Managing Data Breaches and Cyber Incidents
What area(s) of law does this episode consider? Cyber security and privacy laws.
Why is this topic relevant? Our personal data is collected, stored, analysed and disclosed by corporations and government agencies every day, and is sometimes passed on to external third parties, which means this information can be exposed in the event of a cyber security attack. The effects of such an attack are not only the loss of data and the cost of recovering from the attack but, in some instances, a loss of reputation, which can be critical. A study by global cybersecurity firm Webroot surveyed 600 SMEs in Australia, the UK and the US about the average cost of a cyberattack to their business. In Australia the average figure is approximately $1.89 million. Half of the Australian respondents to that study indicated that their business would face costs of more than $1.3 million if critical client or business records were lost. As our world increasingly moves to operate completely online with the rise of e-retail, e-commerce, cloud-based platforms and, particularly, working from home due to COVID-19, it is important to be aware of best practice for preventing a cyber attack and of how to manage the situation if one has taken place.
What legislation is considered in this episode? Reece mentions the Privacy Act 1988 (Cth) generally. Regulators that oversee cyber incidents include:
Foreign legislation and organisations mentioned in the episode include:
What cases are considered in this episode?
What are the main points?
What are the practical takeaways?
Show notes: ACCC Scamwatch Website
David Turner: 1:00 | Hello and welcome to Hearsay, a podcast about Australian laws and lawyers for the Australian legal profession. My name is David Turner. As always, this podcast is proudly supported by Assured Legal Solutions, a boutique commercial law firm making complex simple. Our personal data is collected, held, analysed and disclosed by large corporates and government agencies every day. Since our personal and sensitive information is being stored in the networks of these public and private organisations, unauthorised third parties’ access to those networks, or data breaches, have been capturing the public attention for years. Sony, Adobe, Equifax and Facebook are just a few of the major corporations that have had to deal with the public scrutiny associated with a large-scale data breach. Data breaches no doubt mean a lot of long nights and hard work for cyber security professionals, but in addition to the technical response there is a legal response required as well, and joining me today to talk about legal responses to cyber security breaches is Reece Corbett-Wilkins, senior associate and member of the Cyber Incident Response team at Clyde & Co. Reece, thanks so much for joining me on Hearsay. |
Reece Corbett-Wilkins: | Thanks for having me David. |
DT: | Now let’s talk about your role. You’re described as a breach coach, now in 15 words or less what is a breach coach? |
RC: 2:00 | Yeah so practically speaking our role is really to guide an organisation through an incident and provide them with the benefit of our experience of having dealt with incidents hundreds of times before. So really our job is to pick up on the blind spots that an organisation has in their response. We try to get the client to where they need to be as quickly and cost effectively as possible. I suppose breach coach is a very US-centric term; we’ve been described as a number of different things: incident response managers, cross managers, quarterbacks. Most recently I had a client call me a shepherd leading them through the depths of the valley and out the other side again, so that was a new one. |
DT: 2:00 | That’s quite a glowing but a bit of a biblical review there from the client. Now that’s interesting because often when we talk about the product we provide to our clients you know we’re talking about legal expertise or selling knowledge but it sounds like what you’re selling as much as knowledge is experience. The experience that comes with handling a lot of these once in a decade kind of corporate crises. |
RC: 3:00 | Yeah and that’s exactly the point I think that clients tend to lean on us for. It is not only our own experience and obviously the professional experience and advice that comes with that, but also the experience of other clients in similar situations, and in particular where we see certain types of events occur that impact an industry at the same time. There’s a number in the headlines at the moment where organisations are dealing with ransomware incidents where data has been taken and then dumped online. The public is watching how those organisations respond, and often organisations actually call us to gain the benefit of the experience of others, so that there’s that herd mentality approach, ensuring that clients ultimately at the end of the day are taking the best practice approach and responding accordingly. |
DT: | I suppose because it is such a new and evolving area there’s not a huge wealth of experience out there in the market generally and when clients are looking for some kind of touchstone of experience to get through this new experience, it’s a team like yours that they go to. |
RC: 4:00-5:00 | Yeah exactly, and really the benefit of our service is not only our own experience but also a panel of vendors that sit behind us. TIP: A breach coach is a bit like a project manager for responding to cybersecurity incidents. It’s an important role because the first 48 hours immediately following a cyber breach are crucial: doing the wrong thing in this window could make an already devastating situation worse. This is where your breach coach steps in, helping to pull together an interdisciplinary team to initiate the most appropriate response. So whilst we are legal advisors and we can advise on legal compliance issues as well as more general commercial responses, as well as communication strategy and all of that, we also have a panel of about 80 vendors that have various specialisms. Some of them provide security advice to try and get systems back up and running; others will provide deep forensic analysis services where they need to actually do a look-back exercise to understand exactly what happened, so that you can make informed decisions about data risk. Others provide PR and crisis management support services, right down to dark web monitoring services, threat actor negotiation and facilitation of payment services. There’s a whole range of vendors that ultimately offer this combined off-the-shelf service to clients depending on the type of incident that occurs. |
DT: | So you’re kind of a diagnostician almost and you’re looking for the tool that will fix the particular problem that the client’s facing? |
RC: 6:00 | That’s exactly it. I suppose the question is how do you deal with the client when they call? It ultimately depends on where they are in their journey. So some clients will call us right at the outset when they’ve identified an incident and they need to know where to go from there. Others will have tried to deal with it internally, and they might have quite sophisticated internal capabilities, but they get stuck and they need that bit of assurance to get to the next point. Others call at the 11th hour right before they make a key decision, such as notifying regulators or notifying individuals, and they really want the benefit of that crisp advice right before doing so. So it really does depend on the type of incident as to how we provide that service, but our goal is always, at the outset in particular, to try and understand what has happened, where the client’s up to, and map out a strategy for dealing with that incident from that point onwards. |
DT: | Let’s talk about an example where a client might have come to you early in that process and they’ve called and said, ‘Reece I think our data has been compromised, what do we do now?’ What’s your first step with the client? |
