05 March 2024
Once a data breach has occurred, a well-organised business reaches for its incident response plan, which the leadership team holds in both soft and hard copy and has, as a minimum, tested through regular desktop simulations of activating it. If you are developing your incident response plan on the day of the incident, you are already failing.
Dealing with a data breach, whether it be an external hack, disgruntled insider or human error, is generally an evolving scene that takes discipline, planning and a structure to respond to. Whether you are a consumer-facing business such as Medibank, Optus and Dymocks (who have all been subject to breaches in the last year) or a B2B organisation and have key customers and suppliers with expectations about the security of their confidential data, there is a lot to do and many stakeholders and regulators to manage.
While most people are aware of the obligation to notify breaches of personal information that may pose a risk of serious harm under the Privacy Act, various regulators may require other forms of notification. For example, the Security of Critical Infrastructure Act 2018 (Cth) requires certain organisations to immediately send a notification to the Department of Home Affairs.
The Australian Prudential Regulation Authority (APRA) requires notifications from organisations it regulates, and it has several practice statements that set out what its requirements are.
If you are a listed company investigating a breach, you must ask yourself whether this is an event that could be price sensitive and therefore whether you need to notify the ASX under the continuous disclosure regime. The answer may not be apparent initially, but it evolves over time as information about the extent of the breach becomes apparent and the investigation continues.
Similarly, if you hold an Australian Financial Services Licence from the Australian Securities & Investments Commission (ASIC), this may well be a reportable event. ASIC looks very closely at directors in relation to their cyber and privacy compliance obligations.
The European General Data Protection Regulation (GDPR) has been in place since 2018 and requires notification of breaches within 72 hours. This is generally regarded as the global ‘gold standard’ and many multinationals have adopted this standard in their contracts with third parties where data may be exchanged. This means you may be contractually obligated to notify several counterparties.
Other common contractual notification periods are 24 hours, 48 hours, as soon as possible or as soon as reasonably possible.
Have you collated a contract register of all the key contracts where data is shared so that the notification process can begin, and stakeholder engagement can be managed? If you haven’t, this is a task you should undertake well ahead of and in anticipation of a crisis.
It is trite to say that managing the communications around a data breach is a project whose parameters change day to day and even hour to hour as information becomes available. Once a breach has been discovered, a process needs to be followed to understand the nature of the breach and the likely ramifications. We all know that organisations who share nothing and persist with a “nothing to see here” approach appear arrogant and face a backlash from consumers as a consequence. The opposite end of the spectrum is oversharing, which brings additional legal risks.
Keeping information about the nature of the breach confidential is something that needs to be finely balanced. When the business is sharing knowledge with media, they need to be mindful of legal professional privilege. Publicly saying “you have had advice” may waive that privilege. Think about future class action possibilities.
As lawyers, we regularly work with legal counsel, risk managers, company secretaries and management teams in relation to minimising risk in data breaches and cyber-attacks. Our role is to consider, assess and advise on the legal risks relating to both regulators and counterparties, employees and contractors, and to balance these with the work that others are doing in relation to media and reputation management, technical investigations and other relevant work.
When a breach occurs, the workload on the management team increases, yet it remains important that ‘business as usual’ is not disrupted. This means additional resources are required. Lawyers can help with project management and planning, proofreading and generally bringing an independent analytical approach to managing the crisis.
In addition to overseeing tasks against the incident response plan and dealing with contingencies, lawyers bring prior experience in similar positions.
Many people see privacy and data management as a low-risk issue. However, the major breaches that occurred in 2023 have caused boards to refocus their allocation of resources and budget, and to consider at least a moderate investment in preparation for an adverse event. The old saying “failing to plan is planning to fail” holds true in the case of a breach in our experience.
If you need assistance in preparing an incident response plan or have any questions regarding this article, please get in touch with a member of our team below.
Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.