The first port of call following a data breach should be a specialist lawyer who can coordinate a response under the protection of legal professional privilege, one insurance partner says.
Norton Rose Fulbright, which is currently acting for Ashley Madison in a minor capacity in the US, held a seminar on the role of ‘data breach coaches’ in Sydney last week.
“Ashley Madison put this whole thing on the map – nothing like a bit of titillation to get people interested,” NRF partner Tricia Hobson told Lawyers Weekly.
A ‘data breach coach’ is a lawyer who acts like a project manager to organise the immediate response when data is stolen from a client, she said.
“If a company suffers a breach they pick up the phone, ring the data breach coach and that lawyer knows exactly what to do to try to contain the damage for that company.”
The lawyer will contact the relevant vendors that can help “contain the fallout from the breach as quickly as possible”.
“Now that will include […] the people who can get into the system at the company and check whether or not the breach is live (i.e. is the hacker still in the system?).
“They will assess what kind of damage has been done, what sort of data has been compromised and they will look at ways to deal with that and to fix the problem.”
The designated lawyer or legal team also deal with the PR elements at play and help the client handle the media and concerned customers.
“They're a hand holder for the company,” Ms Hobson explained.
Cyberattacks often deal a double blow to clients: there is the first-party loss to the company itself and then there is the potential litigation against the company by customers.
“One of the reasons it is important to be a lawyer is because we can cloak what we do in legal professional privilege,” said Ms Hobson.
“If you are going to get sued […] you want everything you do [after] you discover the breach to be protected by legal professional privilege.”
You've been hacked! Who ya gonna call?
The concept of a data breach coach is relatively new to Australia, but is quite popular in the US and UK.
One of the reasons is that Australia does not yet have mandatory data breach disclosure requirements (although the federal government has indicated that it will introduce new notification laws by the end of 2015).
“Most companies are being hacked all the time,” said Ms Hobson. “In Australia we haven't [seen] too many yet because we don't have mandatory breach requirements, but that doesn't mean it is not happening – it is.
“There are two sorts of companies – those who have been hacked and those who will be hacked and there is no one who doesn't fall within that subset.”
NRF’s team in Australia has been drawing on knowledge from their colleagues overseas to introduce the concept of a data breach coach to insurers and clients.
Ms Hobson said that other firms are behind the eight ball when it comes to this kind of service.
“Some are saying that they can do it, [but] they are starting from scratch here because they don't have US and UK colleagues to draw on,” she said.
The NRF insurance team is a finalist for the Australian Law Awards Insurance Team of the Year award. Other finalists include Hall & Wilcox, Holman Webb, Lander & Rogers Lawyers, Meridian Lawyers, Saltwater Insurance Consultants, TurksLegal and Wotton + Kearney.
The Australian Law Awards will be presented at The Westin Sydney on 17 September.