RC: 7:00 | Yes, the first step is to really map out where they are up to in their knowledge of what’s actually happened, so that you can be very quickly aligned with their understanding. So it’s asking really the fact-finding questions about what has happened, when did it happen, and how did it happen, to the extent they know (and often they don’t); who is it impacting, is it impacting the client themselves and impacting their clients in a supply chain, is it data that’s been dumped online, is it just suspicious activity? It’s really trying to get a grasp of the incident type and the effect of that incident on the organisation. And really beyond that is then matching the client’s internal capabilities to respond to it with that panel of vendors to provide that support. Ultimately the goal in those initial stages is to help contain the incident, so really stop the leakage of data or contain the impact of the incident. So it might be providing advice on very simple things like, if they know their email account has been breached and somebody’s in their email account sending out emails, then giving them the practical advice about resetting passwords, perhaps implementing increased security controls like multi-factor authentication. It’s really basic key initial mitigation advice, but beyond that it really then is matching up that client with a vendor who has that specialism to provide that ongoing support, as well as the legal advice that’s all around that. |
DT: | You mentioned earlier that for some cyber incidents there is a step that needs to be taken, which is notifying the regulator, and who is the regulator for these sorts of incidents? |
RC: 8:00-10:00 | It’s a really good question. The initial regulator that governs this in Australia is the OAIC, the privacy commissioner. TIP: The Office of the Australian Information Commissioner is the independent regulator for privacy and freedom of information. In addition to taking privacy complaints, notifiable data breaches must be reported to the OAIC. A notifiable data breach occurs when the following criteria are met:
If these three things have happened, then a notifiable data breach has occurred. Their remit is to monitor compliance with the Privacy Act and the Notifiable Data Breaches scheme in Australia, but in Australia there are other regulators as well that touch on privacy and data risk. The ACCC most recently dipped their toe in data and use of data for competitive advantage purposes and market influence purposes. Obviously, the corporate watchdog ASIC looks at this in terms of directors’ duties. ASX is keen to understand how publicly listed entities deal with continuous disclosure obligations around the impact of incidents. APRA deals with financial institutions and understanding whether our critical infrastructure from a financial institution perspective is sound, because obviously if there’s impact to data and systems that impact the economy then they want to know about that, with reporting obligations under the APRA scheme that came in place last year. So there’s a number of regulators that overlap with one another and have a part to play. But ultimately the first and most immediate audience for regulatory response is the privacy commissioner. Of course that’s just in Australia. There’s obviously regional and global data protection authority regulators that we have regard to depending on the type of incident. Say for example if it’s a global incident affecting people around the world, that of course might warrant notifications in overseas jurisdictions as well, which we routinely deal with. |
DT: | Yeah I suppose if you had a publicly listed bank in Australia experiencing a cyber incident then you’ve potentially got the ASX in terms of continuous disclosure, the Information Commissioner in terms of notifiable data breaches, APRA, ASIC; you have a whole range of different regulators who are looking for an update, but possibly for entirely different reasons, and with entirely different emphasis. |
RC: 11:00 | Yeah completely, and it’s funny that the more we do this work the more we see regulators come out of the woodwork. So we had, just as an example, Christmas last year, a very small real estate agency who unfortunately had a vulnerability in their website which meant that every time a tenant uploaded their tenancy application form, together with all the supporting information like licences etc, it was actually leaked out online and indexed by the Wayback Machine and the Australian National University’s indexing site. So effectively all this information was online, and the relevant regulator in that case was actually the state-based regulator that dealt with real estate agents, so the equivalent of Fair Trading. So in that case not only did you have the privacy commissioner at the Commonwealth level to deal with, due to the tax file numbers and other information which was part of all of that, you also had the Fair Trading equivalent in that state dealing with it from that perspective. |
DT: | You mentioned notifying regulators around the globe as well. I suppose one international regime that many Australian companies would be familiar with is the GDPR, because of the potentially far-reaching consequences of that regime where a European resident person accesses a service provided by a company that’s a resident in Australia. What’s your experience been with the GDPR and how do you deal with the relevant regulator there? |
RC: 12:00-14:00 | The relevant regulator, depending on where the company ultimately designates the jurisdiction in Europe, could be all over Europe, but more often than not we’re dealing with the ICO in the UK. In the first year of the GDPR coming into effect I think something like 60,000 notifications were made to the ICO in the UK, so a very very large scheme with a high volume of notifications. TIP: The ICO, or Information Commissioner’s Office, is the UK’s version of the OAIC. The GDPR, or General Data Protection Regulation, is the EU equivalent of the Australian Privacy Act. The GDPR and the Privacy Act 1988 share many common requirements, including:
Importantly, the GDPR can apply to an entity that collects personal information even if the entity isn’t resident in or incorporated in the European Union. Examples of Australian businesses that might be covered by the GDPR include:
Those examples, particularly that last one, potentially catch a lot of Australian e-commerce businesses. I think over two years since the scheme has been in place it has now petered out. Organisations are now treating the GDPR and the notification requirements probably in a little bit more of a measured way. But in terms of the answer to the question of how do you do that from Australia, we have a number of clients, either that are globally based or, as you say, solely in Australia but have information about European residents, having data breaches. So we’ve dealt with a couple of organisations in Australia that have dealt with this scenario, so e-retail is a good example, or e-commerce, social dating websites, all of those kinds of online platforms that ultimately collect information about individuals around the world. And in answer to the question about how do you respond to that, it’s tricky, because you have a number of overlapping notification regimes that might apply to the same incident. They have different threshold requirements for notifications, they have different timelines for notifications, they have different tests about whether or not it is a data breach that requires a notification, and so the very first step that we do is we try to identify the residency status of any individual whose information might be caught up with the breach. And then work your way through ultimately the matrix of the different jurisdictions and the timeframes against all those jurisdictions, and have that overarching lens through which we view when we’re investigating the incident. |
