Governance: The bored board that learned to care

By EJ Wise


Digital technology is integral to the practice of law. Lawyers have a responsibility to themselves as users of technology and to their clients who use technology.

Snapshot
  • What is visible accountability and what should legal practitioners advising boards know about cyber security? 
  • Does it present any kind of unusual risk and are there associated aspects of legal advice that should raise a red flag?
  • Clients and boards need to have awareness of cyber risk. Understand your own digital footprint and stay clear of cybercrime. Be a better advocate.

Legal practitioners face myriad responsibilities to their clients and, regardless of the practitioners’ area of practice, there are now responsibilities arising to themselves as users of technology in their practice and to their clients because, increasingly, the norm for our clients is that they are dependent on digital technology to do business.

Causing a cyber scene

We begin with a well-established and well-run board of a high-profile company listed on the ASX. The board relied on each other and its executive for concise, responsive and full reporting. When it came to the monthly information technology update there were no surprises. In fact, the update made for a boring read – each month it showed the same green circle indicating 100 per cent functionality and no areas of concern.

While looking out the window drinking morning coffee, the CEO received a distressed message from her executive assistant, who was unable to open any of the computers in the office and had earlier received an unexpected email on the mobile phone. The CEO asked which button the executive assistant had pressed and whether the IT service desk had been called. After missing the morning’s work and meetings (no access to the online calendar), the CEO had a discussion with the company’s general counsel.

When and what to advise

For legal practitioners (not only those who advise boards) the question is not what areas of practice cyber affects but rather what areas of practice it does not affect. Digital technology is integral to the contemporary practice of law. While on the one hand the relevant legal practitioner may be advising on intellectual property, family law, succession law, corporations law, insurance law and so forth, the legal practitioner simultaneously faces their own cyber security risks, both personally and in a professional capacity. Does the legal practitioner owe some duty of care to their client to speak about cyber risk? If so, given it might not be their area of specialty, what amount of advice discharges such a duty?

Whether you are the in-house general counsel, insurance lawyer, contracted legal adviser or a trusted law firm partner to the corporation in the scenario above, are you prepared and able to answer the urgent questions from the CEO? In answering the questions, are you complying with the urgings of the Legal Practitioners’ Liability Committee (LPLC) to “stay within your lane” when providing legal advice: “Not every client is the right client for you, and it’s both difficult and dangerous to take work you are not experienced in or set up to do”.1

The frequent breaches and well publicised failures across government and the private sector have shown a frightening lack of awareness at board level of the responsibilities regarding cyber governance, risk and compliance. Where a board that you are advising is not yet aware of its responsibilities in relation to cyber, it is likely that it is part of your duty of care to board members as their legal adviser to at least recommend that they accept that cyber risk forms a part of their individual and collective duty on the board and must be addressed. You may need to actively make inquiries of the board in this regard.

A board that has commenced its journey into understanding its cyber risk responsibilities (sadly, often as a consequence of a scenario such as that above – following a ransomware, business email compromise or other cyber crime experience) will rely on the legal advice it receives in relation to cyber security. In responding to a request for cyber specific legal advice, the qualifications and experience that a legal practitioner needs will go beyond mainstream areas of legal practice.

What is ransomware

Life in the law has moved along with technology and in technology. Australia has not (yet) followed other international jurisdictions in making the payment of ransom demands illegal, yet payment of a ransom may not only fail to restore the hijacked technology it may contravene other laws. “Prima facie it is unlawful to pay a ransom to a terrorist organisation or an organisation proscribed by UN sanction.”2

The legal advice to a company or other entity on this matter would at a minimum need to consider obligations under the:

  • Criminal Code Act 1995 (Cth) ss102.1(a), 102.7, 103.2(1) and Division 400 provisions (“instrument” of crime, money laundering, terrorism)
  • Charter of the United Nations Act 1945 – International Convention for the Suppression of the Financing of Terrorism, 9 December 1999 (resolution 54/109) 
  • Corporations Act 2001 (Cth) ss180, 912A and Part F2.1
  • Competition and Consumer Act 2010 (Cth).

“Home Affairs secretary Mike Pezzullo has confirmed the government is considering a mandatory reporting regime for businesses that pay ransoms to cyber criminals.”3

Ransomware attacks are estimated to have cost the Australian economy $1.4 billion in 2020.4

Board responsibilities

Tesla chair Robyn Denholm says it is important for all directors to assume responsibility for cybersecurity, not just those with a technology background:

“To me, there are two types of companies, those that have been penetrated by cyber-attacks, and those that don’t know that they have been, and there isn’t anybody out there that hasn’t been exposed to cyber threats in one form or another.”5

Boards should ask management the following questions about cyber security, Denholm says.

