Cyber, Tech and Data Risk Report – Issue 6, December 2023

We’re delighted to publish Issue 6 of our Cyber, Tech and Data Risk Report – our wrap-up of news for the second half of 2023 for insurers, brokers and their customers doing business in Australia and New Zealand in the cyber, tech and data fields.

In our December issue, we cover a number of developments in Australia including legal privilege of forensic reports, the increasing number of data breach class actions, the government response to the Privacy Act Review Report, amendments to the PPIP Act, the proposed mandatory data breach notification scheme in Queensland, OAIC’s legal action against Australian Clinical Labs for cyber breach delay, and cyber insurance recoveries for subrogation claims.

For New Zealand, we cover the introduction of the Privacy Amendment Bill 2023, changes to the government’s approach to dealing with cybercrime, the Office of the Privacy Commissioner (OPC)’s project on privacy rights for children and young people and the OPC’s guidance on the use of AI.

If you would like to discuss anything covered in these articles, please reach out to a member of the team.

Australia

A timely reminder about the privilege status of the forensic investigation report Optus obtained from Deloitte relating to the September 2022 cyber-attack was delivered by Beach J in the Optus class action last month – see the judgment in Robertson v Singtel Optus Pty Ltd [2023] FCA 1392.

While Beach J did not find that mere reference to the report in press releases by Optus would have resulted in a waiver of legal privilege, the issue was rather that the report was never privileged to begin with because the evidence did not establish the dominant purpose was for the provision of legal advice. In his judgment, His Honour was critical of what he characterised as “endeavours to cloak the Deloitte review with legal professional privilege” after work had already commenced.

In his decision, Beach J was clear that reports which have multiple purposes will not be protected by legal professional privilege. In reaching that decision, he considered the various statements, both external (via press releases) and internal (including board material) which showed that the report had been commissioned in advance of the retainer of Deloitte by Optus’ external lawyers. That ultimately led to his conclusion that he could not be satisfied that the dominant purpose for the report was the provision of legal advice, despite the privilege protocol put in place by Optus’ external lawyers in the formal retainer.

Interestingly, Beach J found that the reference to the retention of Deloitte in press releases would not have amounted to a waiver of privilege, if it had been established that the report was privileged in the first place. Optus may still appeal the decision and there is also the potential for it to make limited claims for privilege over parts of the report. In a case management hearing following the decision, Beach J indicated that Optus could propose redactions to the report to protect information that it maintains is privileged.

Regardless of the ultimate outcome in relation to this report, the decision is a good reminder for organisations of some key issues to keep in mind when commissioning forensic investigation reports after a cyber incident:

  • Be clear at all times on the purpose of reports which are retained in response to cyber incidents.
  • Reports need to be for the dominant purpose of obtaining legal advice – that does not mean the report cannot be used for other purposes but, if there are dual purposes, then the privilege status may be called into question.
  • It is critical that protocols for the protection of the confidentiality of the report are established at the outset.
  • Legal review of external statements is recommended to guard against waiving privilege.

In recent years, Australia has seen a surge in class action lawsuits stemming from data breach incidents, with businesses facing mounting legal challenges and reputational damage.

This article delves deep into the intricacies of data breach class actions, dissecting the legal framework, its implications for businesses, and the potential road ahead.

Read the full article here.

The Australian Government’s response to the Privacy Act Review Report (which was released on 16 February 2023, and set out 116 privacy reform proposals for public consultation) was released on 28 September. W+K’s Cyber team has summarised the Government’s response, outlining the five key areas with which it agrees with the Report’s proposals. The release of the priority areas and response by the Government sets some clear indications that the Privacy Act amendments are likely to progress imminently over the coming months.

Read the full article here.

On 28 November 2023, amendments to the Privacy and Personal Information Protection Act 1998 (PPIP Act) came into effect, with the most notable change requiring NSW public sector agencies to notify the New South Wales Information and Privacy Commission (NSW IPC) of eligible data breaches on a mandatory basis (MNDB Scheme), replacing the previous voluntary scheme.

The amendments were first passed in November 2022, with agencies provided a 1 year grace period to comply before the changes came into effect.

The MNDB Scheme now closely aligns with the Federal Privacy Act notifiable data breach scheme and requires agencies to notify the IPC and affected individuals where there has been unauthorised access, disclosure or loss of personal information held by an agency which is likely to result in serious harm. Agencies are required to take all reasonable steps to complete their assessment within 30 days after first becoming aware of the incident.

There are several other key amendments to the PPIP Act:

  • Expansion of the definition of ‘public sector agency’ to include NSW state-owned corporations. This means that NSW state-owned corporations, including for example Hunter Water, Sydney Water and Port Authority NSW, will be required to comply with the PPIP Act and the new MNDB Scheme.
  • The MNDB Scheme also requires agencies to satisfy other data management/transparency requirements, including to have a publicly accessible data breach policy, maintain an internal data breach incident register, and update their existing Privacy Management Plans.
  • The Commissioner’s powers have also been expanded to cover the new MNDB Scheme, including directing agencies to provide certain information to the Commissioner, recommending that agencies notify individuals of a suspected data breach, and accessing relevant premises to observe an agency’s data handling policies and procedures.

A mandatory data breach notification scheme (Scheme) is one step closer for Government agencies in Queensland.

The Queensland Government has recently introduced the Information Privacy and Other Legislation Amendment Bill 2023 (Queensland) to Parliament to establish the Scheme, which would require the Office of the Information Commissioner (Queensland) and affected individuals to be notified of eligible data breaches that would likely result in serious harm.

The requirements of the Scheme are materially similar to the Commonwealth’s Notifiable Data Breaches Scheme under the Privacy Act 1988 (Commonwealth Act) – and this is not the only area where Queensland is seeking to align with the Commonwealth. The Bill also proposes that Queensland move to a single set of privacy principles that align with the Commonwealth Act’s ‘Australian Privacy Principles’ (in contrast to the current, separate set of ‘Information Privacy Principles’ for most personal information, and ‘National Privacy Principles’ for health information). Public consultation on these reforms was sought early last year.

The timing of the Bill is notable, coming just weeks after an announcement by the Commonwealth Government that it would progress its review of the Commonwealth Act. In a media release, the Queensland Government described the Bill as a ‘stepping stone’ for further reform following any legislative change arising from the Commonwealth Act review.

Should the Bill pass, Queensland will become only the second state to introduce a mandatory data breach notification scheme, behind New South Wales. Such a scheme has been on the agenda for the Government for several years, following recommendations arising from several public sector culture reviews – most notably the Coaldrake Review.

While mandatory, the Scheme would only relate to data breaches involving Queensland public sector agencies and connected entities. Private sector organisations based in Queensland will continue to be subject to the Privacy Act 1988 (Cth), where applicable.

The OAIC commenced civil penalty proceedings in the Federal Court against Australian Clinical Labs (ACL), following an investigation into ACL’s privacy practices which arose as a result of a data breach suffered by ACL in February 2022. This is the first time that proceedings have been commenced for, amongst other things, delay in notification arising from a data breach. Read more.

If the Federal Court finds there have been serious or repeated interferences with privacy in contravention of section 13 of the Act, ACL could face civil penalties of up to $2.2 million for each contravention (the incident occurred prior to the amendments made to the Privacy Act in December 2022 (under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022), where the penalty provision was revised to $50 million).

The investigation follows a February 2022 data breach of ACL’s Medlab Pathology business, which resulted in unauthorised access to the personal information and health information of more than 100,000 individuals, some of which was posted on the dark web.

The OAIC alleges that from May 2021 to September 2022, ACL contravened section 13G of the Privacy Act 1988 (Cth) (‘Act’) through:

  1. breaches of Australian Privacy Principle (‘APP’) 11.1(b), which requires an APP entity to take such steps as are reasonable in the circumstances to protect personal information
  2. contravention of section 26WH(2), which requires an APP entity to carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach and to take all reasonable steps to ensure that the assessment is completed within 30 days, and
  3. contravention of section 26WK(2), which requires an APP entity to notify the Australian Information Commissioner of an eligible data breach as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach.

The court proceedings instituted by the OAIC against ACL are the first of their kind and a timely reminder to APP entities, in the steps they take after any data breach, of the need to expeditiously assess whether an eligible data breach has occurred and to ensure that timely notification is made to any impacted individuals. Additionally, organisations found to have breached these provisions of the Act could face much steeper penalties in the future under the amended provisions of the Act.

On 13 November, ASIC released the results of its recent cyber pulse survey into the cyber capabilities of corporate Australia. The survey identified significant cyber gaps, in particular that many organisations are still being reactive rather than proactive when managing their cybersecurity, as well as a lack of sufficient control and oversight over third party or supply chain risks (presenting easy access to threat actors into organisations’ systems and networks). See the full results of the ASIC pulse survey here.

OAIC notifiable data breaches report for January – June 2023 released:

  • January to June 2023 saw 409 data breaches reported to OAIC.
  • Cybersecurity incidents were the source of 42% of all breaches.
  • The top three cyber-attack methods were:
    • ransomware, which accounted for 31%
    • compromised or stolen credentials for which the method was unknown, which accounted for 29%, and
    • phishing, which accounted for 19%.

Of relevance for entities that suffer eligible data breaches, the OAIC has cautioned APP entities against relying on the presumed motivations of threat actors and absence of evidence of unauthorised access when assessing cyber incidents:

Reliance on these factors can adversely affect the accuracy of a data breach assessment. The OAIC also encourages entities to:

  • Take a cautious approach. If an entity suspects a data breach has occurred but is unable to eliminate that suspicion quickly and confidently, the entity should consider proceeding on the presumption that there has been a data breach. Notification obligations are triggered once there are reasonable grounds to believe that an eligible data breach has occurred. Conclusive or positive evidence of unauthorised access, disclosure or loss is not required for an entity to assess that an eligible data breach has occurred.
  • Consider all relevant factors and risks of harm. Entities need to assess a range of relevant factors, when assessing the likelihood of serious harm (s 26WG). Given the objective of the scheme is to promote notification, entities’ assessments should weigh in favour of notifying the OAIC and affected individuals.
  • Focus on unauthorised access. Given the clear risks posed by exfiltration, the OAIC appreciates that initial priority may be given to assessing exfiltrated data and notifying individuals to whom it relates. However, an eligible data breach can occur based on unauthorised access alone and individuals’ data can be stolen by less traceable means, such as screenshots. Therefore, entities should not rely on data exfiltration as the determinative factor for deciding whether an eligible data breach has occurred. Entities need to consider all the information that was accessed by a threat actor, or the information that was accessible to them.

In November 2023, the Australian Signals Directorate (ASD) released its findings for the 2022-23 financial year: https://www.cyber.gov.au/about-us/reports-and-statistics/asd-cyber-threat-report-july-2022-june-2023

The ASD responded to over 1,100 cyber security incidents reported by Australian entities. Of those, 143 related to critical infrastructure and approximately 10% involved ransomware. Millions of Australians had their personal information stolen and published on the dark web as a result of significant data breaches.

Statistics

  • Average cost of cybercrime per report up 14%
    • Small business: $46,000
    • Medium business: $97,200
    • Large business: $71,600
  • Cybercrime reports up 23%
  • Calls to the Australian Cyber Security Hotline up 32%
  • Top 3 cybercrime types for individuals:
    • Identity fraud
    • Online banking fraud
    • Online shopping fraud
  • Top 3 cybercrime types for businesses:
    • Email compromise
    • Business email compromise fraud
    • Online banking fraud

ASD’s ‘Essential Eight’ cyber security mitigation strategies

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict administrative privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Regular backups

While many in the insurance industry will be familiar with subrogated recoveries, until recently there has been little appetite to pursue recovery actions in Australia for cyber claims.

We are now seeing a growing interest from insurers to pursue subrogated recovery claims against technology professionals in respect of ransomware, data exfiltration and system downtime, which are said to be attributable to failures by external technology providers.

This newfound desire is understandable where the Australian Signals Directorate has indicated that it receives on average a report of cybercrime every six minutes[1], often leading to significant expenditure for insurers for first and third-party losses, forensic investigation costs, network restoration, ransom payments, regulatory penalties and business interruption.

Against this backdrop, it is unsurprising that insurers are increasingly looking to explore their own subrogation rights to recoup their losses from those whose acts or omissions can be said to have caused the incident. Subrogation can be an effective means of holding responsible parties accountable and, in turn, helping to lessen the financial burden on the insurer.

While there is an increased appetite, there is not yet an established body of caselaw in respect of these claims and, accordingly, subrogated recoveries for cyber claims are not without their difficulties where parties are effectively navigating uncharted territory.

Wotton + Kearney has significant experience in handling subrogated claims following cyber incidents. We set out some of the critical issues which must be considered where seeking to explore subrogated recoveries for cyber claims.

Forensic Investigations

Forensic investigations provide the roadmap for any recovery action and should identify how the incident occurred, what security measures were (and were not) in place at the time, and how the attack could have been prevented.

Forensic investigations will help flush out the key liability issues, such as whether appropriate steps were taken to secure the insured’s network and assist with the early identification of potential recovery targets. Working closely with forensic investigators during the claims process will also assist with clarifying the technical aspects of the incident, which are often critical in understanding how and why any purported wrongdoing of technology professionals caused or contributed to the incident.

Often there are multiple third-party service providers who perform separate but interrelated roles, and it is critical that any forensic investigation considers the involvement of any network and data providers, managed service providers, antivirus software vendors, software installation services and ad hoc break/fix IT services.

Early identification of potential recovery targets through forensic investigations will also allow insurers to determine the viability of any recovery action at an early stage by considering whether the recovery target is based overseas, was also a victim of the incident, and/or is uninsured for its losses and any liability to third parties.

Terms of Engagement

The nature of any formal contract between an insured and recovery targets is often a determining factor in any recovery action.

If a written contract does exist, insurers will need to determine:

  1. who is responsible for managing cybersecurity, configuring data backups or patching software vulnerabilities, and
  2. does the contract purport to limit or exclude liability? If so, do the terms give rise to legal arguments around unfair contract terms and consumer protection laws?

Where there is no written contract or agreement, recovery becomes more difficult as insurers will need to prove the existence of the contract (either by conduct and/or orally) by relying on other evidence of cybersecurity obligations performed, or services provided more generally.

Causation

Recoveries against technology professionals are typically founded in negligence, breach of contract, and/or misleading or deceptive conduct in respect to the technology professional’s systems or competency.

This raises an associated issue of causation, where the increasing sophistication of threat actors poses real questions as to the ability of third-party providers to prevent a cyber-attack in any event.

Another factor which is often prevalent in cyber recoveries is determining whether factors outside of the control of the recovery target have contributed to the loss sought to be recovered by insurers. Common examples of this are poor record management, shared responsibility for maintaining computer systems/updates, delays in responding to incidents, and where business interruption/loss is claimed, the nature of the communications sent by the insured to its clients.

The evolving landscape of cyber threats and the legal intricacies surrounding them require insurers to adapt and refine their strategies to navigate these complex cases effectively, particularly as cyber-attacks can occur simultaneously along multiple aspects of the same technology supply chain.

The ability for an insurer to squarely attribute liability for an incident where there are multiple parties involved is a highly complex undertaking well-illustrated in the Singaporean High Court decision in Razer v Capgemini [2022] SHC 310 and the subsequent appeal (Razer Decision).

Razer Decision

In the third issue of our Cyber, Tech and Data Risk Report, we discussed developments in the trial between American-Singaporean gaming hardware manufacturer Razer and IT vendor Capgemini over a 2020 data breach.

In December 2022, the Singaporean High Court awarded Razer $6.5 million in damages including $6.1 million in loss of profits from Razer’s e-commerce platform, along with additional costs for engaging a law firm and a forensic expert.

Capgemini filed an appeal of the High Court’s decision and argued that it should only have to pay “nominal damages” instead of the $6.5 million awarded at first instance.

During the appeal hearing, Capgemini’s lead counsel argued that Razer:

  1. failed to prove damages for loss of profit
  2. did not adequately mitigate its losses by delaying response to warnings, and
  3. should be considered contributorily negligent for the delay.

Capgemini claimed that Razer’s cybersecurity and compliance process architect did not take reasonable steps to address the data leak. They highlighted Razer’s admission that its process architect had failed to respond immediately and escalate warnings received from Capgemini.

Capgemini pointed out that Razer had issued a warning letter to its process architect, emphasising that the extent of the issue could have been significantly reduced if she had responded appropriately. However, the judge did not consider the letter to be significant in determining contributory negligence.

Razer’s lead counsel questioned the extent of delay that would constitute a breach and one of the judges on appeal expressed concern over Razer’s failure to promptly respond to the warnings and questioned why contributory negligence should be considered zero. Razer agreed that there was a delay but argued that they were not negligent overall.

The Court directed both parties to discuss a possible reduction in damages if contributory negligence or failure to mitigate on Razer’s part is established. The court otherwise reserved its decision.

The case highlights the complexities in attributing liability to external and internal technology professionals in circumstances where both parties have a part to play in data breach response. The extent to which the Court considers Razer contributed to its own negligence by reason of the delay to respond to warnings issued by Capgemini will prove telling for future cases concerning contributory negligence allegations in technology professional claims.

[1] Cyber Threat Report, Australian Signals Directorate, 14 November 2023, 2.

New Zealand

In September, the Privacy Amendment Bill 2023 was introduced to Parliament. The Bill, which amends the recently adopted Privacy Act 2020, fills a “gap” in the current regulation in circumstances where agencies collect personal information indirectly.

The Privacy Act 2020 requires agencies to provide certain information to individuals when collecting personal information directly (under Information Privacy Principle 3 (IPP3)). This includes information about the collection, what the information may be used for, and the individual’s rights under the Act. In a bid to bolster transparency and individual privacy rights, the Bill extends the notification requirement to the collection of personal information indirectly, or from sources other than the individual in question.

The Bill imposes this requirement through a new information privacy principle – IPP3A. As with IPP3, IPP3A requires that individuals are notified of: the collection and the purpose of it, the intended recipients of the information, details of the agency collecting and/or holding the information, if collection is authorised or required by law, the particulars of that law, and the individual’s rights to access and correct the information.

As with IPP3, there are exceptions to the IPP3A requirements. These include where the information is publicly available, or the individual has already been made aware of the information referred to in the notification.

When the Bill is passed into law, agencies will need to assess their notification practices and ensure that they are complying with the Privacy Act 2020 when collecting personal information from individuals and from third party/indirect sources.

On 31 July, the Government released a 2022 report from the Cyber Security Advisory Committee (CSAC), which sheds some light on the future of the Government’s role in cyber incident response in New Zealand.[1] The CSAC made sweeping recommendations which included:

  • creation of a ‘single front door’ agency for notification of cyber incidents and coordination of response resources
  • implementation of minimum cyber risk management guidelines for New Zealand companies
  • introduction of mandatory reporting of cyber incidents and ransom payments in specified industries/sectors
  • an oversight regime for ISPs and MSPs, including mandatory cyber incident reporting requirements
  • a review of the cyber insurance market led by the Reserve Bank of New Zealand, and
  • direct intervention to strengthen the cybersecurity labour market through migration, training and working with education providers.

At this stage, the Government has proceeded with just one of the CSAC report’s recommendations. On 31 August 2023, CERT NZ was folded into the GCSB, with then GCSB Minister Andrew Little confirming that an improved operation model will take effect in 2024. This appears to be the first step towards the creation of a “single front door”, with the intention of streamlining the Government’s outreach and assistance to entities impacted by cybercrime. In the meantime, CERT NZ and NCSC will continue to deliver existing functions. We await the Government’s next steps in this area with great interest.

Of note are the CSAC’s comments on the state of cyber insurance in New Zealand, in particular the under-insurance of New Zealand businesses when it comes to cyber incidents. Given the change in Government since July, it remains to be seen whether the remainder of the CSAC’s recommendations will be implemented.

[1] https://www.dpmc.govt.nz/sites/default/files/2023-07/pr-nz-cabinet-csac-report-back-workstreams-1-2-3.pdf

In September this year, the Office of the Privacy Commissioner (OPC) launched a project on children and young people’s privacy rights.

The OPC is currently seeking input from professionals who work with, and advocate for, children. Input will then be sought from the wider community, including children, in early 2024.

The Privacy Act 2020 contains specific requirements addressing the collection of information of, from and about children and young people, although these are relatively limited. The OPC’s current project seeks to assess the effectiveness of these requirements and establish whether further guidance is required.

This latest project coincides with a recent statement from OPC regarding reports of schools considering deployment of CCTV in school bathrooms to combat negative behaviour such as bullying and vaping. The OPC did not advise against this action but recommended that schools conduct a privacy impact assessment to ensure all relevant considerations are engaged with, including less intrusive options.

The announced project and recent commentary reflect a clear focus on children’s privacy for 2024. Whether this results in amendments to the Act, or more formal guidance or regulation around the processing of children and young people’s information, remains to be seen. Agencies dealing with children and young people’s personal information would be well advised to keep a close eye on any output from the OPC in this area, on which we will continue to provide updates.

Following various regulatory and legislative developments overseas, and the release of a preliminary practice note in May, the OPC has released its formal guidance on the use of AI and the application of the information privacy principles (IPPs).[1]

The guidance starts by setting out a limited number of technologies (or descriptions of technologies) that the OPC considers to be “AI” for the purposes of the advice. It goes on to detail the ways these technologies may engage the Privacy Act 2020 and how entities may utilise AI responsibly.

Of particular note are the OPC’s expectations for agencies using AI, which include:

  1. approval of senior leadership based on full consideration of risks and mitigations
  2. consideration of whether a generative AI tool is necessary and proportionate given the potential privacy impacts, and whether a different approach could be taken
  3. completion of privacy impact assessments before a tool is used
  4. transparency – informing individuals how, when and why a tool is used
  5. engagement with Māori around potential risks and impacts to the taonga of their information
  6. procedures to ensure accuracy of, and access to, information
  7. human review prior to acting on AI outputs to reduce risks of inaccuracy and bias, and
  8. adequate controls over retention and disclosure of information by AI tools.

The latest guidance document acknowledges the recent rise in generative AI, which has driven an upswing in guidance and regulatory scrutiny. Given the sudden but seemingly sustained take-up of these technologies, we anticipate that the guidance note will be the start of regulation and guidance in this area, rather than the finished article. For the meantime, the guidance represents a robust and considered starting point for those considering the adoption of AI tools. If you are considering adopting AI tools and have any queries, do reach out to a member of W+K’s Cyber, Privacy + Data Security team to discuss.

[1] https://www.privacy.org.nz/assets/New-order/Resources-/Publications/Guidance-resources/AI-Guidance-Resources-/AI-and-the-Information-Privacy-Principles.pdf

W+K is pleased to be ranked for data protection for the very first time in Australia and New Zealand in the 2024 Chambers Asia-Pacific legal rankings.

W+K’s Cyber, Privacy + Data Security team will be on-call, monitoring cyberxmas@wottonkearney.com.au and our Cyber Incident Hotline over the break. We are available to take instructions, triage calls and help with urgent incidents. Find out more here.