DT: 15:00 | That must be an enormous undertaking where you have a business that might be providing purely digital software products to consumers all over the world. |
RC: | Yeah it is, and I mean we get very good at knowing the hotspots. We know even regionally, in our region down here, there are a couple of jurisdictions, the Philippines is just one, there are others in our immediate Asia Pacific region which have fairly active regulators and also fairly active data protection laws, so I suppose it’s a matter of going through those jurisdictions one by one and ensuring you tick them off. But to your point about the undertaking, I think that’s probably a blind spot that some organisations probably have in terms of actually understanding their regulatory compliance obligations around the world and how to deal with that in real time following an incident. |
DT: | Can you tell us a success story about a situation where you were able to contain or respond particularly well to one of these cyber incidents? |
RC: 16:00-18:00 | Yeah of course, and some incidents we deal with, I will be honest, are in the front page news and they’re headline grabbing and very sexy and interesting, but to me they’re not really the ones that stand out. I think the ones that really stand out are the little guy, the small company that has an incident and you’re able to help them get to where they need to be very quickly and ultimately save their business from potentially fairly disastrous consequences. One particular incident that stands out, just before Christmas a couple of years ago, I remember the day we got a call at 6:00 AM on a Monday morning and the client had had a ransomware incident which effectively locked up all the systems and their data, and this particular client was a trucking company. So not one which you might immediately think has a data or cyber risk exposure, and they effectively said to us that if we can’t get our systems back up and running then the truck drivers won’t know where to deliver petrol to. And they had one particular client which was the public bus companies that drive the public buses around the streets, and they source all their fuel from one particular supplier, and they said that if they don’t get fuel within the next two days they will run out of fuel, and unless they can source an alternative location for fuel the buses won’t run. And so when you take a step back and think about that particular type of incident, that could have very significant downstream impacts on the economy if people can’t get to work, if they can’t get an alternative source or means of getting to work by car or walking or working from home. It really can have an impact on the broader economy through these incidents. This client, through a lot of hard work and frankly getting a lot of people to help them out, in two days were able to stand up their systems.
The truck drivers were able to get to work and deliver the fuel, and it was a great success story, and a very near miss. But I suppose it’s those kinds of scenarios where that story will always stick out in my mind, and is one of those types of incidents where, but for a successful recovery effort, we would have had a very different conversation. And I suppose in my mind it also raises questions around supply chain management and business continuity planning, and identifying single sources or points of failure in a supply chain, and understanding how do organisations coexist with one another and ultimately get around these incidents should they occur. |
DT: | Yeah I suppose when you talk to an engineer they talk about building redundancy into a system so that it can withstand a failure, and that story highlights that I suppose it’s part of your role, when you are responding to an incident like that, to identify ‘well that’s a real weakness in the supply chain management in that business.’ |
RC: 19:00 | Completely, and we see it all the time as organisations share more and more data with other organisations to do business. So if you even think about any one of your mission critical applications that you use at work, it might be a time recording system, it could be your file storage system, it could be any one of the applications that you use, even just your email system, we’re so highly dependent on platforms and data being ultimately processed by another entity outside your environment. I think this is a missing piece for organisations as they rushed to use the cloud and cloud-based platforms over the last five to 10 years to do business. All a great idea, all very cheap and convenient, but it does come with risks, and I suppose organisations probably do need to look at not just their own environments in terms of data protection, but also all of the service providers that sit around their environment, and understanding what is the impact on that business if that provider had a downtime issue, or if that provider had a data breach issue leaking their data outside their environment. |
DT: 20:00 | That’s a great point you raise, because I remember speaking to a client relatively recently about their privacy policy and the way their privacy policy dealt with disclosure to third parties. They were dealing with particularly sensitive information and said look, we really don’t want to disclose to third parties without some explicit consent, some specific consents from our users. But the reality is that we disclose customer data and our own data to dozens of external parties, whether that’s Amazon Web Services or our email provider or whoever, almost every day. I’m glad you mentioned ransomware. I want to come on to that in a moment, but before I do, can you tell me about a cyber incident that you don’t think was handled particularly well? Hopefully this isn’t one that one of our clients experienced, of course. |
RC: 21:00-24:00 | It is a good question. We do often see this occur with certain types of incidents, and I think the root cause of why people mishandle the responses is they probably don’t realise what’s actually happening behind the incident, and they often rely too heavily on their IT provider for guidance about how to respond, because I think people associate data and cyber incidents as being an IT issue without appreciating the underlying mechanics of not only that incident but also the impact from, say, a legal or privacy perspective. So one particular example where this applies is handling what we know is called business email compromise incidents, and so that type of incident is really where a threat actor or the cyber criminal is able to gain access to somebody’s email account. They often do this remotely, and once they’re inside that email they usually do a number of different things. They will try to commit invoice fraud, so they will send out false instructions to creditors or payers with false bank account details and attempt to misdirect funds away from the intended recipient. They will distribute phishing emails from within that mailbox to unsuspecting contacts of the mailbox, with the hope that they can leapfrog into those people’s mailboxes. Or they will actually try to hijack the email accounts to send these fraudulent emails almost as a weapon to gain information or money from their victims. So that’s the business email compromise style event that we see all the time, and most commonly people see it when they frankly receive an invoice and pay it into the wrong account; that’s all they see. Behind this kind of incident though, if you speak to an IT provider they might say to you that this is a low-grade style security incident where the response is simply that you need to reset the password to the account, implement multi-factor authentication, delete any forwarding rules and move on.