  • What’s going on in my company from a cyber security perspective?
  • What is the cyber security strategy?
  • What is that strategy in a disaster?
  • What’s the communication throughout the organisation of the importance of cyber hygiene?
  • What is the reporting coming back to the board?

In the short term, the two words “visible accountability” should apply to every director. “If you don’t know who’s doing it [overseeing cyber security] and you don’t know whether they are, whether you’re doing it or the company is doing it, answer that question first. And after that, find out how regularly you get information to keep you updated on where things are at.”6

Damien Manuel, director of the Centre for Cyber Security Research and Innovation at Deakin University and chair of the Australian Information Security Association, said that “protecting an organisation from cyber risks is everyone’s role in an entity – we all have a part to play. Improving cyber security is also a journey which requires building and maintaining the right culture, adapting business processes to address digital risks and applying the right level of controls, commensurate with the threats businesses face”.7

At risk

Having boards understand their risks and advising on means to assess and address those risks is not novel and is well within the experience and ability of most legal practitioners. Cyber security as a risk came along well after the broadscale adoption of technology within corporations and has risen exponentially as complexity and dependence on technology have grown. We might liken this to the advent of the motor vehicle. It initially had few safety features, which meant that, given the low numbers of such vehicles on the road, their limited ability to travel at speed and the low number of passengers, risk was relatively low and acceptable. As motor vehicles and their engines increased in size and power, more requirements became apparent, such as better braking mechanisms, shock absorption and eventually seatbelts. These changes did not fundamentally affect the nature of driving in and living alongside motor vehicles. Public pressure combined with public policy meant that eventually laws and enforcement measures affected even the most reticent user, and seatbelts are barely mentioned as an imposition in our lives.

Companies that don’t actively adopt technology are nonetheless affected by it whether through digital payrolls, banking or requirements by governments. Where is the cyber seatbelt for business (or law) and what does it look like? How and when should a company use it and what happens when they do not? What are the consequences? It is a work in progress but it is highly unlikely we will reach an end state as we did with workplace health and safety or indeed motor vehicles.

What we can say as legal practitioners is that a considered approach is necessary. We are not operating in a vacuum. Litigation regarding cybercrime around the world is high and case law is developing rapidly. Our federal and state governments are grappling to create legislation and policy that approaches the right balance between enforceability and relevance.

“Most businesses use the internet at some point to buy, sell or communicate about their services or functions. Setting your business up to securely manage activities online can make a significant difference in reducing the likelihood of common cyber threats impacting your money, data and reputation.”8 The Australian Cyber Security Centre recommends the use of the essential eight prioritised mitigation strategies, however, the means to understand and properly implement those recommendations can be understandably challenging to the typical board member:

  • application control
  • patch applications
  • configure Microsoft Office macro settings
  • user application hardening
  • restrict administration privileges
  • patch operating systems
  • multi factor authentication
  • daily back-ups.9

What may be more relatable for boards is a risk mitigation strategy. This is routinely done for other aspects of the business. It is necessary to first understand the risk in order to address and mitigate it. Where a board does not know what it owns from a technology and cyber perspective, how it is distributed and by whom it is managed, it is likely that when a cyber crime occurs the resolution will be more complex and possibly incomplete. Know your assets and who controls them.

A board, in addition to its legislated responsibilities,10 owes the company a duty of care and it is each board member’s individual responsibility to understand this duty and properly discharge it. As legal practitioners we are in the position of both being trusted to provide good advice and knowing that we cannot possibly know or provide quality advice in all areas of the law. You may advise the board of its need to have awareness of its cyber risk(s), therefore discharging your duty of care to it, but defer providing detailed cyber law advice to those legal practitioners experienced and qualified to do so: “It’s not in a firm’s best interest to take on a wide range of work – particularly if it is outside the firm’s area of expertise or experience.”11

Is good cyber insurance the answer for a board

Unlike other more traditional risk matters, insurance against cyber risk does not equal adequate risk consideration, mitigation or assignment. Many cyber insurance policies limit or deny claims which result from social engineering and the delicate art of computing forensics done post breach doesn’t always clearly determine the exact point of entry of the cyber criminal. Indeed, the more sophisticated and experienced the criminal and/or their toolkit, the more likely the exact means of compromise will remain a mystery and in that inconclusive mire many insurance claims are thwarted and breach notifications (under, for example, the Notifiable Data Breach Scheme) complicated.12

Where to turn

Approach an experienced cyber security legal practitioner for specific cyber law advice. If you want to learn more or your firm is looking to include cyber security into its practice portfolio, treat it as you would any other discrete area of practice and ensure that you are taking up this new area of practice deliberately and responsibly.

