Episode 3: Response and Recovery

In this episode, we're going to be discussing what you need to bear in mind from a legal perspective when the worst case scenario happens.

While the organisation is busy trying to contain the breach, one of the first steps from a legal perspective will be kicking off any mandatory breach notification processes. For example, under Privacy Law of personal information has been compromised. And these processes take longer than you'd expect, particularly whether circumstances are still evolving or if multiple jurisdictions are involved, and the stakes are rising. In just the last month, we've seen a high-profile US company executive criminally prosecuted in the wake of a cyber-attack in circumstances where the organisation failed to comply with relevant notification obligations.

It is not uncommon for cyber-attackers to claim a ransom. For example, in return for stopping a crippling DDOS attack or for not publicly leaking compromised information. This is reportedly the case in the currently unfolding Medibank cyber-attack in relation to which the Australian Federal Police Commissioner has strongly condemned the paying of ransoms.

No one likes disclosing bad news, but the continuous disclosure obligations that apply in context of a cyber-attack and no different to those that apply day to day. It's clear that the company's been attacked and there has been material harm suffered. It's almost certain that disclosure will be required at that point.

People also like to consider trading halts because when the company's under a cyber-attack, things feel a bit unsafe and people think shareholders shouldn't be trading. That's not the point of a trading halt - trading halts are used when the situation is developing and it's not clear whether the company has material information. Again, if you do have material information due to the fact of the attack already having occurred, you need to disclose that promptly.

We often get asked whether it's legal to pay any ransom that the attacker may claim. And while there's no law expressly prohibiting such payment, there are a range of legal considerations which need to be taken into account in the specific circumstances. It's worth mentioning economic sanctions laws in particular, which can be triggered by the  to certain criminals or Bitcoin accounts.

After an event like a cyber incident, there's often a need to conduct an internal investigation or review both to understand what has occurred and how to prevent recurrence. Like all the other elements of a response to a cyber incident, the key is planning. Think in advance about matters like the terms of reference of your investigation, who is to receive the output - is it to be shared externally, for example with your regulators, or is it just for internal use? And what steps might you want to take to protect the more sensitive information and findings?

Fines running into the hundreds of millions of dollars are increasingly being imposed by American and European Regulators on victim organisations. In the wake of the Optus breach, a bill has been introduced in Australia to significantly increase penalties for repeated and serious privacy breaches under the Australian Privacy Act. It remains to be seen whether New Zealand will follow suit.

It's important to be alive to the unfortunate possibility of claims being made against you, either by a relevant regulator or by other parties who may have been impacted by the incident.

The nature of any claims will depend on the particular circumstances and the impact of any harm suffered, but the best way to minimise liability is to ensure that you're well prepared to respond to any cyber incident as swiftly and effectively as possible and by ensuring that you have appropriate external advice available to you from the outset.

To see the video of this episode, click here.