But of course what they miss is the privacy impact. They miss the fact that the threat actor has very often been in the mailbox for a very long period of time, they’ll miss the fact that they potentially synchronised the mailbox and have actually taken all the emails outside of the environment forever, they might miss the fact that the emails have been forwarded out of the environment, and so we’ve seen a lot of clients impacted in this way, and particularly law firms as well, whose information is forever outside the control of their own IT environment. TIP: In February 2020 the OAIC said that malicious or criminal attacks, including cyber incidents, remain the leading cause of data breaches involving personal information in Australia, with almost one in three breaches linked to compromised login credentials. Some other key findings of the OAIC’s latest Notifiable Data Breaches (NDB) Report include:
The problem with all of this is that not only is there a residual privacy risk, because there’s a potential for misuse of any of that data that’s now outside the environment, we actually are seeing targeted attacks off the back of these types of mailbox breaches. We’ll see payroll information for example being misused to commit payroll fraud, we’ll see, as I said, a phishing email sent for invoice fraud purposes, so I see a number of activities sitting around the misuse of data that’s been taken from a mailbox. The privacy commissioner this year has called out this particular type of incident and said this is occurring on an epidemic scale across Australia. It’s not just a security issue, it’s something that organisations must investigate and thoroughly respond to from a privacy impact assessment perspective, and going forward organisations need to reduce the amount of data that they’re actually storing in their mailboxes, because we’re all guilty of it, everybody stores years and years of data in those mailboxes, the cheap data storage, but unfortunately that impacts the severity of these incidents when they occur. So it’s a very long way of saying if a client doesn’t treat that type of incident in the appropriate way it can have fairly significant downstream impacts. |
DT: 25:00 | That’s an interesting way of looking at it, I suppose, because as you say, an IT professional might say ‘well there’s not much of an IT issue here, right? Someone has found your password or obtained it from you with some social engineering approach or something like that, so change your password,’ right? But that’s an approach that’s driven by an assessment of the level of technical expertise required to remedy it, rather than focusing on the outcome, and I suppose as lawyers we can be no better. You know, we can sometimes say that we’re assessing your problem based on its legal and technical complexity, not on the severity of the outcome. But I suppose to paraphrase what you’re saying, a data breach specialist or a cyber incident specialist is really looking at the privacy impact of the incident rather than the technical expertise required to fix it. |
RC: 26:00 | It’s all of that. So our role is really to have a good level of understanding of the various ways in which these incidents impact the business, from a compliance, from a governance, from a purely technical, from a privacy, from a legal perspective, and that’s ultimately why the panel that we set up has all those different specialisms. So our role is to triage and identify the issue and make sure it’s addressed appropriately. But I think coming back to the genesis of why you see that mishandling, if you will, of that type of incident, is I think organisations, particularly decision makers in organisations, are afraid to engage with the subject matter of cyber because it’s this nefarious concept that is, you know, perhaps all too scary and difficult to comprehend. But I think as we move forward organisations just need to be comfortable with asking the hard questions and almost admitting that perhaps this isn’t their area of specialism, but being comfortable enough to engage with the material to ensure that the right questions are asked, so that the matters are addressed in the appropriate way. |
DT: 27:00 | Now some of our listeners might be interested in what we’re talking about not just as advisers talking about privacy law aspects, but also because more firms are a major target of phishing attacks and end up with the kind of attacks we’re describing. Phishing is one of those words that we hear a lot, but that maybe we don’t always use correctly or don’t fully understand. TIP: Phishing is a type of social engineering attack, which basically just means tricking someone into giving you access, and it’s often used to steal user data, including login credentials and credit card numbers. Phishing usually occurs when an attacker, masquerading as someone trustworthy, dupes a victim into opening a malicious link or attachment in an email, instant message, or text message. That then leads to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information to the attacker. I think in years past it was banks and government institutions that were the main target for these kinds of phishing attacks, but when their security became too competent, law firms were a good alternative as gatekeepers and holders of a lot of the information of those sorts of agencies. What can our listeners, who might be working in or even running a law practice, do to look out for phishing attacks and similar attacks that might compromise their or their clients’ data? |
RC: 29:00 | To your point around law firms being the middleman, I think that’s a critical piece that law firms and professional service providers more generally need to realise: that we are a key middleman in a supply chain, usually with two customers or two clients on either side, or whatever that looks like. Not only do we hold a lot of sensitive information about our clients, and so in that way we’re really the soft underbelly of our clients’ information, if you will, we also direct payments and we also hold money on trust for our clients. So we are a very natural target for these types of attacks. And you asked the question about how do you train staff or how do you manage the risk of phishing emails. There’s a few things that all clients can do. The first is education and awareness: educating your employees to become cyber literate. The way that we try to explain it to clients is we say that employees are the last line of defence where technical controls fail, and so it’s really critical that employees know how to spot a phishing email, they know how to engage in good practices such as securely sharing historic data, so for example not sending spreadsheets of client details by email if they’re not password protected, really basic things like that, and you know, good password practices is another example. What we’re seeing at the moment with COVID, with the rush for people to work remotely, is we’re seeing some really good thought leadership come out of the privacy commissioner’s office and other resources as well, trying to educate users about how to stay safe online while at home. So what you’re doing there, the strategy is to actually make it personal to individual employees at a personal level, on a family level, because if they see cyber risk as a way to protect their family wellbeing, then they’ll develop good habits, and those good habits will then translate into the workplace and ultimately benefit the workplace and frankly our economy as well. |
