Cyber security, cyber attacks and risk for Australian businesses: Legal Q&A with Steven Hunwicks
Major cyber attacks have highlighted the vulnerabilities of Australian businesses and organisations to the growing threat of data breaches and other cyber crimes.
In recent months, up to 10 million Optus and up to 3.9 million Medibank customers have lost personal data to hackers, and the Australian healthcare and real estate sectors (amongst others) have been hit with cyber attacks.
Steven Hunwicks, Special Counsel in HopgoodGanim’s Intellectual Property, Technology and Cyber Security practice, recently participated in a cyber security industry breakfast alongside panelists from McGrathNicol and B&R Enclosures. The breakfast forum brought together cyber security thought leaders to help business professionals such as CEOs, Managing Directors, Operational Managers and IT leads better understand the evolving cyber security landscape and highlighted key issues around cyber security and business risk for company executives.
In this adapted Q&A, Steven shares his responses to some of the key topics raised by a moderator in the forum.
Steven Hunwicks: Under Australia's Notifiable Data Breaches (NDB) scheme, organisations or agencies regulated by the Privacy Act 1988 (Cth) must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved.
In the time since 2018 when the Scheme commenced, the OAIC’s regulatory approach has shifted from being education- and awareness-based towards increased enforcement of the obligations imposed by the Scheme.
We see that there has been a shift in the regulator’s perspective. In 2018 it might have been described as: ‘We will educate you and make you aware of things that you could do differently next time to respond and recover.’ Whereas today, organisations are more likely to hear from the regulator: ‘You should have a prepared Incident Response Plan ready to go, and know how respond in a timely manner to a suspected data breach. We will hold you to the 30-day timeframe for assessing whether the event is a notifiable data breach.’
Steven Hunwicks: I’ve heard the response from businesses come back two ways: either (1) It won’t change anything, or (2) Why are they (the Australian Government) blaming me and my business or organisation by raising financial penalties?
There are some legal tests involved, but I can understand this perception. Increasing penalties is entirely predictable: These penalties are coming in after some really intense public pressure and a couple of major specific events that have happened, such as the Optus and Medibank data breaches.
From 12 December 2022, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 increased the maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches to the greater of: $50 million; three times the value of any benefit obtained through the misuse of information; or 30 per cent of an entity’s adjusted turnover in the relevant period.
For an organisation to suffer a data breach is not a strict liability offence, but now the maximum penalty of $50 million will put a big price on an organisation’s failure to take reasonable steps to protect personal information against data breaches or other serious interferences with privacy.
Steven Hunwicks: If we look outside Australia, yes. The penalties that have been levied since the start of schemes like the European Union’s General Data Protection Regulation (GDPR) have a total now of about $4.4 billion, and the largest of them is nearly a billion, thus far. The threat of higher penalties is starting to encourage discussion and is really heading in the right direction. While the new penalties themselves are unlikely to change boards’ behaviours, the enforcement of those penalties will start to have that effect.
In May this year, the Federal Court found an Australian Financial Services licensee breached its license obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks. As part of the judgment, as described by Australian Securities and Investments Commission (ASIC), Her Honour Justice Rofe “made clear that cybersecurity should be front of mind for all licensees”. She said: ‘Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.’
This IR advice decision involved a negotiated penalty, for an amount lower than ASIC was seeking, but we see that it did significantly shift boardroom behaviour. I think more discussions around the risks and consequences of enforcement can move the needle.
Steven Hunwicks: Two common issues include not talking about the risk and not having a plan to deal with events. The boxer Mike Tyson is credited as saying, “Everybody has a plan until they get punched in the mouth.” But there has to be a plan. Right? And a plan will adapt, but the plan includes knowing what information you hold, where you hold it and why you hold it. Because you won’t be able to answer those questions driving your board, the regulators or your customers unless you’ve done that internal analysis and have had those conversations.
Some of our clients have, unfortunately, had the misperception of not thinking they were ‘attractive enough as a target’ to be it. It’s important, as a business professional – whether you are a CEO, Managing Director, small business owner, Operations Manager, IT lead or in another role where you are responsible for assessing cyber security and IT risks – to understand this point in assessing risk and your vulnerability to cyber attacks and data breaches: Threat actors probably aren’t targeting your organisation. They’re targeting the risk that you have in the form of those IT system or firewall vulnerabilities, those business process and social engineering vulnerabilities. They’re going for that soft underbelly, not going for your organisation per se.
