Cyber is a rapidly growing and evolving risk that impacts all organisations in Australia. Understanding cyber risk and taking steps to mitigate it can be critical for an organisation’s financial well-being and reputation. To achieve this, organisations need to be prepared for a cyber incident, know how to respond effectively if an incident occurs and understand their regulatory obligations.

Our leading cyber team can assist you in relation to all aspects of cyber risk. Our team is comprised of lawyers who have acted for or advised hundreds of organisations in connection with Australian and multinational cyber security and data breach incidents, including on some of Australia’s largest and most high-profile matters. These organisations have included large ASX-listed companies, corporates, SMEs, insurers and insureds.

Partners Eden Winokur and Jacqui Barrett discuss the key lessons regarding cyber due diligence in M&A transactions that can be learned from the Marriott case after it acquired the Starwood company, which had been subject to a cyberattack.

Our services include:

  • managing the engagement of our network of leading cyber security and other experts where necessary to respond to an incident;
  • providing privacy and other legal advice in respect of actual or suspected data breaches or security incidents, including drafting notifications to and engaging with the Office of the Australian Information Commissioner, other regulators and individuals affected by data breaches;
  • providing advice on communications with third parties, including the organisation’s leadership team, customers, employees and the public;
  • defending or bringing litigated claims in connection with cyber incidents, particularly in relation to ransomware attacks, data breaches, social engineering fraud and system outages;
  • advising on cyber insurance coverage; and
  • providing pre-incident and post-incident advisory services to executives, boards and key individuals within organisations regarding cyber risk and responding to incidents.


Our team's experience includes:

  • acting as incident response manager and legal advisor for a multinational publicly-listed financial services company in connection with a major data breach. The matter involved directing a forensic investigation into the data breach and advising on legal obligations with various regulators including the OAIC, ASIC and APRA. Based on the forensic investigation, the organisation was able to take remedial steps to avoid the reputational damage associated with a widespread public notification.
  • acting as incident response manager and legal advisor to a client who provides technology and data services to local governments and universities following discovery of an incident involving an experienced nation-state threat actor. The matter included directing leading IT cyber security experts to investigate the source and eradicate the threat, a voluntary notification to the OAIC and handling queries from key third-party customers. The client was able to continue its business with little disruption and its loss was minimised. This success can be attributed to identifying and engaging the right experts, and open and collaborative dealings with the OAIC.
  • acting for various organisations in disputes relating to social engineering fraud after a hacking incident, which resulted in an invoice being fraudulently altered and money being inadvertently paid to a threat actor.
  • acting for insurers providing cyber insurance policy advice for a large number of claims and in respect of a wide range of coverage issues.
  • board and executive training on a variety of topics, including:
    • claim trends and key risks;
    • how to best manage and respond to an incident, including incident response planning;
    • simulated incidents, primarily for ransomware, data breaches, business email compromise and social engineering fraud;
    • regulatory developments associated with cyber;
    • data retention obligations and policies;
    • contractual obligations arising from a network security incident or data breach; and
    • communications and reputational risk assessments.

Key contacts

Eden is a leading cyber, privacy, disputes and insurance lawyer who heads the Hall & Wilcox cyber practice.

Alison has more than 20 years’ experience in a wide-ranging employment and privacy practice.

John Gray

Partner, Technology & Digital Economy Co-Lead and NSW Government Co-Lead

John is a corporate lawyer specialising in technology and IP law, particularly for IT, telecommunications and media clients.

Sumith Perera

Chief Operating Officer


Sumith is the Chief Operating Officer and the national Head of Corporate Services at Hall & Wilcox.

Our team

Sam is a general insurance lawyer with experience in large and complex litigation.
