A day in the life of incident response privacy counsel

We are delighted to contribute to the April issue of the Privacy Law Bulletin by LexisNexis. Read our full article below.

What is an “incident response privacy counsel”?

Reece: The term is often interchanged with “incident response manager” or “breach coach”. Effectively, it refers to someone who specialises in responding to cyber incidents of all kinds (including but not limited to data breaches), drawing on privacy, technology/data risk and crisis management experience, to drive an outcome.

In practical terms, we make ourselves available around the clock, 7 days a week, to help entities, government agencies and individuals navigate an incident, ensuring they get to where they need to be as quickly as possible. We work with a panel of 80+ vendors who provide all kinds of services including forensics, network security, dark web monitoring, threat intelligence, notification support, and data risk remediation to resolve the incident.

We also act for the impacted entity in regulatory investigations and third-party claims following an event — which informs the incident response process to mitigate long term exposure.

Richard: Our role is to provide step-by-step guidance to affected entities and, in doing so, we help them mitigate their immediate losses and regain trust with their staff, customers and business to business (B2B) stakeholders. We are often written into cyber insurance policies as first responders or as the recommended legal service provider, and work with the insured entity to report to insurers and achieve alignment on the approach being adopted. In our experience, insurers are very keen to work closely alongside their clients during an incident and ensure they are supported throughout the journey — and our advice is always to consult insurers step by step.

While we primarily act for insured entities (ie, entities with cyber insurance), our estimates are that at present only about 15–20% of the Australian market has cyber insurance and so increasingly we are acting for the corporate uninsured market (ie, companies that have incidents but which are uninsured) providing the exact same service.

As a broader trend prediction, we expect that more companies will purchase cyber insurance and, if the US market is a good indicator of the future position, will likely reach saturation point (50% of companies with insurance) in the next 3–5 years, although there is more work to be done in promoting the value of cyber insurance to companies and government agencies to get there.

What are three key tips for good incident response?

Reece: Before an incident, it is critical that entities develop a Cyber/Data Breach Incident Response Plan and test it annually (and whenever members of the core Incident Response Team join the organisation). Increasingly, supply chain vendors and insurers are asking for copies of plans as evidence of preparedness maturity. The OAIC may also ask for a copy following a notification of an Eligible Data Breach, particularly if the organisation’s response to the incident was weak, and so it pays to have a plan in place to demonstrate proactive risk management and ensure a streamlined response.

Richard: During an incident, it is critical to maintain trust with all affected stakeholders. This includes employees, which is every organisation’s key asset, as well as business partners, third party vendors, funders/ shareholders, customers, regulators and wider industry stakeholders.

To help maintain trust, organisations should complete a stakeholder map upon first identifying an incident — which will inform the plan for how to manage each of those stakeholders’ actual or perceived concerns arising out of an incident, and will bring the various functions of the business together to manage the incident (ie, HR, risk, community relations, legal, media management etc). Organisations will typically be judged by third parties (and regulators) based on their response to the incident, and not necessarily the occurrence of the incident itself, which is why incident response preparedness is key.

Reece: After an incident, organisations should conduct a post incident review and identify opportunities to improve incident response resilience and wider data handling issues. The OAIC will typically ask for proof of improvement steps taken by the organisation postincident. This process is also useful for rebuilding stakeholder trust as organisations can demonstrate that they have uplifted their processes or practices. This process is also critical for purchasing/renewing insurance policies as insurers will want to understand that the root/contributory cause of loss has been addressed and that there are no ongoing causal factors left unaddressed. Some consultancy firms are currently pushing impacted entities to publicly discuss incidents to destigmatise cyber risk, particularly ransomware incidents. While we agree that the approach of sharing lessons learned is valuable, it needs to be managed carefully so as not to expose the impacted entity to claims risk (for example by publicly tabling weaknesses in security/data handling practices that were exploited) and should not be mandatorily required (especially regarding the payment of ransoms). However, approached in the right way, impacted entities do have an opportunity to inform the wider community of cyber risk and steps that can be taken to mitigate current events. In this way, impacted entities can help raise the standards across the board and contribute to protecting the wider business community — which is critical as the economy rebounds from COVID-19. The Australian Cyber Security Centre (ACSC) also has a key role to play in sharing knowledge, as does the insurance industry.

What are the main types of incidents that you are dealing with?

Reece: As the incident response managers for entities (and their insurers), we see a wide variety of engagements ranging in size, profile and industry of affected entities. In terms of incident types, the five most common are:

1. business email compromise (BEC)
2. ransomware
3. lost/stolen devices
4. vendor data breaches
5. data leakage through control misconfiguration/ human error

There is a mixture of internally/externally and inadvertently/maliciously caused incidents, although cyber crime/state-sponsored activity is where we see most activity.

The benefit of being aligned with the insurance industry in acting for impacted entities is that we can leverage the insurance industry’s experience of dealing with the same types of incidents around the world to spot and respond to incident trends. In this way, entities can gain “herd immunity” by learning from the experience of other affected entities in responding to a particular type of incident — they don’t have to “go it alone” thinking they are solely impacted. There are also cost efficiencies to be gained.