Have a plan and make sure you bring in the right people to lead discussions internally and externally. This is really important.
Steven Hunwicks: Most organisations have some appreciation that there is risk out there, but most business leaders and decision makers haven’t taken the adequate steps to protecting against that risk. It’s not a zero-risk solved question, it’s a ‘Where are we now, and where do we want to be to manage that risk in our business and to afford how we can action that plan?’ question. Sometimes too, business leaders and decision makers may have a tailored plan that’s focused on a specific mandatory data breach reporting scheme, like the one in the Privacy Act. Most organisations we deal with actually have multiple reporting obligations: They’re coming at it from different perspectives, such as considering the Security and Critical Infrastructure Act (Cth) and its notification requirements. Australian financial services (AFS) licence holders also have reporting obligations. These schemes exist in multiple domains and need to be considered by business leaders and decision makers in context.
Steven Hunwicks: I’ve got some personal feelings on this and okay, generally I like the idea of ‘Don’t pay the ransom’. But with some specific exceptions, it is not unlawful in Australia to make a ransom payment.
While making that payment may not break the law, there’s a couple of factors to consider if you are assessing whether to make a ransom payment.
I can tell you that your board and your stakeholders will have an opinion about whether you should pay the ransom. You’d probably want to think about that scenario ahead of time, and having that conversation may resolve the question very quickly one way or the other. But there will be opinions around the table.
A person can be prosecuted for making a ransom payment in circumstances where either the money could be used as ‘proceeds of crime’ to perpetrate more crimes; or where they are wilfully or negligently unaware of how the ransom payment will be used.
Additionally, to make a payment to an agency, organisation or country that’s on a blacklist, such as a sanctions list, could contravene anti-money laundering and counter terrorism financing laws.
There are some legal defences that may be available, but these are very much ‘grey areas’. If you get it wrong, you may face a penalty that can range from a fine to serious jail time, up to 25 years.
All that said, there can be legitimate reasons for a business to consider pay a ransom. One of these might be in an instance where making the payment provides some assurance (however dubious or risky) that no further harm may come once you make that payment. Another legitimate reason to consider paying a ransom is where your data has been completely locked up and your business can’t run because even the back-ups are unavailable and all the data is encrypted.
Steven Hunwicks: Firstly, have an incident response plan and stick to that plan. It will need to change and adapt over the course of responding to a dynamic incident, but the experts that you put on to the team will help you mitigate those changes.
Second, a question that a business may ask in any incident response, is ‘Should I use my existing technology service provider or managed service provider to investigate the incident?’ The answer may be a complicated one. Should we ask people who implemented the technology to also investigate the adequacy, security or other details about the technology or how it was implemented, and in circumstances where they may have contributed to the data incident? I’d suggest in this situation a business should consider bringing in some outside help, whether from your cyber security insurer or somebody else on their panel, or a specialist forensic incident response provider.
Third, I think the most forgotten aspect of incident response is that an organisation may focus on meeting its regulatory or compliance obligations, yet forget that the organisation may have voluntarily signed up to extra obligations in its contracts with customers and which may be different or much shorter than those in statutory schemes.
To avoid that risk and possible liability for breach of contract, we need to check the contracts with your customers or stakeholders, because you may find a nasty surprise there where the board wasn’t aware of those obligations in the first place.
HopgoodGanim offers a leading team of intellectual property, technology and cyber security lawyers, many of whom have scientific or technical qualifications, including information technology and life sciences. We understand the complex intersection between the law and technology, and the importance of cyber security preparedness and data breach responses. We regularly advise Australian businesses, and international businesses who seek to serve Australian customers, on practical solutions for protecting and managing information assets and complying with their privacy obligations.
Steven Hunwicks is a Special Counsel in our Intellectual Property, Technology and Cybersecurity practice and brings over 20 years of experience in various commercial and legal roles and focusing in the information and communications technology sector, Steven advises Australian business owners, entrepreneurs, government agencies, not-for-profits and international businesses with IT contracting, technology projects and strategies, intellectual property (IP) protection and privacy matters.