There has been a marked shift in perception of cyber security events, with organisations who are subject to a breach no longer being seen as a “victim” of a hacking crime, but delinquent actors who did not take proper steps to secure their assets. Consequently, cyber security is not just an IT issue, but one which must be centrally managed and governed by organisations and their boards.
In an increasingly inter-connected world, businesses are collecting, using and exploiting vast amounts of data. New uses for data are imagined or implemented on a daily basis. IT systems are becoming more distributed, and data is stored and processed both in-house and externally in a range of environments, on-shore, offshore and in the cloud.
Cyber security and privacy breaches are potentially front-page events, which affect not only legal obligations, but also a business’ brand, reputation and (potentially) share price. Businesses have to navigate a myriad of legislative and contractual obligations which govern their handling and use of data, collected about increasingly sophisticated and privacy-aware consumers, and with increasing scrutiny by regulators.
Significantly, the rigour which organisations in the US are required to place on governance of cyber security risk is being pushed into Australia by regulators and the government. This can be seen in recent moves by the Federal Government to announce mandatory privacy breach notification legislation and ASIC’s recent cyber resilience “Health Check” report, which in part adopts the US National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity. Cyber security issues have never been more important.
G+T's cyber security work covers the life-cycle of cyber-security risk:
Click here to view image.
Planning for and dealing with cyber security breaches requires a multi-disciplinary team with deep technology and data protection expertise:
- privacy and data: our privacy and data team understands that privacy compliance does not start and end with the preparation of a privacy or cyber security policy, but that an organisation’s handling of personal information and sensitive data must reflect privacy and security-by-design;
- regulatory: our regulatory and corporate teams are accustomed to dealing with regulators that have an interest in, and may need to be notified in relation to, cybersecurity issues, including the OAIC, ASIC and APRA;
- litigation: our litigation group includes a dedicated team of over 25 lawyers who focus on protecting data and commercially sensitive information. Over the last decade we have run some of the country’s most high profile disputes in relation to IP and commercially sensitive information, and routinely work with IT forensic providers to investigate and respond to cyber security breaches; and
- technology: we have one of the largest dedicated technology legal teams in Australia. Our team understands technology and risk, and works with our clients to focus on key issues in a complex and fast-moving technology landscape.
We have more than a decade of experience in conducting and managing the investigation of online data breaches and computer hacking in a range of industry sectors including retailing, financial services, entertainment and ICT.
Much of our investigation and enforcement work is confidential for obvious reasons. Examples of our recent experience includes:
- Investigation of code hacking of entertainment products giving unauthorised access and control over remote computer systems, including gathering and analysis of forensic information, preparation and execution of a strategy to confront the suspect, and securing a result to minimise further unauthorised and hacking behaviour. The suspect was subsequently turned into an informant.
- Investigation of international hacking ring via a major participant in Australia, including analysis of data locating suspect, preparation and execution of a plan for direct contact, management and resolution of the claim to achieve result, and capturing of data as evidence concerning remote assets used by accomplices.
- Assisting a large Australian corporate to respond to a major security incident by its IT outsourcer, including analysis of contractual obligations and legal claims, and negotiation and documentation of monetary and non-monetary settlements.
- Working with a major electronics manufacturer to identify a computer network hacker, and liaising with the state police force and arranging surveillance on the suspect.
- Investigating the use of Trojan and tunnelling software by a rival business to extract critical information through unauthorised access to a client computer system, including filing of legal proceedings to obtain disclosure of information by way of preliminary discovery and resolution of unauthorised access claim.
- Working with IT forensic investigators and lawyers in the U.S and Austria to identify a syndicate responsible for developing tools that were designed to circumvent copy control software. Using Australian Court processes to obtain orders in the Federal Court of Australia to obtain the contact details of the people using those IP addresses and for the purposes of executing search orders at their homes.