Cyber risk and litigation: Some guidelines for directors and boards
Cyber risk is among the top risks facing businesses and other organisations today. New Zealand businesses reported $39.6m in losses from cyber crime in the two years leading up to 2023, and this figure includes only those which reported their losses [1].
Internationally, cyber crime is estimated to cost businesses $10.5 trillion annually by 2025 [2]. Furthermore, in addition to losses to cyber criminals and resulting losses to individuals and investors, regulators in New Zealand and abroad are increasingly taking a close interest in what regulated firms are doing to manage cybersecurity risks.
Increased cyber crime results in increased litigation. Claims are made against companies that are victims of cyberattacks that result in private and personal information of their customers and others being released. Claims are made upon insurers when losses are suffered. Remedies are sought from banks and other financial institutions that do not prevent customers’ losses resulting from cyber crime. Regulators are increasingly focusing upon the adequacy of regulated entities’ cyber protections and the steps being taken by their boards.
Recently, the personal information of 9.7 million Medibank customers was stolen and posted online after its insurer declined to pay a ransom demand. This has resulted in two class actions in the Federal Court of Australia and a proceeding on behalf of the shareholders in the Victorian Supreme Court. In New Zealand, the Latitude cyberattack in March last year exposed the personal records of 14 million customers, including a million New Zealand driver’s license numbers and 40,000 passport records. In response, the New Zealand Privacy Commissioner and the Australian Information Commissioner commenced a joint privacy investigation, a $1 million lawsuit has also been filed by one of the customers affected and registrations are open for a potential class action against Latitude.
Company boards should take note. The World Economic Forum has expressed a view that boards need stronger foundations to govern cyber risks effectively [3]. In an Institute of Directors / ASB Bank survey, just 54% of directors reported that their boards regularly discuss cyber risk and are confident that their organisations have the capacity to respond to a cyberattack or incident [4].
In this article, we provide key considerations for how directors and boards might mitigate cybersecurity risks and respond to a cyber incident if one occurs.
Managing cyber risks
The Australian Securities and Investments Commission (ASIC) has set out guidelines for good practice in cyber resilience [5] and has said that good cybersecurity strategy and governance are characterised by board ownership and responsive and agile governance models. The Institute of Directors New Zealand has also published a ‘practical guide’ to cyber risk [6]. In light of these materials and our experience, we set out below some key tips on managing cybersecurity risks.
1. Establish an enterprise-wide cyber risk management framework:
Boards have a responsibility to hold management to account in establishing a fully integrated organisational approach to cybersecurity. Organisations should approach cybersecurity as an enterprise-wide risk, rather than treating it only as an IT issue. A cybersecurity strategy should outline a comprehensive approach to risk management, incident response, and recovery. The World Economic Forum’s Principles of board governance of cyber risk is a useful reference for developing a cybersecurity strategy.
2. Give cybersecurity regular attention on the agenda and continue to build cyber competency:
While directors do not need to be cyber experts, they need a sufficient level of understanding to stay on top of key risks and issues. They should consult external expertise where appropriate. It is helpful to ensure that there is cybersecurity expertise at senior management levels and that senior management updates the board on any key changes to cyber vulnerabilities or the wider cyber risk environment. It is helpful to refer to the Institute of Directors guidance on reporting cybersecurity to boards on how to improve cybersecurity reporting.
3. Understand the legal environment:
It is critical that directors understand their legal responsibilities and the implications of cyber risk relevant to their organisation and keep abreast of changing regulatory expectations. A helpful resource is our recent cover to cover article on recent regulatory developments in this area. Regulators such as the Financial Markets Authority and the Privacy Commissioner, as well as insurers, may require notification and/or investigation of cyber and privacy breach incidents.
4. Identify, categorise and address the risks:
Management should identify which cyber risks to avoid, accept, mitigate or transfer through insurance. They may then formulate specific plans associated with each approach. It is helpful to refer to CERT NZ’s 11 top tips for cybersecurity for practical guidance on managing cyber risks.