DT: 30:00 | Yeah that’s interesting, looking at it as a kind of a personal risk thing rather than as a professional risk thing. I imagine a lot of your clients are not just looking for assistance in responding to a particular incident. They might originally come to you for that purpose, but ultimately they are asking you to help them prepare for future incidents, and of course prevention is so much better than a cure. In addition to the kind of technological or information technology protections that a client can put in place, what can businesses do from a legal perspective to prepare themselves for a cyber incident? |
RC:
31:00 | It’s a great question. There’s probably 3 things that we’re speaking to clients about at the moment to deal with this on a cyber prevention basis. The first is really to have an incident response plan in place, and I know it sounds silly, but test that plan regularly, because people within the organisation move on and often the plan itself becomes stale. So prior to COVID we were regularly running workshops with clients to simulate these cyber events occurring and testing their response. By running these exercises organisations are able to identify blind spots in their own organisational response as well as develop muscle memory about how to respond quickly and what to do next. I think one of the practical benefits as well of these incident response planning sessions is, you know, the key functions of say your HR, your legal, your IT, your risk management, sometimes for the first time are actually meeting each other around the table, staring into the whites of each other’s eyes and actually having a conversation about how- |
DT: | -a new interdisciplinary kind of exercise… |
RC:
32:00
33:00 | And that’s one of the key benefits we see, that evolving teamwork and solidarity come through those exercises. So that’s the first thing. The second thing from a purely legal perspective is to, and as dumb as it might sound, really get a good look at your contracts with your supply chain vendors. Have a look at the bare basic things like what are the obligations on either party to actually hold data securely, to ensure that you communicate with one another if there is an incident involving either party. So there’s that communications piece, and critically for the Privacy Act and the Notifiable Data Breaches scheme, if there is a data breach on one side of the fence of the supply chain and it involves your data, ensuring that you have a plan in place to understand who will investigate the incident, who will take ownership of notifying customers and the regulator about that incident, because we often see these multiparty data breach incidents become very fragmented in terms of the response, and ultimately nobody wins in that scenario and it causes quite a lot of grief and frankly liability exposure as well. The third conversation starter that we have with clients at the moment is about buying cyber insurance. There’s been a lot of talk in the last few years about cyber insurance and it’s certainly starting to grow in terms of it being a product line that people buy, but at the moment you’re looking at probably about 10 to 15% of organisations having cyber insurance. So unlike the US, for example, where that number is about 50%, there’s huge room to grow in Australia selling that product, and cyber insurance itself is a really great product to offset some of the financial risk of an incident. It covers the losses and the costs and the potential liability exposure that clients have arising out of an incident, and so we are recommending to clients, if they haven’t already purchased it, to at least have a conversation with their broker to understand how cyber insurance could fit within their overall risk management framework and have a good understanding of what that looks like. I think practically speaking as well, insurance isn’t just a promise to pay, it’s not just a piece of paper that provides access to capital, although of course that’s at its heart what it is, it’s an insurance contract. Insurers have spent a lot of money, time, resources and effort building these capability teams around the product itself so that clients can have a toll free number to call at any time of the day, any time of night, pick up the phone and get access to those resources straight away to mitigate those losses. |
DT:
34:00 | I’m glad you mentioned that actually, because we’ve had some other guests on the show from insurers, or who work in insurance, and as you say there’s indemnification under a policy, that’s the core of the product, but you also do get access to support in those early stages of making a claim, of how to mitigate the loss that’s arising from the situation that goes to their claim. Tell me a bit more about how the policy works. So you may make a notification under the claim; is it a sort of claims made or notified policy where it has to do with a cyber incident taking place during the policy period, or how does it work? |
RC:
35:00
36:00
37:00 | Yes, there’s a lot of probably confusion about how cyber insurance works, and there’s also a misnomer in the market that cyber insurance doesn’t pay. And just on that point very quickly, our experience couldn’t be further from the truth, and so I really hope that listeners listening in do consider that this is a viable product. We’re not an insurance company of course, so we are at arm’s length, but we do see the benefit of insurance paying out and helping clients through these scenarios. TIP: Before Reece dives in here, let’s just take a moment to consider the economic impact of a cyberattack on a small to medium sized business, and when cyber insurance might be useful to a business: A study by global cybersecurity firm, Webroot, surveyed 600 SMEs in Australia, the UK and the US, as to the average cost to that business of a cyberattack. In Australia, the average cost of a cyberattack for a small to medium sized business is around $1.89 million. Half of Australian respondents to that study indicated that their business would face costs of more than $1.3 million if critical client or business records were lost. And now to the question of how it works, so it’s really two types of policies built together. The first half of the policy is what’s called first party costs coverage; in other words it pays for the costs that an organisation incurs in dealing with an incident. Some of those costs include the advisors that they engaged to help with the response to the incident, it could include some business interruption cover if there’s an outage or there’s a loss of revenue as a result of an incident, it could cover, depending on the wording itself and the type of cover purchased, the financial loss of misdirected funds and fraud events, but really ultimately it’s covering those most immediate direct financial costs and losses of the client. And just on that point, clients should ensure that if they want to buy all of that cover, they should have a conversation