For example, by working with insurers and key stakeholders such as the ACSC, over the years we have assisted the industry respond to key events that have shaped the cyber security/privacy landscape — including the trojan-malware events of 2017 (NotPetya and Wannacry), business email compromise surge since 2016–2017 (and associated payment misdirection losses), Emotet spreading in 2019, big-game-hunting ransomware in 2020 (still continuing), nation-state activity in 2020–2021 (still continuing) and other major events such as supply chain compromise activity (there are a number on foot presently).

As well as helping drive industry response to these major events, we have also assisted clients respond to a number of different incident types including “white hat” security researchers reporting vulnerabilities, dumpster diving (stealing data from rubbish bins), break and enters where USBs and other devices are stolen, insider threats (jaded ex-employees and IT contractors posting data online or stealing intellectual property), industry wide multi party data breaches (involving well known software as a service (SAAS)/ platform as a service (PAAS) providers, managed service providers (MSPs) and third party contractors), global data breaches involving social media, dating and gaming websites, and the more traditional cyber-crime/fraud activity involving funds transfers and theft of data for financial gain.

Richard: By capturing data from our engagements we can observe and report on industry trends. As Reece has touched on earlier, presently ransomware incidents feature highly — making up 32% of current incidents, BECs are 36%, and the remaining 32% is everything else. The top three industries targeted are Professional Services, Financial Services and Healthcare/Technology. By comparison, in June last year, the numbers were 24% ransomware, 24% BECs, and 52% everything else, and the top three industries targeted were Healthcare, Retail and Professional/Financial Services. This means that (and consistent with the ACSC, Office of the Australian Information Commissioner (OAIC), Australian Securities and Investments Commission (ASIC), Australian Prudential Regulation Authority (APRA) and Australian Competition and Consumer Commission (ACCC) industry reporting) ransomware is a key incident type affecting Australian companies with an 8% frequency increase year-on-year (based on what we are seeing), with Healthcare and Professional Services industries being heavily affected.

However, the data noted above does not tell the whole story — because while we are only seeing an 8% increase in the number of ransomware events occurring since last year, the severity of ransomware incidents has significantly increased. The effort and time required to respond to these incidents, as well as the associated financial losses, are typically much more significant than other incident types and in previous years. There is also increased regulatory exposure, and organisations need to pay very careful attention to funds tracing and sanctions risk, which is a murky area and part of a constantly evolving regulatory landscape.

If we are to protect our economy from ransomware, we need a multi-disciplinary approach combining the expertise of privacy professionals, policy makers, law enforcement, insurance and IT security teams. Privacy and technology lawyers have a real opportunity to engage with the debate on whether paying ransoms should be made illegal (our view is that the question is not as simple as some might think) and what other measures can be adopted to protect our economy from this risk.

What are the thorny privacy issues that you see in your line of work?

Reece: Now that the notifiable data breaches (NDB) scheme has been in force for 3 years, conducting “serious harm” assessments and responding to incidents in a timely manner is no longer a novel process and the OAIC expects that entities notify affected individuals promptly where required. Despite this, some multi-partydata-breaches continue to be mishandled and the OAIC has signalled that all parties to the breach need to ensure that they comply with their residual assessment and notification obligations, irrespective of the other parties’ approach.

In responding to this issue, more can be done to develop incident response processes involving vendor data breaches and putting in place stronger contractual terms to manage supply chain risk by addressing how an incident will be handled post-incident. This is particularly relevant in the current environment, with several high-profile supply chain attacks impacting Australian companies and agencies (including the legal industry).

Separately, when responding to an incident, a major weakness is not having a clear picture of what data is held by an entity and where on the systems it is stored. This blind spot often causes delays in assessing and notifying incidents and can lead to costly reviews of impacted data (particularly unstructured data). Where companies decide to notify cohorts before data has been reviewed, this can lead to premature over-notification (which can cause undue alarm and distress and unnecessary notification costs), or broad-brush notifications being made to affected individuals without the requisite level of specificity around what data is at risk and what specifically needs to be done to mitigate that risk. In conducting a data risk assessment, there is a real balance that needs to be struck between notifying in a timely manner vs notifying in a meaningful and accurate way. The OAIC has already signalled that several defective notifications have been made and ordered entities to re-notify. We anticipate that getting notifications wrong (ie, over notifying or not notifying correctly) will lead to increased third party consumer claims risk in the coming years, as the jurisprudence around compensating data breaches evolves and classes of individuals seek recompense.

Finally, with the OAIC now becoming more active in the regulatory enforcement space (notably through Commissioner-initiated investigations (CIIs), determinations, penalty proceedings and representative complaints) we anticipate there will be precedent setting decisions which will guide the industry’s approach on what is considered best practice in handling/protecting data in compliance with the Australian Privacy Principles (APPs), responding appropriately to data breaches and compensating/remedying privacy non-compliance.

