Jones Day has recently established a standalone cyber security, privacy and data protection practice group, with partners in the US and in Europe solely dedicated to this area.
While Jones Day partner Adam Salter isn’t aware of any dedicated cyber security practices at other law firms in Australia, he believes that will change.
“The practice area is evolving quickly at the moment,” Mr Salter told Lawyers Weekly.
“I think there will be a need for more of this type of advice and I think there will be the development of standalone practices.”
For a long time, privacy law in Australia has been focused on the Australian Privacy Principles and their predecessor, the National Privacy Principles, meaning a lot of legal work around privacy was relatively simple, according to Mr Salter.
“I think it’s fair to say because the legislation was ‘lighter touch’ in past years, it wasn't as serious an issue for clients as what it is now,” he said.
“With the development of technology and the enhanced use of technology in all manners of business, and the concerns about hacking of personal information, cyber security is becoming much more of an issue with clients who are concerned about liability, not only to end-user consumers but also in the context of breaching contracts with customers.”
For instance, when negotiating supply contracts with major customers like banks, utilities or telecommunications companies, such contracts now impose significant obligations and supporting (often uncapped) indemnification for privacy-related obligations, according to Mr Salter.
“It’s now not just a matter of clients being concerned about fines or penalties being imposed on them by the privacy regulator, but also falling foul of contractual obligations.”
In the US this is leading to more significant litigation: not just class action litigation led by consumers, but also business-to-business litigation for failing to comply with these obligations.
This means cyber security work is no longer just a matter of advice about privacy principles and drafting policies, but also about defending against, and seeking to avoid, litigation.
“The thing that hasn't really hit Australia – it has certainly hit the US and I think it will come here – is the litigation arising out of data breaches, and the reason for that is there will now be a trigger for people to put their hands up and say, 'We have had a serious data breach',” he said.
“I wouldn’t be surprised if plaintiff class action law firms upskill in this area very quickly, because I think they will see it’s fertile ground for the class action litigation, not only for consumers but potentially for franchisees, and so firms will inevitably get work defending that litigation.”
Another factor that may contribute to the increase in cyber security-related work is the introduction of mandatory data breach notification legislation in Australia.
“As I understand it, 47 out of the 50 jurisdictions in the United States already have such legislation, as does Europe, so Australia is well behind in that regard,” Mr Salter said.
“There have been several attempts at introducing the legislation and it's been a bit of a political football, but there now appears to be bipartisan support.”
Mr Salter said the reason this is so important is that the previous guidelines about breach notification and remedial actions arising out of a breach were not mandatory.
“If the bill passes, Australian businesses must report serious data breaches to affected individuals and the Information Commissioner. There will be accompanying fines and penalties for failing to comply and, as with all other forms of compliance, once there's a nasty stick that goes with non-compliance, in-house compliance departments then spend a lot of time addressing it,” he said.
“This is very much at the top of the worry list for directors and for compliance officers at our clients.”