The world of cyber and data protection – what you should know

The waves of new technologies are building momentum and showing no signs of slowing down any time soon. 

Now is the time to give cyber security, data protection and privacy the attention they deserve and need.  Technology is bringing a combination of new risks, new variations on old risks and much more aggressive risks.

From its inception we have advised our clients on their obligations under the Privacy Act 1988 (Cth) (Act) and the need to identify and protect their data.

We have been at the forefront of helping our clients engage in commerce and conduct their businesses in an ever changing digital world. 

And we can assist our clients in managing the risk associated with cyber crime, and the fallout should our clients be affected.

We are now developing our expertise in the new areas of digital commerce, from the increasing use of blockchain technology in commercial applications to new forms of fundraising.

The Cyber and Data Protection Practice Group has been established, so that we can continue to provide our clients from all industry sectors with the services they need.

Data protection and privacy

The amount of data held by organisations continues to increase.  The risk of a data breach, and the effect of a data breach, are also increasing.

If your organisation has an annual turnover (not profit) of $3 million or more, you will likely be subject to the Act and its related laws.

The Act was amended in 2014 to bring it into the electronic world.  Further amendments relating to mandatory reporting of data breaches come into effect in February 2018.

Our experience is that many organisations are still blissfully unaware of their obligations under the Act, and have made little or no effort to comply with it. 

Under the Act, you are currently required to have a privacy policy as well as have means in place to deal with compliance and issues that might arise under the Act.

Under the forthcoming amendment to the Privacy Act (effective from February 2018), your obligations will become more onerous – organisations will also be required to:

  • have a data breach response plan.
  • disclose significant data breaches both to the individuals who are the subject of the breach and the Office of the Australian Information Commissioner. 

Even if you are currently complying with the requirements under the Act, chances are, like most organisations, you may not yet have the internal policies in place to be ready to comply with these new obligations.  We have seen too many organisations that fail to comply with these requirements suffer the consequences, both in the form of penalties and disruption to their business.

Cyber security

It is hard to miss the increased number of incidents of malicious activity against computer networks or systems, which have disrupted businesses in Australia and all over the world and have had significant media coverage.  In the US recently a breach at a credit reporting agency compromised the personal information of nearly 150 million people, resulting in investigations by the regulatory agencies and the departure of both its CIO and CSO.

Disruptions can range from a breach of customers’ data to a total denial of service resulting in a shutdown of operations.

Prevention and making sure your organisation is cyber resilient is important.  Recent events have shown, however, that no organisation is immune from cyber attacks.

Internal governance

It is in your best interests and your organisation’s best practice to confront these very real threats, and have strategies in place to deal with any cyber attacks or data breaches.

Even if compliance with the Privacy Act is not your primary concern, do not underestimate the potential reputational damage a cyber attack can have on your business.

You should also be asking yourself the following questions:

  • Do you have a proper understanding of cyber risks, to ensure you can ameliorate the risk of loss?
  • What are your most important digital assets, which require protection?
  • What HR policies does your organisation have to mitigate the risk of a cyber attack occurring, for example, through regulating staff members’ use of external USBs?
  • What arrangements does your organisation have for the storing of data externally, such as in the cloud?
  • How do your organisation’s contractual agreements allocate obligations for the protection of data and for the distribution of risk and liability, for example, do your contracts address which party should bear the loss in the event of a cyber attack or data breach?

Significant organisations in Australia and elsewhere, who would consider that they have very good security, have been the subject of successful attacks.

If you are concerned about the sufficiency of your internal governance on the use of technology, data protection, or compliance with the Privacy Act, we have the expertise and experience to advise you in relation to all aspects of these issues.

Digital commerce and distributed ledger technology: the blockchain

At Lavan we are ever vigilant in keeping up to date in the changing world of digital commerce.

We have been following trends in cryptocurrency since 2014, when few had even heard of Bitcoin.

We are monitoring the application of blockchain technology in commercial applications, and its use in fundraising.  We are excited and enthusiastic about the next wave of innovators.

At Lavan we have the experience, the knowledge and the capability to help you with your legal needs in an ever changing digital landscape.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.