In this episode, Andrew Horne, a Partner in the Auckland litigation team, and Senior Solicitor Joy Guo discuss the practical steps businesses can take to prevent and respond to a cyber breach. Andrew and Joy set out best practice guidelines for directors and boards on managing cyber risks, and key considerations that should form part of a cyber response plan. They also provide some top tips on how to protect privilege following a cyber breach incident, drawing on key lessons from a recent decision from the Optus class action in Australia.
[00:00:59:08 - 00:02:26:10] Andrew and Joy start off with talking about the increasing cyber security risks facing businesses and the potential impacts. Joy talks about recent cases in New Zealand and Australia that have resulted in litigation and regulatory investigations.
[00:02:50:12 - 00:03:51:01] Andrew and Joy gives some top tips drawn from guidance issued by the Institute of Directors New Zealand and the Australian Securities and Investments Commission on managing cyber risks.
Links to guidance and resources from the Institute of Directors and the Australian Securities and Investments Commission are set out here and here.
[00:03:51:03 - 00:04:34:11] The pair then discuss the key considerations for boards and directors including the need to establish a cybersecurity strategy.
[00:05:30:07 - 00:06:30:06] Andrew and Joy talk about managing cyber risks. They talk about the need to establish an enterprise-wide cyber risk management framework, regularly update cybersecurity measures and infrastructure, and manage third-party risks through due diligence and contract terms.
[00:06:59:17 - 00:08:36:13] Andrew and Joy talk about how to effectively respond to cyber incidents. They emphasise the need to ensure a comprehensive cyber and data breach response plan is in place. They also refer to the Privacy Commissioner's guidelines on dealing with a privacy breach and well as our own podcast episode Tech Suite: How to manage a data breach: Plan Assess, Notify with Richard Wells and Suzy McMillan
[00:11:04:11 - 00:13:25:11] Joy gives an overview of the Optus class action and the recent Federal Court of Australia decision on legal professional privilege. Andrew and Joy explains the key differences in the law governing legal professional privilege in New Zealand and Australia, and offers some top tips on protecting privilege following a cyber incident.
[00:16:00:24 - 00:17:02:09] Lastly, Andrew gives practical advice to prepare for cyber incidents. He says boards should consider legal professional privilege before commissioning reports and highlights the importance of demonstrating the dominant purpose for privilege.
Information in this episode is accurate as at the date of recording, 09 February 2024.
Please get in touch to receive an episode transcript. Please don’t forget to rate, review or follow MinterEllisonRuddWatts wherever you get your podcasts. You can also sign up to receive litigation updates via your inbox here.
Please contact Andrew Horne, Joy Guo or our Litigation team if you need legal advice and guidance on any of the topics discussed in the episode.
You can read our full Litigation Forecast 2024 article on “Cyber risk and litigation – some guidelines for directors and boards” here.
