Clever Use of the Power to Order Pre-Action Discovery
The New South Wales Supreme Court has ordered Channel Nine to provide a draft story to a plaintiff…
This article is the second article in our series on data breaches and cyber security. Please click here to read our first article “Cyber Security: prevention is the best cure”.
So, you have just learned that your company experienced a cyber incident and a likely data breach. Whether hackers stole personal information from your corporate server, a disgruntled employee stole customer information, or personal information was accidentally published on your company’s website, you are probably thinking “what do we do now?”
Effectively responding to a cyber incident and data breach involves four key actions: (1) Contain; (2) Assess; (3) Notify and (4) Review. The overriding principle is harm minimisation – minimising the potential harm to affected individuals and to your company – both financially and reputationally.
Step 1 – Contain: firstly, it is crucial to take steps to confirm that a data breach has occurred. Once confirmed, you must take immediate action to secure your systems and fix vulnerabilities to contain the breach and prevent any further compromise of personal information.
The steps to be taken to contain the breach will depend on the nature of the breach. However, some common actions include:
Step 2 – Assess: once your company has, where possible, contained a data breach, you must assess the risk of harm that affected individuals could suffer because of the breach. This will require an investigation into the cause of the breach and the surrounding circumstances.
It is important that you have the right team in place to accurately assess the risk. To this end, involving Hamilton Locke in this process at the very outset is important as we have a specialised privacy and data security team who can lead the risk assessment and help minimise any financial loss and reputational damage. We have strategic arrangements with a variety of forensic, cyber security and insurance companies for urgent incident response situations who can work alongside your in-house team.
Once instructing us, we assemble the investigators and notify your insurers of the cyber incident on your behalf. As communications between you and Hamilton Locke’s lawyers are protected by legal professional privilege, all communications will be confidential if your organisation faces legal consequences arising from the data breach.
As part of the assessment process, you must consider the severity of any harm that could arise for affected individuals and the likelihood of such harm eventuating. The greater the severity and the greater the likelihood, then the higher the risk.
Some factors to take into consideration when assessing risk are:
Also, consider whether the information is protected by one or more security measures (e.g. password protected or encrypted) and the likelihood that those measures could be overcome.
Step 3 – Notify: whether your company chooses to notify affected individuals of a data breach will largely be determined by the outcome of the assessment carried out in step 2.
When deciding whether to notify affected individuals about a data breach, you must consider:
Under the NBD Scheme, organisations covered by the Privacy Act 1988 (Cth) must, within 30 days of discovering a data breach, assess the breach to determine whether there has been an eligible data breach. If during the assessment period, the organisation determines that there has been an eligible data breach, the organisation must notify the Office of the Australian Information Commissioner (OAIC) as well as the affected individuals.
Step 4: Review: When your company has handled the privacy impacts of the breach, it should then conduct a review of the data breach and identify appropriate measures to implement that will prevent, or reduce the chances of, similar incidents occurring in the future.
A review may include:
Hamilton Locke has legal practitioners experienced in advising on privacy obligations and managing data breaches and cyber-attacks. If you require assistance, please contact Alex Ninis (Partner) or Sarah Gilkes (Partner).
Written by Serpil Bilgic.