Cybersecurity Legal Obligations



[A] Firstly, this is not legal advice. This is my own experience of having to pick up the pieces in hindsight. Security data breaches will often involve duties owed by the Board or by the Chief Information Security Officer (“CISO”) in charge of the organization's entire security. Hence, to succeed, a claimant has to establish the duties owed by the Board and/or the CISO, and whether the defendants acted reasonably. For example, was it reasonable to use real data in a test environment and, worse, to expose that test environment via an API and even publish it on GitHub? Many of these general fiduciary duties are baked into statutes such as Companies/Corporations law and the Privacy Act (by whatever name), and others into private contracts such as a Privacy Policy or Data Retention Policy. If a CISO also acts as a company director, they could face shareholder actions for breach of duty following data and privacy breaches, based on damage to company value. This mirrors the trend in other jurisdictions such as the U.S., where CISOs have already been the subject of high-profile claims for breach of duty. Litigation is always time-consuming, takes a lot of the Board’s attention and is costly; it is rare to recover even half of the expenses on lawyers, and therefore the strategy is always to control the information/disclosure and negotiate. In most cases claimants are represented by litigation funders in class actions, and they are likely to look for a quick exit as well, instead of tying themselves up in a long-drawn case where justice has yet to catch up with the technology.


[B] It is beyond doubt that personal data is now accessible to anyone with the means and motivation. The problem is not one-sided: the existence of bad actors follows the existence of sloppy defenses. In short, the reason one's data is being sold on the dark web is that it has monetary value or is blackmailable. For example, the fact that credit card numbers are not randomized is a major reason why they can be monetized. Surely the better way is to have randomized numbers generated on demand that live for, say, 30 minutes only. In this way there is no reason for any merchant to store your credit card data, and therefore no reason for bad actors to breach the store's database, as said data is of no value beyond 30 minutes. It is a common-sense and practical solution, and yet today most credit cards come in plastic with fixed numbers plus a CVV. Luckily, Alliance Bank in Malaysia is now offering a digital random-number credit card that can only be used within 30 minutes. It is like an OTP. Hopefully this will deter the most motivated hackers. But in case you find yourself having trouble sleeping at night, then perhaps the following may help to litigation-proof your security breaches.
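The 30-minute random-number card idea above, as an added example that is not part of the original article and not any bank's implementation: a hypothetical issuer mints a Luhn-valid virtual card number bound to an expiry, so a copy of that number lifted from a merchant's database authorizes nothing once the window has passed. The `VirtualCardIssuer` class, the placeholder `bin_prefix` and the 30-minute constant are my assumptions.

```python
import secrets
import time

TOKEN_LIFETIME_S = 30 * 60  # assumed 30-minute validity window, as in the article


def luhn_check_digit(partial: str) -> str:
    """Check digit for a digit string so that partial + digit passes the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # digit left of the check digit is doubled, then every other one
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Merchant-side format check only; says nothing about whether the number is live."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class VirtualCardIssuer:
    """Hypothetical issuer: short-lived random PAN -> (real account, expiry). Constructed for illustration."""

    def __init__(self, bin_prefix: str = "400000"):  # placeholder BIN, not a real issuer's range
        self.bin_prefix = bin_prefix
        self._live = {}  # pan -> (account_id, expires_at_epoch_seconds)

    def issue(self, account_id: str, now: float = None) -> str:
        """Mint a fresh 16-digit Luhn-valid PAN that maps to account_id for TOKEN_LIFETIME_S."""
        now = time.time() if now is None else now
        body = "".join(secrets.choice("0123456789") for _ in range(15 - len(self.bin_prefix)))
        partial = self.bin_prefix + body
        pan = partial + luhn_check_digit(partial)
        self._live[pan] = (account_id, now + TOKEN_LIFETIME_S)
        return pan

    def authorize(self, pan: str, now: float = None):
        """Return the account for a live, unexpired PAN; None otherwise. Expired entries are purged."""
        now = time.time() if now is None else now
        entry = self._live.get(pan)
        if entry is None:
            return None
        account_id, expires_at = entry
        if now >= expires_at:
            del self._live[pan]  # a stored copy of this number is now worthless
            return None
        return account_id
```

Because the mapping lives only at the issuer and dies after the window, a breached merchant database yields numbers that no longer resolve to any account.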


1. Privilege is critical. So far only lawyers and their clients have this protection, and it can be useful especially when the opposition is asking for meeting notes after a breach. Commonly, litigants make very early requests to see internal memos, communications and forensic reports. Therefore it is important that you have a heart-to-heart with your lawyer to set up privilege properly as part of your communication chain; otherwise you will need to disclose all the materials sought. Note that privilege only extends to anticipated litigation, so the opposition will argue that a purchase order from 12 months prior could not have contemplated litigation. Another way is to avoid taking or keeping any notes, but this may be neither feasible nor reasonable given the need for transparency and records.


2. Be careful as to what information is recorded. As recording is impossible to avoid, the next step is to be smart about what goes into those reports. Reports are written after an event, so it is important to keep a clear head and an audit trail of the decisions taken and why. One needs to be objective. For example, while dealing with an immediately challenging situation, it is not unusual for ill-judged comments (often from high-level personnel) to be made and recorded in writing, which can be unhelpful in later legal proceedings. It is particularly important that everyone understands which communications are likely to have the protection of legal privilege in the relevant jurisdictions and which will not. Again, make sure you have a lawyer overseeing this before signing off.


3. Documents ready. The CISO should be able to provide, when requested, documented policies and procedures including artifacts of compliance, screenshots of security configuration settings, firewall logs, access audit logs, user computer system and application access request forms, and employee security training records.


4. The response plan must be litigation-proof. Examine the plan to make sure key service providers’ details are up to date, i.e. your lawyers, your external vendor service providers, etc., and that the internal line of communication is clear (who does what), i.e. who makes the call on instructing lawyers, and the chain of command (whether approval is needed). Who are the key service providers to call? What are the internal lines of communication? Who makes the call on instructing lawyers and other key advisors? Is it the CISO, or does it require other approvals? If the system is down, how do the key personnel handling the breach communicate securely? What type of breach is most likely to impact the company, and who are the counterparties/clients most likely to be affected? What do the data privacy clauses in contracts with counterparties require? Are there notification requirements in those contracts? It should read like a playbook, with a mock rehearsal done once a year. A rule of thumb is that if a response plan can’t stand up to questions about whether your protocols follow local laws and industry standards, you need to act fast to address those gaps.


5. Cybersecurity law. As CISO, you will need to be knowledgeable of the laws and rules applicable to your industry and geographic regions. In Australia, the government has proposed strengthening the law and sought public feedback. In particular, it sought views on whether a civil prohibition should be introduced for failing to provide consumer guarantee remedies under the ACL regime (pg 54). It also sought to expand the Privacy Act to allow plaintiffs to litigate a claim for breach of their privacy, which is not possible today. Also on the table is permitting class actions (due to the costs), or permitting the OAIC to bring cases on behalf of individuals or groups of consumers. More pertinently, the Government is also considering whether the small business exemption from the Privacy Act should be retained, and how any changes would interact with a direct right of action.


6. Insurance. You must have this and read the fine print, but it can be your worst nightmare too. Litigation can have direct implications for cyber insurance matters as well, impacting things like coverage exceptions, renewals and new business. Insurers look favorably on the companies that bounce back the fastest: those that put their customers first by being transparent, doing whatever it takes to help impacted customers minimize the impact, and sharing the steps they plan to take to ensure it doesn’t happen again.


[C] Finally, most clients would ask what they are getting from their lawyers. Lawyers will generally do the following around the time of the breach and during the pre-litigation period:


1. Advising on press statements with a view to protecting your reputation. As I said, keeping quiet is not ideal, as desperate clients will voice their concerns via social media to bring the heat onto your organization. The best response is to provide assistance to your clients.

2. Anticipating the plaintiffs’ next move, such as discovery applications, and negotiating a settlement.

3. Responding to the authorities’ investigation, which takes up most of the time.

4. Once litigation is initiated, lawyers will implement a litigation strategy based on what information they can obtain from you, say by attacking the plaintiffs’ lack of standing to sue, weak evidence of injury (no actual financial losses due to the breach), and class claims through enforcement of arbitration clauses. Note that in the latest saga in the US, Clemens v. ExecuPharm Inc., decided in September 2022, courts will continue to find ways to let data breach litigation go forward even if the affected consumers have not suffered identity theft or fraud from misuse of their information. In Clemens, the court concluded with a very broad statement: “Given that intangible harms like the publication of personal information can qualify as concrete, and because plaintiffs cannot be forced to wait until they have sustained the threatened harm before they can sue, the risk of identity theft or fraud constitutes an injury-in-fact.” This contrasts with June 2021, when in TransUnion LLC v. Ramirez the US Supreme Court held quite bluntly that the risk of future harm does not provide standing for a damages claim.