We are already starting to see early decisions filter through public determinations and correspondence with the OAIC, however we anticipate the OAIC’s public regulatory activity will be the next frontier in shaping the privacy compliance landscape. Although not strictly “privacy” related, the same can be said for the recent ASIC and ACCC litigation against tech companies and financial advisors and APRA’s and other industry initiatives, which are starting to shape conversations with and actions of entities and their directors and officers to uplift security and privacy practices.

Richard: Whenever an incident occurs there is almost always an underlying data handling issue that is exposed. In remediating a breach issues that typically arise are: out of date privacy policies (APP 1.3); dealing with unsolicited personal information (APP4) inadvertently collected by the entity; unauthorised disclosure of data (APP 6) through poor employment practices; implementing security uplifts and gaining accreditation (to comply with APP11.1); data retention/deletion/de-identification issues (APP11.2); data access requests and correction of data post notification (APPs 12 and 13); and issues surrounding the collection and use of TFNs and government identifiers (identified through the breach of such data).

Against this background, most entities will use a data incident as an opportunity to uplift their privacy posture. This is partly driven by a desire to regain trust with employees and customers and partly in anticipation of any resulting litigation and regulatory investigation. One of the main benefits of a law firm leading the incident response is that if certain steps are taken, legal professional privilege can be claimed over investigations and remediation work. IT providers and security/privacy consultants simply cannot provide that assurance and as we move into a heated regulatory investigation/claims environment, this will be a key issue. In-house legal teams and external counsel should put “legal professional privilege” higher on the agenda, especially for material events with likely long tail claims exposure.

Companies must also be mindful of ever-changing privacy/industry laws within Australia, regionally and globally. For example, mandatory notification laws have been introduced in Japan in June 2020, New Zealand in December 2020 and Singapore in February 2021. Companies must keep a close eye on what is happening around the world and be mindful of issues around interoperability and, when embarking on a multi jurisdictional notification campaign, ensuring local compliance with notification form/content/timing requirements, differences in regulatory appetite and increasing consumer awareness/claims risk across the jurisdictions.

One key trend which we are closely watching with the current tech litigation is the extra-territorial reach of our local laws to offshore companies and the impacts on behaviour of global companies doing business in Australia — particularly the tech giants who have proven that they are willing to shut down their services in Australia in response to laws that do not suit them. It will also be interesting to see how the upcoming changes to the Privacy Laws impact corporate Australia’s attitude to privacy, particularly small businesses not currently caught by the Laws, but which handle sensitive data (and have data breaches!).

What is your message to future privacy practitioners looking to get into this space?

Reece: Cybercrime behaviour and appetite, geopolitical tension, new technologies, external market conditions such as COVID-19 and law reform will continue to alter the face and nature of “cyber” risk. If you want to work in this area you will be forever challenged in a space that is fast paced and forever changing, which I personally find quite rewarding.

There is an endless amount of opportunity to collaborate with the broader industry on new projects, ideas and ways of managing risk — not just from a legal perspective — but also from a broader business risk and growth opportunity perspective. Focus on soft skills development and establishing relationships within the industry to gain a broader perspective of managing data/privacy risk. More can be done to bridge the traditional privacy/ insurance/IT security forums and bring the brightest minds together.

Finally, the legal/tech/insurance industries are traditionally male-dominated and so there is an opportunity for more female participation and leadership across the industries. This is something that should be actively promoted from grassroots to the top levels of organisations and industry and is something we are actively working towards as we build and grow our own team.

Richard: Too often I see general counsel teams and execs hand over control of the incident to the IT or risk team to manage. By contrast, some of the best and most rewarding engagements I have worked on were those where the in-house legal team led or played a vital role in the response. This is typically because the legal team has the ear to the decision makers of the business or the delegated authority to make key decisions and are trained to manage all kinds of crises and risk. Legal teams also sit across multiple functions including regulatory compliance, HR, risk, vendor contracting, and Australian Securities Exchange/public communications and can manoeuvre between the teams required to manage the response.

I encourage all in-house practitioners to strongly engage with the subject matter of data privacy and in the time of crisis — put up your hand to lead or actively support the response. Don’t be afraid to ask the tech and forensic teams what they mean by their findings, as often their findings will have a direct and material impact on the legal questions in issue. It is important that all teams are working closely together in the time of crisis to manage the risk holistically.

Finally, as a community, we are at an intersection. On one hand we can see the true value of data and technology used well (the NSW contact tracing efforts is a great example). However, on the other hand, we are also becoming much more aware of our rights and longer-term implications of technology and data risk (a cursory glance at the Australian Financial Review’s latest headlines will show that this is now a front-page news issue, much more so than 5 years ago).

With new technologies such as internet of things (IOT), facial recognition and biometric data, nanotechnology manufacturing, digital IDs and increased use of robotics (to name a few hot topic advancements), it will be interesting to see how community attitudes continue to shape best practice and ethical business culture. We all have a part to play in shaping the future of tech, data and privacy risk.