Cyber, Privacy and Data Protection
Cyber attacks can result in ransomware events and data breaches, which compromise privacy and confidential information and require a rapid response to minimise legal and reputational damage to an organisation. They can also cause significant business interruption.
With the growing prevalence of cybercrime in Australia and globally, companies and individuals are at risk of a range of legal risks and harms resulting from cyber incidents.
Our team of specialist cyber and privacy lawyers is at the forefront of this rapidly changing legal practice area. We assist clients of all sizes with different types of cyber, privacy and data protection law matters. This includes responding to cyber incidents (and engaging appropriate vendors), advising on the full range of privacy compliance obligations, responding to regulatory investigations, managing cyber insurance claims and assisting with cyber-related disputes (direct actions, recovery actions or class actions).
Our market-leading team has collectively handled over a thousand cyber, privacy and data protection incidents. This includes some of the largest and most complex incidents in Australia and other jurisdictions.
In addition to cyber incident response work, we provide pre- or post-incident cyber advisory services to executives, boards, and other key individuals within organisations. Our cyber advisory services include cyber simulations (such as table-top exercises), training and workshops, assessments, reviews and preparation of policies, and building out whole-of-business plans to mitigate cyber risk.
The team includes leading front end privacy and data protection lawyers. We have a wealth of experience advising private and public sector clients on compliance and best practice with the constantly evolving Australian privacy and data protection legal framework. We also collaborate with legal counsel in other jurisdictions to provide assistance to our clients managing the application of international privacy laws, including the General Data Protection Regulation (GDPR).
‘There are few firms at the forefront of the explosion of issues surrounding cyber protection, cyber insurance and changes to the privacy landscape. Hall & Wilcox have been able to provide sound and timely advice consistently, whilst understanding our business needs and proactively sending advice/bulletins to help us keep ahead.’
Our cyber team works with ASX listed entities, corporates, SMEs, insurers and others to provide legal advice in relation to cyber risk.
We offer a comprehensive cyber incident management solution covering the whole life-cycle of a cyber incident, including:
- providing a cyber incident response hotline that operates 24/7/365 to ensure we promptly respond when a client requires assistance in relation to a cyber incident;
- providing legal advice, incident management and guidance regarding privacy, other regulatory obligations and third-party risk;
- assisting with notifications to regulators and individuals in accordance with applicable privacy obligations in connection with cyber incidents;
- vendor co-ordination and management in relation to each aspect of responding to a cyber incident;
- global coordination of cyber incidents affecting entities operating or providing services in various jurisdictions;
- handling disputes and regulatory investigations relating to cyber incidents, including class actions, recovery actions or insurance disputes;
- cyber insurance coverage advice; and
- pre- or post-incident cyber advisory and readiness services.
We have the expertise to handle all aspects of a cyber security incident or data breach, including in relation to privacy, ASX disclosure, AFSL conditions, APRA requirements, security of critical infrastructure and directors’ duties. We have an established and expert vendor network and are happy to work with our clients’ preferred vendors.
We advise on all privacy and data protection issues, including regulatory and compliance obligations, advice on protections in cloud and outsourcing arrangements, conducting privacy impact assessments, and assisting with complaints for breaches of privacy.
Specifically, we:
- develop and implement privacy policies, collection and consent notices, data retention policies, and compliance programs, including management and employee training programs;
- advise on legal compliance obligations under the Privacy Act 1988 (Cth) and applicable State and Territory privacy legislation and health records legislation;
- advise on specific privacy legislation queries, including matters such as consent, use and disclosure for a ‘secondary purpose’, data retention, cross-border data transfers, and access and correction requests;
- advise in response to privacy complaints and regulatory investigations undertaken by various regulators including the OAIC, ACMA and others;
- draft and advise on privacy and data protection clauses in supplier and other third-party contracts and data transfer deeds;
- provide legal advice with regard to actual or suspected data breaches involving compromised personal information;
- prepare submissions and responses to the OAIC and other regulators; and
- act for organisations in investigations and conferences by the OAIC and other regulators.
- Acted as incident response manager and legal adviser for a multinational publicly listed financial services company in connection with a major data breach. The matter involved directing a forensic investigation into the data breach and advising the company on its legal obligations with various regulators including the OAIC, ASIC and APRA. Our approach significantly mitigated the reputational risk in connection with the incident.
- Acted for one of the world’s leading publishers in relation to a significant ransomware incident. The matter involved liaising with legal counsel in other jurisdictions and developing strategies to address and reduce the risk of harm for affected individuals. Our proactive approach with the OAIC was well received and resulted in the client saving time, and reducing potential costs and reputational damage associated with the incident.
- Acted for a large Australian public company in the infrastructure sector in relation to a significant multiparty data breach that affected hundreds of thousands of individuals. The team developed an efficient and effective tailored notification strategy which assisted individuals to mitigate the risk of serious harm.
- Acted for an Australian publicly listed company in relation to an investigation by ASIC in connection with a ransom payment. Our involvement included liaising with ASIC and responding to requests for information as part of the investigation. The strategy we developed enabled our client to save significant time and cost in responding to the requests, and resulted in ASIC being satisfied that there was no breach of law; ASIC then closed its investigation.
- Acted for a medium-sized technology and data company in relation to malware deployed by a sophisticated threat actor. We engaged leading cybersecurity experts to eradicate the threat prior to the deployment of ransomware, and assisted with a voluntary notification to the OAIC and the handling of communications with third-party customers. Our client avoided a mass notification to close to a million customers. Business interruption and loss in connection with the incident were minimised.
- Providing privacy and data protection advice to a leading global technology solutions provider in relation to a medical coding software artificial intelligence (AI) platform that is being introduced into the Australian market.
- Assisting a large executive search firm with a complete privacy audit of their operations and privacy-related documents. This included advice on the application of the Privacy Act 1988 (Cth) and other relevant privacy and health records laws and drafting and amending a suite of documents, including their privacy policy, privacy statement, various candidate consent forms, information security policy, and various proposal and marketing documents.
- Undertaking a review of the data management practices of one of Australia’s largest retailers and distributors. This work included reviewing and preparing privacy, data collection and data retention policies, as well as updating third-party supplier contracts in relation to compliance with Australian privacy law and data breach notification obligations.
- Advising an association of private schools in relation to the privacy law issues and risks associated with their migration to a new centralised HR management system, including preparing a comprehensive and detailed Privacy Impact Assessment which considered a range of factors relating to information flow, such as how personal information would be transferred and stored, and an assessment of the security measures required to ensure the security and integrity of the information.
- Assisting a vehicle manufacturer in relation to the preparation of agreements to facilitate data sharing about customers with its dealers, to ensure compliance with privacy and data protection legislative requirements.
- Conducting a privacy audit, providing advice and implementing a compliance improvement plan (including privacy policies and procedures, data retention and destruction policies, data breach response plans, business continuity plans and staff training) for a large corporate group with multiple business units and subsidiaries and multi-sector operations. This required a tailored privacy-by-design approach: working closely with business stakeholders to map all data flows and existing policies and procedures, conducting a gap analysis and identifying risks (including working closely with the IT team on complex internal systems and managing consents required or missing from prior business acquisitions), and then carrying the work through to the implementation of recommendations and compliance rectification phases.