Cyber security litigation predictions

2018 Litigation Forecast

Getting on with business while the regulatory landscape catches up

Cyber threats to business escalated around the world in 2017. Ransomware attacks, such as NotPetya, Bad Rabbit and WannaCry, disrupted businesses worldwide. High-profile data breaches made global headlines, including the Equifax breach, which exposed the personal information of almost half the population of the United States. The costs of cybercrime continued to climb as defending against and responding to cyberattacks became an accepted and critical component of business operations.

The scene is being set by changing legislative and regulatory regimes in Australia and Europe

Against the backdrop of the evolving and ever-present cybercrime threat, international statutory and regulatory regimes governing data storage and security continue to be updated. Australia’s Privacy Amendment (Notifiable Data Breaches) Act 2016 will take effect in 2018 and requires entities regulated under the Privacy Act to notify the Australian Information Commissioner and affected individuals of any eligible data breach. This mirrors the European Union’s General Data Protection Regulation, which contains a mandatory breach disclosure provision and will take effect on 25 May 2018 following the culmination of a two-year transition period.

Whether the disclosures required will result in follow-on litigation (such as individual or class-action claims for negligence, breach of contract, breach of privacy, or derivative shareholder litigation) remains to be seen. However, this has been the experience in the United States where similar disclosures are already required.

New Zealand’s data and cyber security framework awaiting reform

In New Zealand, the legislative and regulatory hiatus over reform of data and cyber security continues, but there are signs that change is on the horizon. Currently New Zealand does not mandate disclosures of data breaches, but the Law Commission’s long-standing recommendations for amending the Privacy Act include mandatory reporting of privacy breaches, as well as stronger powers for the Privacy Commissioner, new offences and increased fines (these recommendations having been on hold since 2011).

The new Government has stated that the stalled privacy reforms have put New Zealand behind the rest of the world. Labour has committed to implementing most of the Law Commission proposals to strengthen consumer protections, and the Greens and New Zealand First have expressed similar sentiments. Alongside a change of Government, we expect implementation of the Privacy Amendments across the Tasman will give renewed impetus to developing New Zealand’s policy and updating the 2011 reform recommendations.

Focus on “breach coaches” looks set to continue – with a positive impact on breach response and recovery

In the past year we have seen insurers take on an increasingly active role in assisting organisations to respond proactively to cyber events, including adopting the “cyber breach coach” model.

In 2018 we expect to see a strong push towards such pre-planning of incident response, with more organisations being encouraged to utilise “breach coaches” (usually crisis management and/or legal experts), who can quickly and easily engage pre-committed data forensic, PR and other experts as needed upon discovery of a cyber-incident. In the case of a data breach, this strategy can help reduce the harm from potential or actual disclosures of customer or employee personal information, or a company’s confidential and commercially sensitive material.

There are already signs that this approach may be reducing the role of litigation in resolving post-incident disputes in this country, particularly disputes over the adequacy of an organisation’s response to cyber breaches.

Cyber security planning makes commercial sense

Regardless of whether or when new legislation is introduced, New Zealand organisations are well served by ensuring they have their own policies and practices in place to assess, identify, manage and respond to cyber threats. Given the risks, the business case for developing and implementing a robust cyber plan is a straightforward one. If your organisation has yet to put a cyber-readiness plan in place, MinterEllisonRuddWatts’ cyber security toolkit can help you get started.

Duty to disclose a data breach?

If your organisation suffers a data breach, it may have a contractual or other obligation to disclose that a breach has occurred, depending on the nature of your business and the characteristics of the breach (and may have a strong business reason for disclosure in any event). Consider:

  • Privacy Act implications of the breach
  • Contractual obligations with suppliers and other third parties
  • Whether a cyber-insurance policy is triggered
  • Whether you have any regulatory risk reporting obligations
  • Extra-jurisdictional requirements: if your company does business offshore, are disclosure obligations triggered, e.g. under the General Data Protection Regulation or Australia’s Privacy Amendment (Notifiable Data Breaches) Act 2016?
  • Communications strategy for notifying affected parties and addressing media inquiries, if applicable.
