Security breaches force lawyers to rethink cyber laws

Recent cyber attacks have caused law makers to rethink cyber crime laws, writes Middletons partner Dudley Kneller.

With yet another security breach coming to light in recent days, it seems inevitable that some form of mandatory breach notification laws and enhanced cyber crime laws are just a matter of time. Just over a month after Minister for Justice, Home Affairs, and Privacy and Freedom of Information Brendan O’Connor stated that development of mandatory breach notification laws appears to be "necessary", Citigroup, the Australian Institute of Company Directors (AICD) and Distribute.IT have all experienced serious data security breaches.

Earlier this month Citigroup announced that hackers had accessed Citigroup's online system, which allows customers to manage their bank cards. The data compromised included names, account numbers, email addresses and other contact information. Approximately 360,000 customers were affected, significantly more than the figure of 210,000 initially provided by Citigroup.

Although the breach was discovered by Citigroup on 10 May, Citigroup was slow off the mark. Customers were not immediately notified and replacement cards were not issued to affected customers until over 2 weeks later. The public was made aware a further week after that.  

In Australia the AICD breach occurred when a laptop was stolen from its Sydney office during a scheduled power outage when the building's security doors were disabled.  The laptop held the information of about 28,000 members (including directors of some of Australia's largest companies, government bodies and charities) and 38,000 customers (including public and private companies).  The data consisted of names, residential addresses, phone numbers and dates of birth.

In the last few days, Australian web hosting provider Distribute.IT experienced the most serious breach yet, which has had devastating consequences for the company and the customers affected. The hack resulted in the loss of data of about 4,800 web sites. Distribute.IT initially spent some days trying to recover the data, only to declare that it was "unrecoverable" due to the extent of the damage to its systems. In the last few days NetRegistry opportunistically acquired the distressed company and is now working closely with affected customers to transfer them across.

All of these breaches have serious consequences for the organisations involved as well as their customers. The Distribute.IT breach in particular left the company exposed. Delays in notifying customers, inadequate security measures and unauthorised disclosure of personal information all pose significant risk to companies affected by security breaches. The costs involved in rectifying the breaches, issuing new cards and notifying affected customers are significant. The impact on reputation should not be underestimated either. These breaches have attracted broad interest from the media as well as from government. Regulators and companies affected by the breaches will have to work hard to re-establish trust with their customers and other stakeholders.

All this comes less than two months after a security breach at Sony sparked renewed Government interest in mandatory breach notification laws. The breach to Sony's servers resulted in hackers obtaining over 100 million users' account information and analysts have indicated that they expect that the breach will cost Sony about $200 million to recover from.  Sony's failure to notify users until a week after discovery of the breach attracted broad criticism.


However, the issue of mandatory notification is not something new. The Australian Law Reform Commission (ALRC) pushed for the introduction of mandatory notification requirements in its 2008 review of Australian privacy law. 

Specific recommendations included the introduction of a mandatory notification system requiring businesses to notify the Privacy Commissioner and affected persons that specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person. The recommendations also included a civil penalty system, to be enforced by the Privacy Commissioner where a business fails to issue a notification. 

When businesses can expect the mandatory requirements to come into effect, and what form these mandatory notification requirements will take, is as yet unclear.

The Government has not stopped there, however. Following renewed interest in mandatory breach notification laws, the Government last week introduced the Cybercrime Legislation Amendment Bill 2011 (Bill) to Parliament. The key changes proposed in the Bill include enhanced investigation procedures granting authorities preservation powers, development of an international network of information for investigating agencies and an increase in the number of cybercrime offences. The Bill brings Australia into line with the Council of Europe Convention on Cybercrime.

With the introduction of mandatory notification rules now seemingly inevitable, and cybercrime laws being strengthened by the legislation proposed last week, businesses that have taken steps to prepare will not only minimise exposure to negative publicity and the risk of resulting liability, but will also be best placed to respond to the likely introduction of new regulatory frameworks.