with their insurers, because products change over time, the wording changes, the scope changes over time, so just make sure that those products are current. I said there were two sides of the policy, so that’s the first part of the policy. The second part of the policy is the liability claims style policy, and that’s no different to your professional risks policy. You were mentioning before the claims made or notified policies; it’s no different to that. So what it typically would cover in those cases is any liability exposure or any defence cost that you might incur, any compensation an organisation has to pay to a claimant, or, to the extent insurable by law, fines and penalties that might be levied against an organisation arising out of incidents. So it really is that kind of backstop liability defence style policy that picks up, and I think practically speaking organisations are buying the policy more for the first part of the policy, getting access to funds and reimbursement for their own costs, but increasingly over time, as the litigation landscape heats up, as the regulators become more active, organisations are looking to that liability side of the policy to pick up their exposure. |
DT:
| Yeah, so it really is covering not only your exposure to third parties in terms of the loss suffered by third parties as a result of a failure to maintain the security of their data, but also the loss that you’re suffering yourself. Let’s talk about ransomware. This is another discrete kind of cyber incident and it came to the attention of a lot of our listeners probably after the WannaCry attack in 2017. What is ransomware? How does it work? And I imagine there are some probably unique legal issues that ransomware presents. |
RC:
38:00
39:00
| There are. TIP: WannaCry was an example of malicious software, or malware, used by cybercriminals to extort money. The WannaCry attack of May 2017 attacked computers using Microsoft Windows as an operating system. It encrypted user data and demanded payment of a ransom in the cryptocurrency Bitcoin for the release of the data. The attackers initially demanded $300 worth of Bitcoin, but later increased their demand to $600. Victims were told that if they did not pay the ransom within 3 days, their files would be permanently deleted. The usual advice when it comes to ransom payments is not to cave to the pressure, which of course, depending on the data you are unable to access, might be easier said than done. This advice, however, proved wise during the attack. It is said that the WannaCry attackers had no way of actually associating a payment received with a particular victim’s computer, so paying certainly gave no guarantee that your data would be safe. There are mixed reports as to whether affected users who paid their ransom got their data back. So ransomware really is malware, which is malicious software, a virus, a computer virus if you will. It’s an attack where the threat actor will gain access to somebody’s system, they will install this malware and it encrypts the systems and the data. So practically speaking the threat actor will have gained access to the system and then ultimately shut down the organisation’s systems. And that’s where these incidents can have a particularly significant impact. So, for example, if you think about healthcare service providers, logistics companies, manufacturing industries, etc., they are obviously vulnerable to the immediate impact of systems being unavailable. |
DT: | Absolutely. I mean I think it was healthcare that was a particular target in the WannaCry attack. |
RC:
40:00
41:00
42:00 | Yeah, exactly right. So the ransomware aspect, so the ransom side of the malware attack, is really the threat actor extorting money for their criminal enterprise, trying to monetise their criminal activity. Typically, prior to this year, the way that they did that was they would demand a sum of payment in consideration for the decryption keys, so the keys which would unlock the data and allow the systems to be restored again. So whilst there are a number of legal, ethical, moral and security considerations at play in dealing with whether or not you pay ransom demands to get these keys back, often organisations at their heart will have to weigh up the financial impact of the delay that’s caused by responding to the incident and restoring systems against the cost benefit of buying the keys. So that’s the price point that clients will typically deal with, and most companies obviously don’t deal with threat actors and they don’t actually pay, but a lot of companies do, and frankly companies do with very good reason, and it’s some of those examples about healthcare and things like that. We’ve had our clients in those scenarios where the immediate impact of the unavailability of their systems actually put people’s health and wellbeing and lives at risk, so that was a consideration for them. I think this year ransomware has taken on a whole new face. So whereas previously we were talking about systems unavailability and buying back the time it took to restore without the keys, this year threat actors are now taking it one step further and they are holding their clients ransom by threatening to dump data online that they’ve actually taken from that target victim’s systems prior to exiting the system. The goal here really is to leverage the reputational impact of public disclosure of confidential and sensitive data to extort funds from target companies. These ransom demands are absolutely eye watering. What we’re seeing at the moment is demands averaging USD $1,000,000, and that’s middle ground. We’ve seen others much bigger than that, in the tens of millions of dollars, and so really the clients are having to weigh up the risks and the impact to their employees, to their business, to their clients around the disclosure of that data in a public space. Unfortunately, this year it’s throwing up a lot of legal questions, not only just about the legality of paying ransoms, but engaging with criminal enterprises and how do you manage that quagmire altogether. So there’s a lot of legal issues arising out of this. |
DT:
| Yeah, I mean that’s an entirely separate kind of ethical quandary, particularly for a large organisation that probably has an anti-corruption and bribery policy, to grapple with making a payment to a criminal to protect the security of their data. I suppose that’s as much a legal issue as it is an ethical one really. The point you raised was interesting, that at the end of the day it is a cost benefit analysis, or an analysis of the economic value of being locked out of your system for another 2, 3, 4, 6 hours over paying the ransom and getting back to normal. |
RC:
43:00