5. Improve long term cyber risk management:
In the long run, organisational changes to improve cybersecurity processes are likely to pay for themselves. Directors should consider:
- Regular reviews and assurance: Conduct regular reviews of cybersecurity strategies and security audits to identify vulnerabilities and assess the potential impact of a cyberattack. Results should be measured against success criteria such as time to detection, speed of response and recovery process.
- Strong cultural focus and training: For most organisations, the main point of cyber weakness is human frailty. Effective cyber resilience requires a strong ‘cultural’ focus driven by the board and reflected in organisation-wide programmes for staff awareness, education and random testing of staff and third parties to assess cyber-awareness.
- Invest in cybersecurity infrastructure: Implement robust cybersecurity measures, including firewalls, encryption, intrusion detection systems, and secure backup solutions, and keep them all up to date.
- Manage third-party risks: Steps include conducting due diligence (such as obtaining independent security attestation reports and certifications), and using contract terms to improve transparency and mitigate fourth-party risk, for example, by requiring suppliers to notify the organisation if their subcontractors or vendors experience a cybersecurity event.
6. Ensure a comprehensive cyber and data breach response plan is in place:
In the event of a cyber breach, an assessment and remediation of the breach will likely be most effective and credible in the eyes of stakeholders, such as the Privacy Commissioner and affected individuals, if undertaken within the context of a tested data breach response plan. The New Zealand Privacy Commissioner and the Office of the Australian Information Commissioner have set out four key steps in dealing with a privacy breach: contain, assess, notify and prevent / review.
Responding to a cyber incident
In the event of a cyber incident, it is important to be prepared. As the Institute of Directors has observed, organisations that have not planned for an incident tend to perform badly; they tend to panic and waste time and energy working out their approach, while the attacker continues to disrupt services or access confidential data [7].
We set out some key steps and considerations that could form part of a cyber response plan.
Identify and contain
Identify and contain the breach to prevent further data loss. This may involve taking affected systems offline or restricting access.
Assess the impact
Determine what data has been compromised, how many individuals are affected, and what the potential consequences could be. This will help in formulating a response.
Notify relevant parties
If the breach meets the threshold of ‘serious harm’ under the Privacy Act 2020, organisations are required to notify the Privacy Commissioner and affected individuals “as soon as reasonably practicable.” See our podcast on the various factors that should be considered when assessing the ‘serious harm’ threshold, and how organisations should interpret the requirement to notify “as soon as reasonably practicable”.
Investigate and remediate
Investigate how the breach occurred and take steps to fix those vulnerabilities and prevent future breaches.
Keep proper records
Keep records of the assessment of the breach, response, and any remediation. This is particularly important if an organisation is called upon to justify not reporting a breach because it has judged it unlikely to cause serious harm. Note however that these records are likely to be discoverable in any litigation, so ensure that they are prepared with this in mind, avoiding any unhelpful statements or critical comments.
Consider privilege issues
Legally privileged documents may be withheld in litigation or during a regulatory investigation, but it is critical that the right steps are taken before and during a cyber incident to maintain privilege and avoid inadvertently waiving it. Communications will typically be privileged where they take place with a legal advisor for the purpose of giving or receiving legal services. Communications may also be privileged where they are made for the dominant purpose of preparing for an anticipated legal proceeding. However, communications made for other purposes, or communications that are not intended to be confidential, will not be privileged.
In the event of a cyber incident, communications and documents with the following purposes are at an increased risk of requiring disclosure in litigation:
- investigating the cause of a cyber incident;
- informing stakeholders about a cyber incident; and
- discussing existing or new cybersecurity processes.
The recent Optus class action proceeding highlights this issue, which we discuss next.
Maintaining privilege when responding to a cyber incident: lessons from the Optus class action
When a cyber incident occurs, the affected organisation may wish to commission an investigation (whether internal or external) into the incident. This can be risky, as the resulting report may be helpful to litigants who bring proceedings against the organisation and/or its directors. The report may identify what was done wrong and may criticise the organisation.
A recent Federal Court of Australia judgment underscores the importance of proper privilege protocols before an incident occurs. Belatedly setting up privilege protocols and processes will not retrospectively confer legal privilege upon an investigation report. The purposes of preparing the report, and the evidence which demonstrates those purposes, are critical when a privilege claim is challenged. In September 2022, Optus, the Australian telecommunications service provider, suffered a data breach that affected the personal information of up to 10 million customers. Optus engaged external solicitors to provide legal advice and instructed Deloitte to conduct a forensic review of the attack and complete a report.
Following these events, a class action claim was brought against Optus in the Federal Court of Australia claiming that it failed to protect or take reasonable steps to protect customers’ personal information. The Deloitte forensic review contained information relevant to the claim, but Optus refused to discover it and similar documents, claiming that they were subject to legal professional privilege.
The Federal Court found that the report was not privileged, despite Optus claiming that its dominant purpose was for the purpose of legal advice or litigation. The Judge placed considerable weight on a press release issued by Optus shortly after the data breach [8] which included the following comment [9]: “this review will help ensure we understand how it occurred and how we can prevent it from occurring again. It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists”.
The Court held that the Deloitte report was not privileged because it was prepared for a number of purposes, not for the dominant or overriding purpose of legal advice or litigation. While one of the purposes of the report was to provide legal advice for the purpose of litigation or regulatory proceedings, other purposes included identifying the circumstances and root causes of the cyberattack, rectification, and reviewing Optus’ management of cyber risk in relation to its policies and processes.
There are differences in the law governing legal advice privilege in New Zealand and Australia. Unlike in Australia, New Zealand’s statutory definition of legal advice privilege makes no mention of the need for a dominant purpose, although the statutory definition of litigation privilege does. It is possible that the New Zealand courts may require only that legal advice was one of the purposes for which a report was created, but this does not appear to have been settled, so it would be prudent for organisations to assume that reports will only be protected where their primary purpose was to inform legal advice.
Another difference is that in Australia, a third-party expert report may be protected by legal advice privilege if it was produced for the primary purpose of enabling lawyers to provide legal advice. In New Zealand, the relevant provision of the Evidence Act describes legal advice privilege only with respect to documents passing between clients and their lawyers, not third parties such as experts. It is possible that legal advice privilege may attach on the basis that the third parties are agents of the client, but that will depend on the facts of each case. Litigation privilege is different, as privilege will attach to documents prepared by third parties where the dominant purpose was to enable the client to instruct lawyers, so where litigation is reasonably contemplated that may be a more effective method of protecting a report. Ensuring that a report is protected by legal privilege is not straightforward and should be considered carefully from the outset.
Best practice steps for protecting legal privilege:
Establish and follow legal privilege protocols:
Establishing proper privilege and confidentiality protocols prevents inadvertent waivers of privilege in a stressful and time-sensitive scenario such as a cyber breach.
Seek legal advice early:
Understanding disclosure and reporting obligations following a cyber incident is crucial. Protecting documents with privilege may also be important. Promptly consulting a legal adviser will assist in navigating these priorities.
Be clear when stating the purposes of inquiries:
To claim privilege in respect of documents or communications created as part of an inquiry into a cyber incident, in summary, the document or communication must be created by the client for the purpose of legal advice or by the client or a third party for the dominant purpose of preparing for a legal proceeding. To assist in successfully asserting privilege over these materials, the legal purpose must be unambiguously stated and supported by contemporaneous evidence. It is also important to ensure consistency in the messaging of internal and external communications, which Optus did not do effectively.
Exercise particular care with multipurpose reports and documents:
Where a report is commissioned for a number of purposes, a privilege claim is at risk of challenge. Documents prepared by in-house counsel may be more prone to challenge than if prepared by external legal advisers, as in-house staff more often provide non-legal business and strategic advice which does not attract privilege.
Final remarks
Cyber risks increasingly result in litigation. We see this trend continuing. Organisations should respond by preparing to counter cyber risks and by having a well-developed plan for responding to a cyber event that provides not only for the IT response but also for the legal risk that follows.