
Interview Series - Annie Haggar on Privacy Act Amendments and Keeping Lawyers in the Incident War Room

Published on
June 14, 2022
November 24, 2023

Part 1 - Privacy Act Amendments and Keeping Lawyers in the Incident War Room: A Conversation with Cyber Lawyer Annie Haggar. 

This is the first installment of a three-part interview series with Annie Haggar, Principal at CyberGC. In part 1 we delve into Annie's thoughts on privacy legislation amendments since the Optus and Medicare breach, as well as why it is important to include lawyers during incident response!

Vaughan: Hello and welcome to CydShow. I'm Vaughan Shanks, co-founder and CEO of Cydarm Technologies. Today, I'm delighted to be joined by Annie Haggar from CyberGC.

Annie: Hey, Vaughan, thanks for having me. It's truly great to be here.

Vaughan: Thank you for joining. As a cyber lawyer, your expertise presents a fascinating intersection of disciplines, particularly pertinent in today's ever-evolving landscape.

So, let's rewind about a year, or more precisely, 13 months since the passing of the Privacy legislation amendments. What, if anything, has changed since then?

Annie: The changes a year ago stemmed from an emergency response to the Optus and Medicare breach, coinciding with a broader review of the Privacy Act already in progress. Instead of awaiting the completion of the ongoing review, the government opted not to delay emergency measures. They implemented these measures first and patiently awaited the conclusion of the Privacy Act review. Over the past twelve months, emergency response measures were introduced, the existing review concluded, and the government responded to the findings.

The subsequent phase involves an extended process of drafting amendments and legislation, eventually presenting them in parliament. The necessity for the emergency response arose from the historically low penalties for breaching the Privacy Act, which some large corporations regarded as merely the cost of doing business—approximately $2.2 million.

The government acknowledged the need for urgency, recognizing that people weren't taking privacy breaches seriously enough. Consequently, the new changes align the consequences for breaching the Privacy Act more closely with a GDPR regime, imposing penalties of $50 million or 30% of an organization's annual turnover—significant figures, particularly the latter.

Vaughan: Sorry, just a sec. I did some back-of-the-envelope calculations, and if another Medibank breach occurred today, they could potentially face a maximum fine of $2 billion. Is that the right ballpark we're talking about?

Annie: Yes, that's the ballpark we're discussing. Rather than Australian big businesses considering it a mere rounding error on their balance sheets, the substantial penalty adds to the myriad costs incurred during a cyber breach. Beyond fines, the actual costs of investigation and recovery reach tens of millions of dollars. Consider the impact on share prices, reputational damage, loss of business, and ongoing lawsuits, as seen in the cases of Optus and Medibank—still in progress. The final costs remain uncertain. Not to mention, if one were to contemplate paying a ransom, which one should avoid, it would pale in comparison to the overall damage costs.

Vaughan: Right, absolutely.

Annie: The ransom, a mere couple of million dollars, falls into the chump change, rounding error space. It doesn't represent the actual cost we're discussing here, and that's precisely the focus of the government's emergency responses. An intriguing aspect lies in the formal response to the Privacy Act report. Historically, there was an exemption for small businesses, relieving those with a turnover of less than 3 million from Privacy Act compliance—considered somewhat onerous. This exemption is disappearing, implying that all Australian businesses dealing with personal data will now have obligations to protect it.

The Privacy Act reforms will also introduce shorter response time frames, dropping from 30 days to approximately 72 hours—an alignment with GDPR indications.

Vaughan: Right, and other regulations.

Annie: Exactly. This change not only simplifies the process but also eliminates complex, overlapping time frames for different regulatory regimes. However, simplicity doesn't necessarily translate to ease for those managing the incident.

Vaughan: So, how does this impact individuals on the front lines dealing with incidents, including those in incident response, and your legal colleagues involved in that?

Annie: Absolutely. It boils down to effective preparation, a timeless requirement. A robust incident response involves meticulous planning, encompassing not just a technical document but scenarios, war games, tabletop exercises, ensuring everyone knows their role. Legal reporting requirements are just one facet of an organization's responsibilities. There's the technical response to expel threat actors and recover systems, along with communication response and assessing risk and impact on the overall organization.

Changes to the Privacy Act will influence whom you report to. However, this landscape will shift again with the introduction of the 2023-2030 Cybersecurity Strategy. The government plans to implement a single reporting function, streamlining reporting by having one reporting button on Cyber Gov Au. This function will distribute reporting information across all relevant regulators, simplifying compliance for Australian businesses within tight time frames.

Vaughan: Indeed, very practical. It brings to mind one of the clauses in these reporting regimes stating you must report under all circumstances, but also, if you've reported to anyone else, you must report to us.

