Synopsis
After experiencing a massive cyberattack, Optus commissioned an analysis of the cause. Optus said its purpose was internal only: to have an external expert’s opinion on how the data breach had occurred, and the appropriateness and timeliness of the root cause analysis and the steps for remediation made by the Optus internal team. When the resulting report came out, Optus tried to keep it secret, claiming legal professional privilege. But the court (and the appeal court) disagreed. That report is now in the hands of the class action lawyers suing Optus over the data breach.
HWL Ebsworth, after its data breach, obtained an injunction against persons unknown to prohibit secondary republication of information stolen from HWLE by (also unknown) hackers. That injunction may have significantly limited damage suffered by HWLE clients as a result of the breach, and aided HWLE in addressing an investigation by the OAIC as to whether HWLE took reasonable steps to protect the hacked personal information.
Practical legal management of cyber incidents is about a lot more than deciding whether or not you have a notifiable data breach.
However, most legal presentations focus on the NDB scheme. By contrast, this panel will discuss the practical legal risk management issues that are seldom discussed, but which are critically important in mitigating litigation risk and secondary disclosures arising from cyber incidents.
In time-critical crisis management of a cyber incident, key decisions may be well-intentioned but legally fraught, and may ultimately prove to be wrong. This panel will discuss how these pitfalls can be avoided.
The discussion will be aimed at non-lawyers who work with legal advisers in cyber-incident management and designed to provide practical pointers to aid decision-making by crisis management teams working at speed and under pressure.