An example of what a cyber security law firm provides to clients that cannot be provided by a cyber security (non-law) firm is the protection of the solicitor-client relationship itself. In the United States, the Capital One (bank) breach led to a class action in which the plaintiffs were granted permission by the court to access the forensic analysis of the breach that had led to the compromise of their personal information. Capital One argued that the forensic report was a confidential communication between the client (Capital One) and its legal team. However, as the report had been produced before the legal team became involved, by a managed service provider with which the company already had a relationship, the argument failed and the plaintiffs were granted access to the forensic report – any reckless or negligent failures on the company’s part to secure its operations and data were now public information.13

For the majority of legal practitioners (not cyber security specialist legal practitioners), a good habit is providing clients with the LPLC’s “Cyber security – how to protect yourself - client brochure”.14 It is clearly within the remit of your relationship with the client and is a useful addition to all client engagement going forward. Providing boards or other clients with specific cyber security legal advice without the necessary expertise is a risk which on its face may be a poor practice management decision.

Conclusion

Cyber grief: Unfortunately, the company’s failure to understand its cyber responsibilities meant there was no cyber security team to back up data or prevent the ransomware. This meant the company was unable to recover data before it was leaked into the dark web. Ultimately, the company became insolvent due to investor lack of confidence, law suits and the inability to recover its own data. Shareholders are in the process of determining what causes of action they have against board members.15

Advise clients and boards of their need to be aware of their cyber risk(s) and if in doubt seek assistance from qualified and experienced cyber law specialists. Understand your own digital technology footprint, risks and governance as it will help you stay clear of preventable cyber crime and better advise your clients. ■


EJ Wise is principal of Wise Law, a Royal Australian Air Force veteran of 21 years and an internationally recognised expert in cyber law and cyber operations. She is on various boards and committees including the LIV Technology and Innovation Committee and is a university lecturer.

  1. LPLC, “5 practice essentials”, LIJ 95(5), May 2021, p65.
  2. Bowles, D, “Is it ethical (or legal) for law firms to pay cyber-ransom?”, 8 December 2017, https://www.qls.com.au/getattachment/2ee73b54-fd00-4ad6-882a-54a5b2e88451/doc20171208_is_it_ethical_or_legal_for_law_firms_to_pay_cyber-ransom_final_djb.pdf.
  3. Mason, M, “Business could face mandatory reporting of cyber payouts: Pezzullo.”, AFR, 24 May 2021, https://www.afr.com/technology/business-could-face-mandatory-reporting-of-cyber-payouts-pezzullo-20210524-p57uol.
  4. Note 3 above.
  5. Dempsey, Shelley, “Five cyber-security questions for boards in 2020”, Australian Institute of Company Directors, 21 September 2020, http://aicd.companydirectors.com.au/membership/membership-update/five-cyber-security-questions-for-boards-in-2020.
  6. Note 5 above.
  7. Note 5 above.
  8. Australian Cyber Security Centre, 2021, “Protecting your business online”, https://www.cyber.gov.au/acsc/small-and-medium-businesses/protecting-your-business-online.
  9. Australian Cyber Security Centre, 2017, “Essential Eight Maturity Model”, https://www.cyber.gov.au/sites/default/files/2020-06/PROTECT%20-%20Essential%20Eight%20Maturity%20Model%20%28June%202020%29.pdf.
  10. See for example ss180 or 912A of the Corporations Act 2001 (Cth), the Banking, Executive Accountability Regime, the Financial Accountability Regime, or the APRA CPS234 requirements.
  11. LPLC, 2019 “Engagement/Retainer management: It’s OK to say no when it’s not the right matter for you”, August 2019, https://lplc.com.au/uploads/main/Resources/LPLC-Articles/Engagement-Habit_-Right-Matter.pdf.
  12. For more on cyber insurance please see Wise, EJ, 2020 “Cyber Insurance: Necessity or Nicety”, LIJ 94(4), April 2020, pp36-39.
  13. See In re: Capital One Customer Data Security Breach Litigation, ED Va, No 1:19-md-02915; see also a similar US case where the defendant was compelled to produce: Guo Wengui v Clark Hill, PLC, Civil Action No 19-3195 (JEB) (DDC, 12 January 2021).
  14. LPLC, 2018, “Cyber security – how to protect yourself - client brochure”, 5 Feb 2018, https://lplc.com.au/resources/client-resources/cyber-security-protect-client-brochure.
  15. In November 2020 Levitas Capital was forced to close after a major breach caused by a scam emailed zoom call link: Grigg, A & Whyte, J, “Hacked Sydney hedge fund part of $170m cyber crime spree”, 24 November 2020, https://www.afr.com/companies/financial-services/hacked-sydney-hedge-fund-part-of-170m-cyber-crime-spree-20201123-p56h24. In 2019 the American Medical Collections Agency filed for bankruptcy as parent company to the one breached: Nohe, P, “Breached into Bankruptcy”, 19 June 2019, The SSL Store, https://www.thesslstore.com/blog/amca-files-for-bankruptcy-just-months-after-data-breach/.
