Your 2024 corporate guide to cyber security and data breaches

Key Takeaways

There is little doubt that the protection of personal client data is of utmost importance to any corporation. The data breaches at Optus, Medibank, Latitude and several other high profile organisations, only serve as a stark reminder of the devastating consequences which can occur when data falls into the wrong hands.

The impact on a company’s profits and revenue is one aspect. However, it is invariably the damage to a corporation’s brand and reputation in the marketplace which is of a far greater severity. Clients can lose confidence in an organisation almost overnight, and a reputation which has taken years to foster can be destroyed by one cyber incident — particularly where that incident reaches international headlines. Companies, and the directors behind those organisations, need to ensure that they have appropriate processes and plans in place to deal with all probable scenarios when it comes to the protection of client data — particularly data of a sensitive, confidential or personal nature.

Perhaps one positive aspect to emerge from recent data breaches at high profile players, including Telstra, Telsa and the corporate regulator themselves, is that the reporting of cyberattacks has now increased, ie if anything companies and individuals are now becoming more technically savvy and responsive, which can only be a good thing.

The ACSC, OAIC, ASD and ASIC provide a wealth of information to assist you in understanding your obligations when it comes to data security and privacy.

Refer also to CCH iKnowConnect, our online legal research platform for more information. We have a whole practice area dedicated to Privacy Law. Our content in Company Law and Compliance & Business Law is also highly relevant. We also provide regular news stories on topics such as the Optus data breach and ASIC’s approach to regulating AI which you can access on our legal research platform.

Executive Summary

Welcome to our newly updated 2024 guide to corporate cyber security and data breaches.

We have restructured our guide and are excited to present the following 3 new chapters:

• Chapter 4 — Directors’ duties when it comes to cyber security,
• Chapter 5 — The interaction between cyber security and Artificial Intelligence (AI) — A help or a hinderance?, and
• Chapter 10 — Building a cyber resilient organisation.

There is little doubt that a lot has happened in the cyber security space over the past 2 years. The data breaches at both Optus and Medibank Private (Medibank) in the latter half of 2022, and Latitude Financial (Latitude) in March 2023, demonstrated that both the scale and sophistication of cyber-attacks and data breaches are increasing, not just in Australia, but at an international level. Increased connectivity brings great benefits, but also great risk. As of December 2023, the estimated cost of cyber-attacks on the global economy was expected to top $10.5 trillion. Such sophisticated cyber-attacks are also becoming increasingly harder to detect.

Robert Mueller, former director of the FBI from 2001 to 2013, famously quoted:

“There are only two types of companies: those that have been hacked, and those that will be”.

A data breach at a large organisation can have widespread reverberations not just within Australia, but also on the global stage. For Optus and Medibank, the data breaches in 2022 resulted in the security systems and procedures of 2 of Australia’s largest corporations suddenly and without warning been thrown under the spotlight for all to see. In particular, the leak of personal health information as a result of the Medibank data breach placed thousands of vulnerable Australians at risk, when it comes to everyday “transactions” such as applying for a job, applying for credit or seeking a reference. Latitude suffered a similar fate in March 2023 with millions of private client financial records stolen. The data breach affected over 14 million Latitude customers in both Australia and New Zealand after hackers gained access to Latitude employee login credentials which were then used to pilfer personal data from other, third-party, service providers.

It appears that it is only a matter of time before most organisations fall victim in some form. This is evident from the list of other notable data breaches over the last 2 years, including:

• Telstra — internal data breach blamed on “database misalignment”, exposing thousands of client records — December 2022,
• Service NSW — “technical issue” exposed the data of over 3,000 clients — April 2023,
• PWC — hackers breached a system used by the organisation to transfer sensitive files — June 2023,
• Tesla — 2 ex-employees were the cause of a data breach costing $75K — August 2023,
• HWL Ebsworth — 2.5 million client files compromised — September 2023,
• ASIC — 4 error-caused data breaches over 2 years — reported on in December 2023, and
• The Iconic — funds seized via “credential stuffing”, impacting thousands of customers — January 2024.

The list simply goes on and on. The secondary impacts of such data breaches can be even more significant and may take time to fully materialise. These impacts may include risks to the financial standing and mental health & wellbeing of those individuals who have been targeted as well as reputational damage to the brand of those corporations at fault.

Large organisations in particular, such as Optus, Medibank, Telstra, Tesla and Latitude, also face the very real prospect of class actions against them from clients aggrieved by the breach of their data. This is particularly so, where such breach has led to personal financial loss for the “victims”. It is little wonder that the demand for cyber security products and services is growing. Indeed, Australian’s spent $5.6 billion on cyber security in 2020, with that figure expected to grow to $7.6 billion in 2024. Chapter 12 discusses the latest developments in potential proceedings against Optus, Medibank and Latitude.

Whilst the Optus, Medibank and Latitude breaches were significant, the truth is that companies lose data all the time, as is evident from the list above, with such big players as Tesla, PWC, Telstra and even the corporate regulator themselves, the Australian Securities and Investments Commission (ASIC), falling victim.

Hence, there is little doubt that Australia is now, more than ever, heavily invested in cyber security. The government is investing $100 million in a digital skills package, via the Digital Economy Strategy 2030, which includes an expansion of the Cyber Security Skills Partnership Innovation Fund. This is coupled with an unprecedented investment of $9.9 billion over 10 years in Australia’s national intelligence and cyber capabilities.

The following guide takes you through the topic of cyber security and data breaches, and the importance of vigilance when it comes to protecting privacy and securing client data, in particular personal, confidential or highly-sensitive data. Our guide contains a new Chapter 4 which explains the duties on directors to protect against cyber threats, Chapter 5 which explains the link between cyber security and the emerging field of AI and Chapter 10 which focuses on building a cyber resilient organisation. We provide some key practical steps for corporations and company directors to implement, in order to ensure compliance when it comes to cyber security and outline how Wolters Kluwer as a global organisation approaches these challenges. Finally we focus on developments (particularly in relation to the ongoing fallout from the more recent high-profile data breaches at Optus, Medibank and Latitude) and what to look out for in 2024 and beyond.