Law departments must have a ‘game plan’ for cyber attacks
Following the Optus data breach and the rise of cyber crime, this cyber partner urged in-house legal departments to be better prepared moving forward.
Speaking recently on The Corporate Counsel Show, Eden Winokur, who is a partner and head of cyber at BigLaw firm Hall & Wilcox, revealed the lessons organisations could learn from the Optus data breach — as well as what legal departments can be doing to help.
Following the Optus data breach, Mr Winokur said legal departments should be taking a number of proactive steps so that they are better prepared to protect their organisations from cyber crime.
“I see cyber as a really holistic business risk, and one that the legal department should be managing the way that it manages all types of risks. I actually recommend proactively having communication packs ready for these types of incidents,” he said.
“So, in the case of Optus, for example, they should have pre-written communications that would go out to customers or regulators or the media, assuming if they got hit by ransomware, if they got hit with a major data breach; they can fill in the details, but they should have templates ready to go, so you’re not scrambling once an incident happens to try and get those communications. They 100 per cent should be drafted with the input of legal, so that’s what legal teams should be doing in my opinion; they should be setting up communications packs.”
In addition, there are a number of regulatory reforms Mr Winokur said are likely to come in — particularly around the Privacy Act.
“One of the key issues with the Optus attack has been questions around how much data Optus [was] holding, and whether there was really a need to continue to hold onto things like driver’s licences, passports, [and] Medicare cards, long after accounts had been opened. Now, I think that that will become the subject of the OAIC’s investigation, and it may well form part of any privacy reform, which I’m predicting will be forthcoming from the government any week now,” he explained.
“Privacy reform has been on the cards for some time, and I think that the Optus breach will be the straw that breaks the camel’s back and that we will see amendments to the Privacy Act very shortly, which will drastically increase the maximum penalty that the Office of the Australian Information Commissioner can seek to impose on companies.”
Therefore, putting in place good cyber systems is going to become an obligation, according to Mr Winokur, who said that this would be in addition to a current obligation to “take reasonable steps” to delete or de-identify data once it’s no longer needed.
“In my experience, most companies in Australia are not up to scratch when it comes to having in place reasonable steps to deal with the deletion and de-identification of data. And to me, that is the one thing that if anyone from any in-house counsel team is listening in today, if there’s one takeaway from today, I’d implore them to really stop and think about the whole process of data collection and retention and think about the idea of de-identification and deletion,” he added.
“Really stop and think, how is my organisation placed in this process? Do we do things at a level that the OAIC would expect if the magnifying glass was put onto us? And if the answer is, well, no, we could be better, or no, we really haven’t thought through that properly, then I would encourage the organisation to really stop and think about their whole data management process from scratch, and really start looking at ways that the business can implement new systems or come up with a new data retention policy to make sure that by the time these privacy reforms are enacted [their company is ready].”
In terms of practical things legal departments can do to mitigate cyber risk, Mr Winokur’s number one recommendation was to engage with cyber experts and run through a “simulated attack”.
“It could be a ransomware incident; it could be a major data breach. And what we like to do is to actually work through the company’s incident response plan, and we make sure that it’s up to date, that it’s tested, [and] that it’s fit for purpose.
“And that process itself will identify whether there [are] any areas that are needed for improvement, and make sure that all the regulatory considerations are being considered in a timely way. It might be that we’re able to identify that there’s some more work to be done on the communication side of things. When the IT people are involved, they might identify some gaps in terms of logging and things like that, that can be really important to make sure that a speedy response can be achieved,” he said.
“Bring in external experts with experience to run through effectively simulated attacks, to identify where the organisation may have some gaps, and also to put the leadership team through the various sorts of issues that they might go through if an attack happens so that they’re thinking about the issues.”
Moreover, a big cyber attack can mean “major reputational damage” to the organisation and its profitability — and Mr Winokur warned legal departments to be prepared.
“Every legal team should be taking steps with the organisation to make themselves a far harder victim. Don’t leave the front door open, [and] don’t leave the window open to let the cyber criminals come in. Make sure you’ve got the bars, make sure you’ve got the sign up saying we’ve got an alarm here, make sure the CCTV footage is on,” he concluded.
“And just be prepared. Just really have a game plan so that if you are unfortunately attacked, you’ve already got your tested plan in place, [and] you could roll it out. And if you do that, I think companies will be as well placed as they can be.”
The transcript of this podcast episode was slightly edited for publishing purposes. The full conversation with Eden Winokur is available as an episode of The Corporate Counsel Show.