Annie: It seems maintaining such a situation without consolidating reporting is challenging. Previously, I recommended organizations maintain a matrix detailing who they were regulated by, the contact details, portals, and time frames for each agency. The new approach, with one central reporting button and set of information, simplifies the process. We should streamline the process with a singular reporting button and a centralized set of information, all accessible through one website in the event of a breach. However, this approach doesn't alleviate the complexities faced by multinational companies. While they'll have one reporting button for Australia, managing reporting in other jurisdictions remains intricate.

Moreover, the centralized reporting doesn't exempt non-regulators from being informed. Employees, shareholders, and stakeholders will still need to be notified. It just simplifies the regulatory reporting process.

Vaughan: Absolutely and this, of course, simplifies the legal situation, providing a smooth transition into another recent concern that has arisen: Can we conduct incident response without involving lawyers? Now, Annie, is this a recipe for trouble, or is it a pragmatic approach? What's your perspective as a lawyer?

Annie: As a lawyer, I firmly believe we shouldn't be excluded from the room. I understand what it's like in the heat of the moment when you're trying to do the technical response and understand the extent of a breach, and you have somebody, anybody, lawyer or not, who is inexperienced and doesn't understand how a cyberattack plays out, nor what an incident response means in terms of technical communications and legal response. As a consequence, that person can get in the way! Now, this can happen regardless of whether you're a lawyer, a CFO, or a CEO. If you don't know what's happening, you can be a hindrance in the incident response rather than a help.

However, should legal advisors be barred from situations fraught with legal risks, not only during the incident but also throughout potential litigation and organizational exposure? Certainly not. Legal experts need first-hand information to provide the best advice to the organization, the Board of Directors, and the executive team. Excluding them from the process and offering only partial information results in advice that lacks a comprehensive understanding of the entire scenario.

So, how do you strike a balance between having inexperienced individuals in the room and obtaining sound legal advice? The key is to provide training and opportunities for practice. Include them in incident response planning, scenarios, and tabletop exercises. Grant them access to expert cybersecurity lawyers and breach coaches, ensuring they don't become hindrances in the room. They need the necessary help and experience to respond effectively, especially when dealing with a cyber incident for the first time.

It's crucial to acknowledge the need for more lawyers with expertise in cybersecurity, and I want to emphasize the value of firms like CyberGC. Recalling an incident from a couple of years ago involving Toll Group, where their lawyers actively resisted the government's attempts to obtain information about the breach, highlights the importance of legal expertise in such scenarios.

Vaughan: Reflecting on Toll Group's case a couple of years ago, where they resisted government assistance, and more recently with Optus attempting to prevent the disclosure of their post-incident report based on legal privilege, it seems adversarial and counterproductive. This situation won't benefit anyone.

Annie: Addressing this problem involves considering two distinct scenarios. First, when the government seeks to understand a live breach, especially in critical infrastructure situations, where the impact extends to the security of the Australian community. In such cases, the government should rightfully access information as it becomes a matter of national security. The Security of Critical Infrastructure Act and the recent strategy release indicate plans to include mechanisms for the government to access information from a breach with restricted use rights. Organizations like Toll hesitated to freely interact with the government during incidents due to uncertainty about how the exchanged information would be utilized. If handed to regulators with enforcement powers, it could lead to fines or court cases, creating reluctance due to potential liability. The strategy outlines a crucial development, ensuring that the interaction between ACSC and a company under attack will serve the purpose of supporting the company during the attack, acting as a safe harbor arrangement to avoid litigation.

On the other hand, the Optus scenario, involving a class action from impacted customers, introduces a different dimension. Legal professional privilege becomes significant in litigation, where parties must disclose all relevant documentation unless covered by this privilege. Legal professional privilege serves as a shield, safeguarding confidential communications between a lawyer and their client, as well as documents created for the primary purpose of legal advice. However, this privilege doesn't extend to all internal reports, such as routine cybersecurity assessments, as they lack the dominant purpose of legal advice. On the contrary, incident response reports following major breaches become highly sensitive legal documents during discovery.

These reports detail the specifics of the breach, including vulnerabilities exploited by threat actors, potential liabilities, and damages. By applying legal privilege to incident response reports, organizations aim to prevent their discovery in future court cases, minimizing additional harm to their defence against lawsuits. While not everything qualifies for privilege, companies like Optus have an obligation to strategically use it to prevent the public disclosure of potentially damaging information.

Regarding Safe Harbour and legal privilege, they are distinct concepts. Safe Harbour protects against government actions but doesn't shield against third-party claims. In cases like Optus and Medibank facing class actions for Privacy Act breaches, Safe Harbour might mitigate government-initiated actions, but it doesn't cover claims like breach of confidentiality, intellectual property rights, or breach of contract.

The challenge lies in finding a balance between maintaining essential records for effective operations and avoiding undue legal risks. Privileging everything is impractical and slows down processes. The advice is to be mindful of what you document, ensuring truthful records without hastily communicating unconfirmed hypotheses during incidents. Daily stand-up calls and voice communications are favored, documenting details when confidence in the facts is established, preventing legal exposure and confusion.

Vaughan: Sounds like good advice!
