
‘Law firms need to invest in cyber resilience’

As new regulations and legislation come into play within the cyber security space, it’s more important than ever for firms to invest in insurance to protect themselves against cyber attacks and crimes.

Lauren Croft, 12 April 2023

James North is a partner and head of technology, media and telecommunications at Corrs Chambers Westgarth

Speaking on an episode of The Lawyers Weekly Show, produced in partnership with Commonwealth Bank and co-hosted by national director of professional services Daniela Pasini, Mr North discussed the current state of cyber risk and the data and regulatory concerns organisations should be aware of.

In the last year, there have been some “significant” changes to the legislative landscape in the cyber and technology space, with penalties in particular now much heftier.

“If you look back 12 months ago, the civil penalties that applied under the Australian Privacy Act were fairly lightweight. For a serious or repeated interference with privacy, the maximum civil penalty was $2.2 million. And if you think about the fines that apply under other legislation, such as the Competition Act, Competition and Consumer Act, that is relatively small, and some would say it was probably not an appropriate response or incentive for organisations to protect personal information appropriately,” Mr North outlined.

“At the end of last year, that changed quite dramatically. The penalties were very significantly increased. So, the penalty that now potentially applies for serious or repeated interferences with privacy [is] the greater of $50 million (Australian), three times the value of any benefit obtained by the organisation, or 30 per cent of annual turnover.

“So, there are very significant penalties now. We might see the OAIC in the coming years seek to set a precedent for Australian organisations, in seeking to have the federal court apply a very significant penalty in the cyber space, where personal information is accessed as a result of an organisation’s failure to, I guess, appropriately protect it.”

Last year, the OAIC was also given new powers to step into a data breach and require the organisation to demonstrate it was complying with those legal obligations, Mr North explained.

“I think that is just reflective of the government’s view: that in some cases, Australian organisations aren’t responding appropriately to cyber breaches. They’re taking too long, for example, to notify affected individuals or the regulators. So in that scenario, I think we’re going to see a more aggressive regulator in the privacy space, more akin to how the ACCC goes about enforcing the Competition and Consumer Act. We’re likely to see more regulatory reform.

“The Attorney-General has asked for a report from his department on further changes to privacy law. And those changes could be quite wide-ranging, and they’re likely to bring the Australian Privacy Act closer to the European law, the GDPR, which is considered to be the high watermark in terms of privacy regulation around the world. But in the cyber space, we could see a tort of invasion of privacy legislated, and that would be quite transformative for the legal market in Australia,” he said.

“Currently, if you are an individual that has had your data stolen by a cyber criminal, you can seek compensation, a compensation award from the OAIC. And the OAIC has some powers to award compensation, but there’s no right to sue the organisation involved.”

In light of these new regulations and penalties, Mr North emphasised that cyber insurance is an “essential part of cyber resilience” within organisations, although it is getting harder and harder to obtain.

“In order to obtain cyber insurance now, insurers are requiring you to demonstrate cyber resilience, [and] that you’ve got appropriate technical defences in place, that you have appropriate procedures to respond to a breach if it occurs, that you’ve got appropriate board oversight in place. All of those things are required in order to obtain insurance now.

“What I would recommend is that if you’re seeking insurance, [or your] cyber insurance is up for renewal in six months’ time or a year’s time, that you start to take steps to make sure you are resilient before you apply for renewal, because it’s going to affect your premium, and there is the possibility that you will have insurance declined if you’re not cyber fit. The other area in insurance that is kind of moving at the moment is in relation to ransoms. Last year, we saw a really significant increase in ransom claims by cyber attackers,” he added.

“[Typically, that would be covered] by your insurance. But now, the insurers are asking for co-contributions by the insured. They will pay 50 per cent, but the co-insured also has to pay 50 per cent. So, the coverage is starting to narrow because insurers are seeing this as a significant risk for them and their organisations, because as these cyber attacks are so prevalent now, the risk that the insurers have to pay out significantly on them has increased.”

Moreover, smaller firms, in particular, are more at risk, according to Mr North.

“Let’s say a large bank is very sophisticated in the cyber space, and their chances of breaking down the defences are not that good. But one way to attack the big organisation is to access one of their suppliers, attack one of their suppliers. And if you think about law firms, they hold some really sensitive data on behalf of their clients, who may be significant[ly] large organisations,” he concluded.

“I think law firms need to invest in cyber resilience themselves. It’s not just an issue for them to advise their clients on; it’s an issue for their businesses. And as we all know, we hold some pretty sensitive information on behalf of our clients, and that’s attractive to cyber criminals.”

The transcript of this podcast episode was slightly edited for publishing purposes.