How in-house counsel can champion privacy in cyber security
Legal departments are critical to weaving a culture of privacy into their business on a day-to-day basis, according to a lawyer.
Ahead of the Corporate Counsel Summit 2023, Eli Fisher — senior legal counsel at Paramount Australia & New Zealand (parent company of Network 10) — said the most effective cyber security practice is “undoubtedly” interdisciplinary, and in-house counsel can play an important role.
At the summit, Mr Fisher will provide lessons for in-house counsel from cyber security frontlines, outline new regulatory reforms around privacy laws that they need to be aware of, and unpack the role they could play in improving their organisation’s cyber security maturity.
Two-pronged approach to cyber security
There are two layers to the in-house counsel’s role in bolstering their organisation’s cyber security posture, he explained.
One is the day-to-day business-as-usual (BAU) level, and the second is cyber security amid a crisis, data breach or ransomware attack.
On the BAU level, lawyers can champion privacy and design it into the business projects of the day, weaving it into the company culture, he proposed.
“This includes advising on the information security, confidentiality and privacy aspects of commercial transactions, and working with third-party business partners on their own data management and security if those partners are going to come anywhere near the databases or systems,” he told Lawyers Weekly.
“In addition, lawyers have to keep reminding the various business departments of ongoing security and data minimisation practices. Then there’s training and continuing internal education campaigns about cyber threats and security.”
Mr Fisher urged in-house counsel to collaborate with and learn from subject matter experts in this field, adding that he works with an accomplished information security team both locally and globally.
“The team is composed of experts who are passionate about good data management and protecting the business’s reputation and the security of our customers,” he said.
What to do in a crisis
In a crisis, by contrast, a successful cyber security response will be directed by legal, with the aim of complying with statutory and contractual obligations while remaining cognisant of legal exposure and maintaining privilege over internal communications, Mr Fisher said.
He underscored the importance of collaboration across every department and employee in the business when bolstering its cyber security measures.
“The best lawyers won’t try to do everything themselves, but will work collaboratively with their colleagues in the information security and tech teams as well as any external cyber consultants to understand the nature of the crisis and which systems are impacted,” Mr Fisher said.
“They will also work with the public relations or communications team to put forth and maintain a consistent message that alerts without alarming the impacted individuals, the public, and the various government agencies that might need to be notified. The business development and sales teams will be key to managing relationships.”
Government takes heavy-handed approach to privacy law
The data breaches at Optus and Medibank late last year were major cyber security incidents that shocked the country and prompted new reforms, including increases to penalties, which have since been enacted and come into effect.
Mr Fisher said the maximum penalty for serious or repeated interferences with privacy for companies has increased from $2.2 million to the greater of:
- $50 million;
- three times the value of the benefit obtained attributable to the breach; or
- if the court cannot determine the value of the benefit, then 30 per cent of the adjusted turnover of the company during the breach period.
The previous Liberal government had proposed increasing the maximum penalty to $10 million or 10 per cent of turnover, roughly five times the status quo.
The current government passed a bill with “real alacrity”, raising the maximum to five times that again, or around 25 times the status quo, he noted.
Mr Fisher underscored that this reform is an increase in maximums, not in actual penalties.
“Really, the maximum is moot if initiatives to enforce privacy law never approach anywhere near the previous maximum,” he said.
“Why I think the government’s zeal to increase the maximums is so important is because it reveals a political appetite to enforce privacy law more strictly. The government is sending a message, and I think that’s new in this space.”
Privacy law now a key pillar of risk assessment
The economic and reputational fallout from the major data breaches in late 2022 has changed the way businesses think about their privacy and data collection practices, Mr Fisher said.
The breaches have drawn more interest in data security from mainstream media and business commentators than in the past, and the government has also taken a keener interest.
Businesses are investing and preparing themselves more for cyber security incidents.
“I think it’s also fair to say that the Australian public has become more vocal in asserting its expectations and demanding that they are met,” Mr Fisher observed.
“Whereas once privacy law in Australia was almost viewed as a set of mostly-unenforced customer-service guidelines – how not to upset or creep out your customers – now it’s a key pillar of the business community’s risk and liability assessments – and rightly so.”
He concluded: “In short, it is now, more than ever before, absolutely critical to get cyber security right.”
To hear more from Eli Fisher about how legal departments could collaborate with every department in their organisation to shore up its cyber security defences and what approach they should take during a crisis, come along to the Corporate Counsel Summit 2023.
It will be held on Thursday, 25 May, at Sofitel Sydney Wentworth.