Why cyber security is everyone’s business
The recent introduction of the Notifiable Data Breaches (NDB) Scheme in February this year, as well as the GDPR in Europe in May, has brought cyber security to the attention of Australia’s business community, writes Helaine Leggat.
To give an idea of the scale of the problem, the Office of the Australian Information Commissioner (OAIC) was notified of 242 breaches in the current reporting period, which ran from 1 April to 30 June 2018.
Both the NDB Scheme (an amendment to the Privacy Act) and the GDPR provide for the protection of personally identifiable information. Protection is impossible without security.
While the requirements of the NDB scheme have prompted businesses to sit up and take notice of cyber security, the GDPR is even more onerous when it comes to compliance. If your company has an establishment in the EU, offers goods and services in the EU, or monitors the behaviour of individuals in the EU, then you’re subject to the European law, which has massive penalties for non-compliance, and requires companies provide additional customer rights such as the right to erasure or the ‘right to be forgotten.’
With all the talk about the NDB scheme and the GDPR, however, there has been little attention paid to its implications for law firms and their clients that are subject to the NDB.
Privacy law is not theoretical, it needs to be implemented into a client environment through policies, practices, procedures and the law of contract to manage the complex supply chain relationships that will determine where blame falls if there is a breach.
Lawyers must appreciate the technical aspects of cyber security if they’re going to provide the advice and support their client organisations need. To do this, they should cultivate strong relationships with their in-house security and IT personnel. Cyber law and cyber security are receiving increased attention from boards and management, and lawyers have plenty to do in terms of advising clients in relation to contracts with suppliers – even small suppliers, as well as managing legal and other implications of disclosure.
One cyber security challenge currently faced by lawyers is the complex web of relationships with multiple, different-sized suppliers, some of which do not have to comply with privacy law, but which offer services to companies that do.
Lawyers must ensure that questions do not remain about who is responsible for disclosure of a breach when there are several parties involved.
There are good reasons for companies to focus on cyber security, aside from the legal requirement to disclose when there is a breach. According to a recent Frost & Sullivan report commissioned by Microsoft, more than 55 per cent of Australian organisations that were surveyed had experienced a cyber security incident in the last twelve months.
Of those survey respondents who didn’t know if they had been affected, 20 percent hadn’t conducted proper forensics or a data breach assessment.
Sixty-six per cent of respondents indicated their enterprise had postponed digital transformation programs because of cyber security concerns. This is particularly worrying for the Australian economy, as digital transformation efforts are expected to add $45 billion by 2021. Organisations that are putting off digital transformation are not only holding their companies back, but they are putting a brake on the wider Australian economy.
Lawyers need to develop a good understanding that where there is a breach, there is a need to preserve evidence and audit trails so that an investigation can take place and trustworthy evidence is obtained for court proceedings. That’s why it’s important to have synergistic relationships with the information technology, security and forensics departments of the organisations they are working for and better still, have this capability within the law firm itself.
In addition to laws, regulators like APRA are increasingly imposing compliance requirements on businesses. The result is that boards realise that cyber security is something that affects their organisational reputation, the value of their brand, and their personal liability. Lawyers must stand prepared to advise boards on their legal and business obligations, as well as to provide them with advice on issues of corporate and data governance, including disclosure.
Increasingly, boards are realising that the cost involved in cyber security preparedness, and its associated risk, is money well spent. This is not just because of the reputational impact, but also because the regulators – as well as the OAIC – can impose penalties when a breach occurs. For too long, cyber security has been swept under the carpet, and now, with the NDB, and similar (but more powerful) laws such as the GDPR in Europe, security has become a cost of doing business.
What it all adds up to is that cyber security is everyone’s business. It’s a matter for the legal profession, it’s a matter for boards, and it’s even a matter for smaller companies that are not directly subject to the law. Most importantly it is a matter for all individuals who should be able to trust the businesses that process their personal information. All law firms must make sure their clients’ suppliers are compliant and can pass security audits, and encourage client in-house departments to work together (privacy, security, IT, governance, risk, compliance and legal).
This will help ensure that their client organisations are adhering to the law, and help boards take cyber security in hand as a matter concerning the very core of their businesses.
Helaine Leggat is a board director for the Australian Information Security Association (AISA) and head of cyberlaw at Sladen Legal.