Speaking on an episode of The Lawyers Weekly Show, produced in partnership with Commonwealth Bank and co-hosted by national director of professional services Daniela Pasini, Mr North spoke about the state of affairs in cyber risk and data, as well as technology in general and what will constitute best practice moving forward. 

While Corrs’ technology practice isn’t limited to cyber, Mr North said it’s the area that the firm has seen the most growth in recently. 

“Cyber is not new; it’s been around [and] it’s been a problem for business for a significant period. But last year, we saw a really significant uptick or increase in the number of attacks against Australian businesses and also the sophistication and scale of the attacks. There were a number of very high-profile attacks that everyone will be familiar with, that have really significant ramifications for the health of the organisations involved,” he explained. 

“It’s something that boards in Australian corporations can no longer ignore, if they were ignoring them. This has become an area that was essentially handled by the IT and the security teams. It’s really become a whole organisation issue. And lawyers very much need to play their part in, I guess, making their organisations cyber resilient, less vulnerable to attacks, but also well placed to recover it from an incident if it occurs. And it’s a skill set that we as external lawyers, particularly in the technology field, need to have, but also in-house counsel as well.”

Most lawyers within the cyber space, Mr North said, get involved with the area of breach reporting under obligations within the Privacy Act. 

“Under the Privacy Act, there are various legal obligations imposed on companies to take good care of the personal information of their customers, of their employees and contractors. And there are also obligations on the company to investigate cyber attacks and report breaches, if and when they occur. 

“So there’s a very important role that lawyers can play in the aftermath of an incident, in identifying whether personal information has been accessed by a bad actor, as we call them in the industry, and whether the consequences of that bad actor having access to personal information, is likely to cause those individuals serious harm. And that’s a very important investigation because if that threshold is met, there’s an obligation on the organisation to notify the affected individuals and to notify the regulator, the OAIC,” he explained. 

VIEW ALL

“And so, what comes into that assessment is the type of information that has been accessed. Australian organisations are increasingly holding very sensitive personal information. So, to take an example, an insurer may hold the personal information of their customers that relates to their health history, what treatments they’ve had, et cetera. If that information is disclosed, then that is potentially embarrassing to the individuals, and they may suffer some sort of harm.”

Banks are also a good example of this, as they are legally required to identify who their customers are. 

“Banks are required to collect identity information such as passports [and] driver’s licenses from their customers, in an effort to make sure that their customers aren’t involved in money laundering. And the banking systems aren’t used to promote money laundering. The banks are required to keep that information in their systems for as long as they’re servicing that customer and for a period afterwards,” Mr North added. 

“That information is really what you might call the honey pot for cyber security attackers because if they can get a hold of that information, they can use it to commit financial fraud, for example, opening new credit cards in the name of the customer. So it’s essential that that information is properly protected. And if it is accessed by bad actors, then the company meets its obligations under the Privacy Act to notify the affected individuals and to support them to take steps to protect themselves. And that might involve getting a new passport, getting a new driver’s license, for example. 

“So, there’s a very significant role at that very basic level for lawyers to play, in making sure organisations are aware of their obligations to keep personal information secure and to respond to breaches promptly and appropriately, if and when a cyber attack occurs.”

In terms of what best practice within the cyber space actually looks like in larger organisations, Mr North said there’s often a variety of “upgrades” Corrs look at for their clients. 

“First, we’d look at their policies and procedures and make sure that they have a process to respond to a cyber attack, if and when it occurs. And there’s a number of different things involved in that. First, there needs to be monitoring of their systems to identify unusual behaviour, which might signify that an attack has occurred. Then those alerts need to be reported to senior management, including lawyers, including the general counsel, for example. And if it’s serious, potentially to the board. So, the full organisation is aware that a cyber attack has occurred,” he added.

“In the past, organisations fell down, whereby the information regarding an attack was limited to the IT team. And for example, the general council wasn’t aware of it or the board wasn’t aware of it. And as a result, because, let’s say, the IT team weren’t aware of the legal obligations of the company to respond to that attack, there was no appropriate response from the organisation. So that’s the first step. The appropriate people in the organisation, including the lawyers, need to know if the systems of the organisation have been compromised.”

Secondly, organisations need to make sure they have a policy and procedure in place to respond to cyber attacks, to identify whether personal information has been breached and how and when to notify different teams within the organisation. This requires “appropriate skills’’ at the board level.

“All the regulators have made it clear that boards are ultimately responsible for cyber security within an organisation. And Australian boards historically have not had the skills, the tech skills, to be able to appropriately supervise their organisation’s response to a cyber incident. So, we work a lot with our clients in making sure the reporting lines are appropriate and that there’s suitable board oversight of a cyber incident. 

“And increasingly what we are doing, because cyber is a crisis, it’s very important that everyone knows their roles and how they’re going to respond, if and when this occurs. And therefore, we are conducting with our clients, the most sophisticated clients, cyber sim simulations. And we did one yesterday, actually. And that involves a two-to-three-hour session with the crisis management team, with the board,” Mr North added. 

“Everyone’s brought together with very little notice, and a cyber security scenario is put before the team. And they roleplay the response to that cyber security incident, as if it was real. And we think that’s incredibly important because when a cyber attack occurs, you’ve got very little time. It’s possible that the press is already aware of it. The organisation is going to be under extreme stress. It’s very important that everyone knows what role they have to play in advance of that occurring. So, we think best practice really does involve training at the executive level in how to respond to an incident.”

The transcript of this podcast episode was slightly edited for publishing purposes. To listen to the full conversation with James North, click below: