Preventing a cyber breach investigation being used against your business
Calls for safe harbour laws to protect organisations from having information gathered during data breach investigations used against them in legal actions are gaining traction. The Minister for Home Affairs has flagged new safe harbour laws along with the establishment of a new Cyber Incident Review Board, which will be able to undertake “no fault” investigations into cyber breaches.
This comes off the back of the tension between:
- on the one hand, an organisation endeavouring to protect itself from third parties gaining access to and using against it information about the cause of cyber breaches gathered during an investigation; and
- on the other hand, the timely reporting and sharing of information with government agencies to assist in the limitation of damage, the gathering of intelligence about threat actors and prevention of future attacks.
Currently, when a cyber incident occurs, businesses can protect against third parties gaining access to information (which could be used in legal actions against the business) by ensuring, from the outset, that the investigation is carried out under the umbrella of legal professional privilege (LPP). This protection arises where the investigation is undertaken on a confidential basis for the dominant or main purpose of obtaining legal advice on the implications of the breach – including such things as the business's regulatory responsibilities, contractual obligations and exposure to claims.
In a recent decision in a class action against Optus, the Federal Court considered whether an investigation conducted by Optus into the major cyber breach last year was covered by LPP.
In this case, the Court decided that the investigation was not covered by LPP. As a result, the information gathered had to be disclosed and can be used against Optus in the class action proceedings.
Essentially, the reason for this was that Optus failed to set up the investigation at the beginning in a way which demonstrated that obtaining legal advice was the main purpose of the investigation. The Optus board had passed resolutions, and Optus had made public statements, saying that its investigation was directed to other purposes – such as to identify the root cause of the breach, to review its management of cyber risk and to review its incident response and reporting processes.
What this case shows is the importance of:
- establishing the scope and purpose of an investigation from the very outset under the instructions and supervision of your legal advisers; and
- ensuring that the actions and communications of the organisation and its stakeholders are consistent with the purpose of obtaining legal advice.
This article provides general comments only. It does not purport to be legal advice. Before acting on the basis of any material contained in this article, we recommend that you seek professional advice.
Our team of cyber and information security specialists advises clients at each stage of the data lifecycle – from proactive risk management to incident response and recovery.
From the outset, we work closely with our clients to identify and manage internal and external data privacy and security risks through legal documentation, establishment of appropriate board and management governance arrangements, policies and procedures, on-boarding arrangements and IT protection.
Should a cyber incident or information breach occur, our team will be right by your side to advise and assist you with response, damage mitigation, recovery and obtaining legal remedies.
Cyber Alliance Group
The Cyber Alliance Group is a collaboration between DMAW Lawyers, Comunet and Digital Trace Australia to provide comprehensive cyber security advice and services to business.
Whether you are responding to a cyber security incident or are looking to proactively enhance your cyber security processes and governance, we can provide a range of services that will enable you to re-focus your attention where it’s needed – your business.