Think of one of the greatest nightmares of your professional life.
For the management team of a corporation and their in-house counsel, there are few more nightmarish days than when they receive a call from the IT department reporting unauthorised activity in the company’s databases. Over the next few days, the fog lifts and it becomes clear that the company has been the subject of a cyber-attack and personally identifiable data of its customers or employees has been accessed by criminals.
In a recent post, we commented on the representative complaint brought by IMF Bentham against Facebook with the Office of the Australian Information Privacy Commissioner and more broadly the arrival of privacy class actions in Australia.
In this post, we consider a few of the key steps that directors and officers should take to protect themselves from cyber-related class actions and to ensure they are well positioned to deal with the new regulatory landscape in Australia.
What to do immediately after a cyber-attack
In 2017, over 500,000 Australian businesses fell victim to cyber-crime with the average cost to medium-sized businesses being $1.9 million. In our practice, something we have repeatedly seen is that it is often the decisions made in the immediate aftermath of a data breach that will have severe implications for future class action suits.
In light of the increasing regularity of these cyber-attacks, directors and officers cannot wait until an attack occurs to begin to formulate a strategy and in our view must have a carefully devised incident response plan in place. At the very least, this plan will need to:
- Identify the response team that is informed about and deals with the incident on behalf of the company.
- Consider the circumstances where the company should bring in external IT assistance to remedy the breach or otherwise track down the culprits;
- Set out the decision-making processes, including with respect to whether to revert to a recent backup and communications generally; and
- Set out the steps necessary to comply with the Australian Notifiable Data Breach (NDB) scheme and/or the European General Data Protection Regulation (GDPR). If you are interested in further information on these schemes, we have prepared a number of posts on the NDB scheme and the GDPR for your reference.
Putting in place an incident response plan is one of the best steps a company can take to mitigate the impact of a cyber incident as decision-making is easier in a time of planning rather than when the company is dealing with a crisis. As the popular adage goes, failing to plan is planning to fail.
Although obvious, companies should remember to print a copy of the incident response plan. No point having one electronically if you cannot access your computer network.
Cyber insurance is another important measure for directors to mitigate losses caused by cyber breaches. According to Munich Re, the global cyber insurance market grew to about US$3.4 billion in premiums in 2016/17 and it is estimated that premiums could rise to between US$8.5-10 billion by 2020.
The Australian government has encouraged businesses to seek out cyber insurance for both first-party loss (investigation costs, remediation costs, costs of notification to customers or suppliers and business interruption) and third-party loss (compensation, damages, fines and legal costs). We consider cyber insurance to form a critical component of a company’s overall network security infrastructure.
One thing we urge companies to be mindful of is that that general professional indemnity or business interruption insurance may not cover cyber risks. For example, in 2011, Sony experienced a cyber-attack which reportedly lead to losses as high as USD 2 billion. Thereafter, Sony tried to claim against its insurer under a commercial general liability policy and the New York Supreme Court ultimately decided that the insurer was not liable to indemnify Sony for the breach.
Where a company has purchased a cyber insurance policy, we recommend that directors and officers make enquiries about the scope and size of cyber cover and are aware of what steps the insurer recommends be taken in the event of a cyber incident.