Following a half-yearly stocktake on developments in the cyber risk landscape last year, a team of lawyers from Clyde & Co returns to discuss such matters in the wake of COVID-19.
As we enter the second half of the year, and emerge from a time of much uncertainty, it is crucial to analyse the current developments in the cyber risk landscape and provide insights into the key issues facing organisations.
We are now two and a half years into the mandatory data breach notification regime.
In February 2020, the OAIC released its latest half-yearly Notifiable Data Breaches Report. The report continues to show that a significant share of notified breaches is attributed to “human error” as the root cause (32 per cent, down from 34 per cent in the year prior).
Against this background, the OAIC continues to stress that human behaviour is one of the vulnerabilities most often exploited by cybercriminals. With this in mind, during Privacy Awareness Week earlier this year the OAIC published a number of useful resources to help employees and their families stay safe online. These materials are a good starting point for addressing privacy risk across an organisation.
The report also focuses on the frequency and severity of business email compromise incidents (i.e. mailbox breaches), and on entities using mailboxes to store large quantities of data. The OAIC sets out the anatomy of such attacks and states its clear expectation that organisations must undertake a robust review of each incident, including an assessment of what data was held in the compromised mailbox and whose personal information it contained, rather than treating it as a low-grade phishing incident.
As part of its overall regulatory focus, the OAIC is monitoring for organisations that store too much data in mailboxes. This not only increases the severity of an incident when a mailbox is compromised, but may also be a breach of APP 11.2, which requires organisations to destroy or de-identify personal information once it is no longer needed for a permitted purpose. We recommend that, coming out of COVID-19, all organisations review their data handling practices and reduce their data risk by purging unnecessarily retained data.
Sustained cyber attacks against the Australian government and organisations
The Australian government has recently advised the public of a sustained targeting of government agencies and organisations in Australia by a sophisticated but unnamed state-based actor. Irrespective of who is allegedly behind such activity, the Australian Cyber Security Centre (ACSC) has issued detailed guidance to organisations to address such activity.
The ACSC has labelled this campaign “copy-paste compromises”, because the threat actor has relied heavily on proof-of-concept exploit code, web shells and other tooling copied almost unchanged from open-source repositories and forums, rather than on bespoke malware. (The ACSC maps the actor’s behaviour to the MITRE ATT&CK framework, which is a catalogue of known adversary tactics and techniques; it is not a list of security vulnerabilities, which are tracked separately, for example as CVE identifiers.)
The threat actor has also used a number of well-known spear-phishing techniques, i.e. targeted emails crafted to impersonate legitimate senders so that employees believe they are corresponding with a colleague or trusted party rather than a cybercriminal. This includes:
To reduce the risks of compromise, the ACSC has recommended implementing the following mitigation steps:
There is a risk that, should an incident arise from one of these vulnerabilities being exploited, and absent a good reason for not having patched it, it will be argued that the entity did not take reasonable steps to secure its systems, exposing the entity (or its external IT provider) to liability as a result.
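The spear-phishing and business email compromise points above turn on an email that looks like it comes from a colleague while actually coming from elsewhere. The following is an added example (not code from the article, the ACSC or the OAIC) showing how the three most common masquerades can be flagged from the message headers alone: a display name that names a trusted address while the real sender is on another domain, a Reply-To that diverts replies to an attacker-controlled mailbox, and a lookalike of the organisation’s own domain. The trusted domain, the sample messages and the distance threshold are all constructed assumptions for the example; in practice the trusted list would be the organisation’s real mail domains and these checks would sit alongside SPF/DKIM/DMARC verification, not replace it.

```python
"""Header-based spear-phishing masquerade checks (added example, not from the article)."""
from __future__ import annotations

import re
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption for this example: the organisation's own mail domain(s).
TRUSTED_DOMAINS = {"example.com.au"}

_ADDR_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")


def domain_of(text: str) -> str:
    """Domain part of the first email address found in text, lower-cased ('' if none)."""
    m = _ADDR_DOMAIN.search(text)
    return m.group(1).lower().rstrip(".") if m else ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str | None:
    """Return the trusted domain that `domain` imitates, or None if it is unrelated.

    max_distance=2 catches typosquats such as examp1e.com.au or exarnple.com.au;
    tune it down for very short trusted domains to limit false positives.
    """
    if not domain or domain in trusted:
        return None
    for t in trusted:
        if domain.endswith("." + t):        # a genuine subdomain, not a lookalike
            continue
        if levenshtein(domain, t) <= max_distance:
            return t
        if t in domain:                      # e.g. example.com.au.secure-login.net
            return t
    return None


def analyse_headers(raw: bytes, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Return human-readable findings for the masquerade patterns in one raw message."""
    msg = BytesParser().parsebytes(raw)          # compat32 policy: headers come back as plain str
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    findings = []

    # 1. Display name carries a trusted-looking address, actual sender is elsewhere.
    shown_dom = domain_of(display)
    if shown_dom and shown_dom != from_dom:
        findings.append(f"display-name-masquerade: shows {shown_dom}, sent from {from_dom}")

    # 2. Reply-To silently redirects the conversation to another domain.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch: replies go to {reply_dom}, not {from_dom}")

    # 3. Sender domain is a near-miss of one of our own domains.
    target = lookalike_of(from_dom, trusted)
    if target:
        findings.append(f"lookalike-domain: {from_dom} resembles {target}")
    return findings


# Constructed sample messages for the example (not real traffic).
SAMPLES = {
    "ceo_gmail": (b'From: "Jane Smith <jane.smith@example.com.au>" <j.smith.ceo@gmail.com>\r\n'
                  b"To: accounts@example.com.au\r\nSubject: Urgent transfer\r\n\r\nPlease action today.\r\n"),
    "typo_domain": (b"From: Accounts <accounts@examp1e.com.au>\r\n"
                    b"To: payables@example.com.au\r\nSubject: Updated bank details\r\n\r\nSee attached.\r\n"),
    "reply_to": (b'From: "Accounts Payable" <ap@example.com.au>\r\nReply-To: ap-invoices@outlook.com\r\n'
                 b"To: vendor@example.net\r\nSubject: Remittance\r\n\r\nPlease confirm.\r\n"),
    "legit": (b"From: Bob Lee <bob.lee@example.com.au>\r\nTo: jane.smith@example.com.au\r\n"
              b"Subject: Lunch\r\n\r\nNoon?\r\n"),
}


def scan_samples() -> dict[str, list[str]]:
    """Map each sample name to the finding tags raised for it (the text before the colon)."""
    return {name: [f.split(":")[0] for f in analyse_headers(raw)] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyse_headers(raw) or ["no findings"])
```

Run stand-alone it prints one line per sample. The checks are deliberately header-only so they can run at the mail gateway or over an exported mailbox; they say nothing about whether the From address was actually forged, which is what SPF, DKIM and DMARC answer.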
Ransomware trends – ‘big game hunting’
Over the last four months in Australia, we have noticed a trend of “big game hunting”, whereby threat actors deliberately target mid-market to large organisations with ransomware, knowing that the target can afford to pay a large extortion sum. We have recently seen ransomware demands in Australia average $1 million to $3 million, with some in excess of $10 million.
Additionally, ransomware matters are now more often than not hybrid in nature (commonly called double extortion). Not only does the ransomware encrypt the target entity’s files and systems, but prior to deploying it the threat actor group exfiltrates large quantities of data for later sale or disclosure on the dark web. This allows the group to extort the target a second time, seeking payment in return for deleting the data and not publishing it. Where this occurs, organisations face significant privacy, commercial and reputational risk.
We recommend that as part of this new trend of targeted and high-profile ransomware attacks, all organisations scenario test their intended response to such an event. This includes completing a decision-making framework around whether the organisation would pay a ransom demand and the steps that will be taken should this occur (including addressing AML/CTF risk). A number of organisations have paid the ransom in such scenarios, justifying it to prevent publication, dissemination and misuse of data.
While the natural starting point is that ransom demands should only be paid as a last resort, should this decision-making framework not be addressed in advance of an incident, decisions are often hastily made by leadership teams leading to unintended and undesirable outcomes. For those entities who are unfortunately impacted by this type of incident, support is available with a number of organisations specialising in responding to this particular type of incident. The ACSC is also coordinating its efforts to assist Australian organisations with responding to this type of incident.
Malicious cyber attacks continue following COVID-19
As the world continues to deal with the economic and operational challenges from the global COVID-19 pandemic and subsequent waves, organisations need to continue to address COVID-19-related cyber risk. These include:
The ACSC has prepared a number of helpful resources, which we recommend all organisations read, on addressing the ongoing risks of a distributed workforce. This includes, notably, teaching employees how to spot a phishing scam.
Privacy litigation and regulatory enforcement activity
The past year has seen an increase in litigation and regulatory enforcement action brought against entities relating to data events. Such activity will continue to test Australia’s privacy laws and impact on whether a common law action for breach of privacy will be developed through the courts, or whether it will be left to Parliament to create a statutory tort.
Some of the recent actions which have and will continue to impact on the developing privacy legal jurisprudence are:
We are also aware of increased appetite by funds, plaintiff law firms and privacy counsel to develop class action jurisprudence through strategic test case litigation in the privacy litigation space, although much will likely turn on the outcome of the class action reform inquiry presently underway.
How can corporate counsel address cyber risk?
Increasingly, the legal function of any organisation is being called in to assist with helping the organisation respond to cyber/data-related events. Corporate counsel are well placed to play a leading role in the incident response especially given the need to report to key decision-makers within the business including at board level.
Beyond this, given the recent Capital One decision in the US, in which the court ordered disclosure of a Mandiant forensic incident report, holding that it was not protected from production because it would have been prepared in substantially similar form regardless of the litigation (Mandiant was already on retainer), there has been increased scrutiny of how forensic vendors are engaged and of ensuring that key communications are protected by privilege from later disclosure.
Corporate counsel (and external legal advisers) ought to establish a process for minimising legal risk, while ensuring that the incident response is advanced expeditiously with the legal teams supporting the core response team in containment and recovery efforts.
Finally, to minimise litigation risk in advance of any data privacy action, we recommend that organisations take steps to review their data handling practices and invest in documenting those practices, as well as ensure that entities are compliant with industry best practice standards. This will allow an organisation to demonstrate that they took reasonable steps in any later litigation or regulatory inquiry. Corporate counsel can drive such activities, emphasising the benefits of record keeping as part of good governance.
The authors of this piece are Clyde & Co partner John Moran, senior associates Reece Corbett-Wilkins, Richard Berkahn and Sophie White. Firm associate Gary Bayarsaikhan assisted in preparing the piece.
Jerome Doraisamy is the managing editor of Lawyers Weekly and HR Leader. He is also the author of The Wellness Doctrines book series, an admitted solicitor in New South Wales, and a board director of the Minds Count Foundation.