Why robust cross-border cyber and privacy capabilities are essential

Enabled by technology and liberalising trade agreements, more businesses are expanding their global presence, opening doors for unprecedented growth and innovation. However, this remarkable reach simultaneously presents new risks, particularly when it comes to navigating data storage, individual’s privacy and cybersecurity.

The escalating risk posed by ransomware or malware attack, often perpetrated by international criminal networks, has thrust the issue of coordinating a multi-jurisdictional cyber breach response into the spotlight. 

Co-ordinating a Cyber Breach Response Across Jurisdictions

Amid a data breach, time is of the essence to ensure business continuity and security and businesses must simultaneously tackle both the cyber threat itself and the intricacies of managing diverse legal and regulatory environments.

The logistical challenges of juggling time-zones, resources and language barriers are substantial, but even more difficult is navigating and satisfying the complexities of divergent privacy regulations between regions. While UK and European businesses operate under stringent General Data Protection Regulation (GDPR) requirements, a new landscape of privacy and cybersecurity regulation is still evolving in Australia and New Zealand.

Even between Australia and our trans-Tasman neighbour, there are some important differences between our approaches to privacy regulation that organisations need to be aware of.  For example, while Australia has strengthened sanctions for non-compliance with privacy standards, New Zealand’s penalties are insignificant by comparison. But New Zealand has a tort for invasion of privacy, while Australia is still considering amending the Privacy Act 1988 to cater for such a common law duty.

Following the much-publicised Medibank, Optus and Latitude breaches, Australian organisations are operating in a context where public demand for data privacy frequently surpasses the legal frameworks in place.  These breaches may not fall within a single state or country. Take Latitude where millions of individuals’ sensitive data was impacted in Australia, but the scale of the impact on New Zealand was even larger due to a subsidiary having much broader reach in the community (1 on 5 New Zealanders). 

Regulators are stepping in to fill the void, tightening enforcement against organisations that breach their cyber security and privacy obligations. While the focus has been on large scale breaches, Australian Securities and Investments Commission (ASIC) recently confirmed it will actively examine cases of cyber incidents where directors and executives failed to take reasonable cyber resilience strategies, or properly invest in or mitigate the known and likely cyber risks to their organisation.

Given recent breaches and Australia’s landmark decision ASIC v RI Advice Group Pty Ltd in 2022, ASIC’s announcement isn’t surprising. In that case, the Federal Court accepted that organisations have a duty to take reasonable steps to mitigate cyber threats. RI Advice Group, despite taking steps to manage ongoing cyber incidents, failed due to inadequate documentation and controls, breaching the Corporations Act 2001 (Cth).

Looking back at the development of jurisprudence and legislation around data protection and cyber breach across Asia Pacific, this decision will almost certainly extend to directors and officers of all companies, small or large, who have a legal obligation to discharge their duties with reasonable care and diligence, and cyber risk mitigation and cyber resilience are an integral plank in business continuity programs. 

An evolving challenge

Constant monitoring of global privacy framework developments is required to keep pace with cross-border privacy and cybersecurity landscape. For example, with news that the Commonwealth government has committed to 38 of the 116 proposed changes to the Privacy Act 1988, organisations doing business in / with Australia will likely need to respond to enhanced privacy requirements soon.

Four of the most significant changes anticipated soon are: work to end the small business exemption and force compliance with the Privacy Act 1988; 72-hour notification of data breaches; implementing a tort of privacy; and enabling class actions in privacy

Similarly, new privacy legislation remains dynamic in New Zealand, where the Privacy Act Amendment Bill is in motion, bringing New Zealand’s data collection rules closer in line with GDPR obligations, but the Consumer Data Right Bill remains in draft form, possibly to be introduced in 2024.

Tech support is not the answer

Privacy and cyber risk are business issues, not singularly a CTO/IT problem. Given the very real and costly risks, it’s imperative to develop and deploy governance and privacy strategies that minimise cyber peril ahead of time.

And should the worst happen, be mindful that a full incident response is complex and generally best serviced by a single firm, providing continuity, and saving on time and money.

Look to identify a specialist legal partner in advance who can provide comprehensive advice to build robust governance, security and privacy frameworks, and has capability to deliver full incident response support across those jurisdictions where you hold customer data, including:

• Coordination of the remediation processes.
• Act as the response interface for regulatory notification requirements.
• Liaison with enforcement authorities (domestic or global).
• Deliver reporting to boards, investors or other key business stakeholders.
• Provide crisis communication.
• Conduct post-incident reviews and advice on improvements.

In some cases, there will also be need for IT forensic support and multivendor assistance for ransom negotiators.

Take away advice

• GDPR continues to set the gold-standard in privacy and cyber frameworks. If your business is dealing with multiple jurisdictions including UK or European customers (or have EU or UK operations), align privacy provisions with GDPR regime to drive enterprise-wide standardisation and meet / over-service the regulatory requirements set by other jurisdictions.
• It is a truism that it is not a case of if but when a data breach will happen; develop and deploy privacy and cyber strategies that minimise cyber perils well in advance. They will stand you in good stead when there is scrutiny from customers, regulators, media and other stakeholders.
• Time is money and response times are critical during a cyber incident to ensure business continuity and security.  Having a single firm managing a crisis provides continuity and saves time and money.
• Privacy frameworks remain dynamic in Australia and New Zealand. Recent review of the Privacy Acts are likely to introduce new provisions that will tighten requirements on Boards and directors, as well as removing the small business exemption.

Mark Anderson is a privacy and cyber lawyer at Law Squared