have a third party assess your cybersecurity standing as part of seeking to obtain cyber insurance, but it very much depends on what you are looking for.
What are the legal restrictions on paying ransoms?
DLA: Currently there are no laws expressly dealing with the issue of ransom payments for cyber crimes. There was a private member’s bill before the parliament in 2021 which sought to impose a mandatory reporting obligation on organisations that elected to pay a ransom in response to a cyber extortion incident, but that didn’t progress.
It is possible that, in the wake of the Medibank incident, the Government will look to introduce some regulation around the payment of ransoms in order to increase transparency and perhaps make Australia a less attractive target to cyber extortionists.
While it is possible that paying a ransom to a cyber extortionist is an offence under Division 400 of the Criminal Code Act 1995 (Cth) (which creates an offence for what is effectively money laundering type activities), it may also be possible to argue as a defence that the payment was made under ‘duress’. This hasn’t been tested in Australia, and it may be that ransomware-specific legislation will be the more relevant consideration in the future.
Is there anything from a legal perspective that clients should be considering now, before a hack?
DLA: As we said, preparation is key – know what data you have, why, where it is held and who uses or accesses it. Think about whether you need it and minimise what data you hold. Think about whether you can anonymise data rather than have it associated with an identified or identifiable person. Data minimisation is a key part of reducing the risk, since the less data you have the less can be exposed. It also then means you can better understand where to invest in cybersecurity to keep data as safe as possible.
It isn’t possible to gold plate everything against cyber attack, since threats keep changing, resources are not infinite and it is difficult to completely eliminate human error/fallibility. However, you can make it harder for information to be lost, stolen or accessed by implementing good systems, policies and practices.
It is also a good time to review and test data breach response plans and ensure that a strong culture of cyber security is implemented via staff education and training.
The Medibank and Optus data breaches, along with further hacks of smaller businesses in the weeks since, have only served to highlight the ongoing cyber threat that organisations face. The repercussions can be enormous – potential financial loss, business disruption, loss of data, reputational damage and impact on future market share. In the worst-case scenario, and particularly at a government level, incidents affecting essential services could cause severe disruption, devastating environmental impact or lead to injury or death.
In a report last year (Locked Out: Tackling Australia’s Ransomware Threat), the Government noted that 62% of small to medium businesses had experienced a cyber security incident, and 61% of executives considered ransomware attacks likely in the next 12 months.
In such an environment, companies cannot afford to assume they will not be affected. All organisations should be reviewing their exposure, as for many the question is not if they will face a cyber incident, but when.