44:00 | Completely. And from a purely legal position, because we are asked it all the time, is it legal to pay? The answer is it’s not expressly illegal to pay, and then that isn’t really why they won’t understand the risk that sits around it. To your point about anti-bribery and corruption, clients do have to consider very, very carefully whether or not they are paying a sanctioned entity or somebody in a sanctioned country, so they do have those anti-money laundering and counter-terrorism funding considerations at play. There is an entire supply chain of vendors that assist with all this. They facilitate the payment, they sanction check the recipient entity; there are a number of things that you can do to protect yourself around that, but ultimately our advice to clients is that paying a ransom demand should be an absolute last resort and only made in the most pressing and justifiable circumstances before it’s made. But the decision-making framework is complex depending on whether the client themselves is a publicly listed entity, privately held company or government agency, whether or not there’s an impact to their data, competitive advantage if their IP is leaked, whether or not there’s an impact on people’s health and wellbeing, a number of factors which go into this, not just legal. Ethical is a good point. I think a lot of organisations start from the point that they don’t want to pay, certainly the starting point is “I don’t want to engage”, but increasingly, depending on the severity of the incident, that ultimately may come into play. |
DT:
| Yeah, it’s a very difficult question. Now I don’t think we could have an episode about privacy law or privacy law issues without talking about privacy policies. They’re pretty ubiquitous in privacy practice and certainly I think every organisation with a website or an online service has one, but the privacy policy which sets out how you collect, use or disclose personal information can have an impact on the consequences of a data breach, can’t it? |
RC:
45:00
46:00
47:00
| I like the way you described it, as being the privacy policy itself, which sets out the way in which an organisation controls data, or handles data, having an impact over incidents. The privacy policy itself, assuming it reflects the way in which a company does actually handle its data, certainly does have an impact, but to the point that you’re making, it’s an incredibly good point, and I think over the last few years we’ve seen society shift towards the great awakening, and this is spurred on by the Cambridge Analytica incident a few years ago in particular, where individuals and organisations are starting to now appreciate the value of data, but also the risks of misuse of data. TIP: Most of us have, at the very least, heard of the Cambridge Analytica scandal. For those of us who aren’t too familiar with it, here is a simple breakdown of what you need to know. Cambridge Analytica secretly used the data of 50 million Facebook users without their permission. The data was acquired via a third-party app, created by a researcher at Cambridge University’s Psychometrics Centre, which was downloaded by 300,000 people. This gave the researcher, and by extension Cambridge Analytica, access to not only their own data but that of their friends as well, which is how we get to that much larger 50 million figure. Cambridge Analytica used the collected data to create psychographic profiles of these Facebook users and, using those profiles, deliver targeted political advertisements to the profiled Facebook users as part of the 2016 Trump presidential campaign. And also starting to have a greater awareness and expectation around how data should be handled. What’s become apparent over time is the way that a company handles data has a direct and immediate impact on the severity of a breach. What we’re seeing is organisations who mismanage or perhaps don’t pay enough consideration to the way in which they handle data across the entire life cycle of data, so the birth of data when they first collect it, the life of data in terms of how they handle it, how they store it, who they share it with, how they secure it, and ultimately the death of data, in other words when they delete data or de-identify data. Decisions made along that entire journey ultimately have a very direct impact on the breach itself. So we’re seeing, as a good example at the moment, organisations who have collected data for 10, 15 years and not had any regard to whether or not in fact they need that data anymore, and frankly not deleting it in line with their obligations under the Privacy Act as required, and we’re seeing a huge amount of data being released out into the open because they haven’t handled the data appropriately across its life cycle. And so one of the big pushes that we, the OAIC and the other privacy advocates at the moment are starting to have with clients is data minimisation as a concept, which is if you don’t need data, don’t collect it, because of course if you don’t hold it, it can never be misused. To the extent that you do collect it, that’s okay, have a plan in place for the exit of that data from your systems. In other words, use it for as long as necessary and justifiable, retain it for the minimum number of years that you are required to, so, say, 7 years for employee records as just another example, and at that point delete it or de-identify it; have a process for purging data on a routine basis. |
DT: 48:00 | There’s such a tension there, isn’t there, and I think a few years ago there was probably a perspective of, well, data is everything, big data insights are how we’re going to gain competitive advantage, collect everything you can, store everything you can, and have this valuable asset at the ready when and if you can use it. But I like this idea of data minimisation, of being forward thinking and thinking about the uses to which data can actually be put as a risk mitigation measure. That data is an asset, but the misuse of data is a liability, and potentially a very large one. |
RC:
49:00 | That’s the point, you know, we come across as lawyers, I think, as constantly looking for the negative in every scenario and constantly advising on the risks, and you know if you listen to lawyers all day long you might never actually become… might never… That’s right, exactly, so a lot of this isn’t bad news, it’s just trying to re-emphasise the point that you can put data to incredibly good use. I mean you look at the heated discussion a couple of months ago around contact tracing, and whether or not people should download the app, and you know we don’t need to go into the politics around that, but certainly there are very good examples like that where you can put data to very good use. It’s just around ensuring that there are frameworks and controls and limitations around all of that, including, if you just take the contact tracing app as an example, there was a very clear exit strategy of when the end of that app would come about and what would be done with the data at that point. So as long as those plans are in place, I think people can feel very secure in the way in which data is used by those companies. |
DT:
50:00 | Just going back to the privacy policy, I think, you know, your answer raises the threshold point that our listeners and their clients should be really aware of, which is that you actually have to act in accordance with your privacy policy, and if your operations don’t match your privacy policy, that’s a more fundamental issue. But I suppose what you’re saying as well, for those of our listeners who are advising clients on privacy policies, is it’s important to not just look at how data is collected, used and disclosed, but also how it’s stored and destroyed. |
RC:
51:00
