Insurance lawyers are preparing for a year of more client adoption of cyber insurance, as organisations face up to a potentially 'catastrophic' risk
Brisbane-based Minter Ellison special counsel Leah Mooney told NZ Lawyer's sister publication that clients really began to pay attention to cyber risk during 2014.
The case that really heightened market awareness of the issue hit in 2013, when Target in the US was hit by a phishing scam masterminded by Russian hackers, exposing the credit and debit card data of 40 million customers and the personal data of up to 70 million customers.
“The reason that made everyone sit up and take notice was because the scale of the hacking was so large,” Mooney explained.
“Also, Target had taken steps to recognise there was a risk of cyber attack and had systems in place to protect its data – in the end, they weren’t followed to the letter when the incident occurred.”
With repercussions including class action lawsuits, hundreds of redundancies and the resignation of its CEO and chairman, the Target case showed in detail the tangible risks of cyber attacks.
It was followed by the same hackers targeting US hardware chain Home Depot, while the recent Sony hacking scandal – revealing publicly embarrassing emails – gripped the public in late 2014.
Mooney said not only were C-suite executives and corporations taking notice of high profile incidents such as these, but insurers were also following through with relevant products.
“Last year insurers as a large group started to offer cyber insurance to the Australian market, following the US and UK markets,” she said.
Mooney said the approach of the local market this year - and the legal work flowing through to lawyers - would depend on how prominent hacking became in the local consciousness.
“It’s really going to depend on whether attacks on the scale of the US will start taking place in Australia,” she said. “We know corporates are sitting up and taking notice and are starting to acquire specialty cyber insurance, but from a claims point of view it will depend on if there are attacks and that starts filtering through into claims,” she said.
Mooney expects corporates to continue to seek the advice of insurance brokers, accountants and lawyers as part of risk exposure reviews, meaning most legal work will likely be front-end.
Lawyers will also have to advise clients on the local policy and regulatory response. To date, this has included an update to the National Plan to Combat Cybercrime in 2013, and amendments to the Privacy Act, which is designed to protect individual personal information.
Mooney said while the current privacy regime does not contain a mandatory obligation for companies to disclose cyber attacks to customers – which is at the heart of the debate over the Privacy Amendment (Privacy Alerts) Bill 2014 currently before the Senate – the Privacy Commissioner has published a Guide to Handling Security Breaches that will ensure companies need to look at their reporting approach - or face a public shaming.
“It [the Guide] recommends that affected individuals and the Commissioner be notified if there is a real risk of serious harm as a result of a cyber breach,” Mooney said.
“The Guide is not a legislative instrument and therefore compliance is not compulsory. Having said that, non-compliance with the Guide is likely to be a key issue in 2015 as companies that fail to notify affected individuals are increasingly facing criticism in the media.”
Clients will need to keep abreast of a discussion paper from the Australian Law Reform Commission published in June last year that recommended the design of a statutory cause of action for serious invasions of privacy, which currently does not exist under common law.
Mooney warned clients that the overall impacts of cyber hacks were potentially ‘catastrophic’, and that corporates shouldn’t assume they are covered by the wording in traditional insurance policies which had often been designed to protect risks to tangible property.