| Exactly right, and I think the privacy policy is interesting. I mean there’s a lot of shift away from it being a tick box exercise where it has to have the minimum requirements in compliance with the laws. You know some have opted in, some have opted out, there’s different ways to express it to ensure that consumers ultimately have informed consent when they are actually ticking yes to accepting the terms of the privacy policy. So there’s a lot of discussion at the moment about how to ensure that the privacy policy itself is properly communicated to individuals, but I think behind the privacy policy itself, I really think clients need to set a cultural standard about how they want to use data and ultimately manage data whilst it’s in their possession. And you start to look at companies around the world, like Apple is a great example, where they’re actually using the security of their systems, so their phones for example, and their computers, and some of the settings that they’re pushing through their technology, as a means of gaining competitive advantage over their competitors. So I think the better discussion over the next 5 to 10 years, because data is here to stay and its use and collection is here to stay, I think the better discussion will end up being how do companies position themselves competitively against one another by using privacy and security settings as a means for competitive advantage. |
DT: | Interesting, because consumers are really conscious of the contents of, if not the legal document itself of a privacy policy, then at least the extent to which their data is being collected, and I don’t think it’s enough now to just have that boilerplate document downloaded from a legal precedent site or something. It actually does need to be attuned to what your customers expect from you. |
RC: 52:00
53:00 | Exactly right, and the public expectation around privacy, and this comes back to my point about the great awakening that consumers have caught onto arising out of the Cambridge Analytica scandal, is that organisations do comply with best practice. One thing that we’re seeing at the moment is, because you’ve got this patchwork of data protection laws around the world, and different thresholds and different standards, and some countries not even having robust data protection laws in place at all, you have this situation where some companies are looking to comply with the high watermark of what best practice looks like, and they may be doing so on a voluntary basis, particularly if they operate in multiple jurisdictions, and they’re really setting themselves apart from the rest. I don’t know that you can make that comment about all organisations. I think some organisations really do need to consider their obligations in various countries, particularly if they operate in multiple jurisdictions, and really understand what best practice looks like and apply that across the board. Of course, as long as that’s not onerous and doesn’t limit their ability to do business in countries, which we understand are probably some of the key drivers for these organisations perhaps taking the middle ground approach, but generally speaking I think organisations are well served by having at their heart a cultural alignment with what best practice looks like. |
DT:
| I’m glad you mentioned that patchwork and the need to sort of hold yourself to the high watermark, with that caveat that so far as your operations allow you to, you should be doing that. Because there is a proliferation of privacy legislation around the world now and it could be difficult, and indeed I think probably a lot more operationally onerous, to have region specific privacy settings for your business. Before we finish up today, we’ve talked about a lot of things: we talked about different kinds of cyber incidents, ransomware, phishing, the unique position of law firms in phishing attacks, we’ve talked about cyber insurance, privacy policy settings, the future need for businesses to use their privacy settings to obtain a competitive advantage, but if there’s one thing that you’d like to leave our listeners with before we conclude today, Reece, what would that be? |
RC: 54:00
55:00 | That’s a great question. I think listeners should take away cyber risk and technology risk as something that they can engage with at all levels. Now whether the listener is a law firm, whether they are advising on privacy, or whether they are a small business trying to run a company and ensure that their clients’ data is secure, or whether they’re just at home online shopping, or their kids are interacting with others online, I think people should really try and run towards cyber risk as something that they can engage with, like any subject. It’s just something that they need to become aware of, become familiar with, and subscribe to various resources to upskill themselves about that. There are some very easy wins that organisations and individuals can do to ensure that they are aware of the latest trends and best practice. The OAIC has some great resources, the ACCC Scamwatch website has some incredibly great resources on, you know, the latest cyber-attacks impacting the economy. The OAIC and the cyber.gov.au websites have some great resources. So I would recommend to anybody that they just simply start to engage with the material, whether they do so for their own professional practice and helping their clients, or because they want to protect their family at home. Whatever that looks like, I think as an economy if we can engage with the subject, then we will do really well out of it. |
DT:
| Those are great resources and we’ll be putting links to all of those in our show notes, but I suppose, as you said before, you can approach your understanding of cyber incidents and privacy and inside security from a personal perspective, and that will develop into a professional understanding of the area as well. So Reece, I really enjoyed our conversation today, thanks so much for joining me on Hearsay. |
RC: | Thanks David, appreciate being on. Thank you. |
DT:
56:00 | You’ve been listening to the Hearsay podcast. I’d like to thank our guest Reece Corbett-Wilkins from Clyde and Co for coming on the show. Now if you are an Australian legal practitioner you can claim one continuing professional development point for listening to this episode. Whether an activity entitles you to claim a CPD point is self-assessed, but we suggest this episode constitutes an activity in the substantive law field. If you’ve claimed 5 CPD points for audio content already this CPD year, you may need to access our multimedia content to claim further points from listening to Hearsay. Visit htlp.com.au for more information on claiming and tracking your points on our platform. The Hearsay team is Tim Edmeades, who produced this episode, Kirti Kumar, who researched it, Araceli Robledo, who manages all our marketing activities, and me, David Turner, your interviewer. Hearsay is a project by Nicola Cosgrove and Chris Cruickshank, the co-founders of Assured Legal Solutions, making complex simple. You can find all of our episodes as well as summary papers, transcripts, quizzes and more at htlp.com.au. That’s HTLP for Hearsay The Legal Podcast.com.au. Thanks for listening. |