23 April 2020
The business disruption caused by COVID-19 has created a number of new cyber security risks for companies to manage.
In addition to a significant increase in opportunities for malicious actors to engage in cyber-crime, temporary measures and work-arounds put in place by business to deal with the disruption can expose companies to legal and regulatory risk.
As a result of COVID-19, many companies have needed to:
Staff are also highly likely to introduce ‘Shadow-IT’ (unauthorised programs and devices) into their home working environments, to enable them to operate. This can be as simple as e-mailing or transferring company documents to their home devices via e-mail or USB, for printing on home printers. Another common example of Shadow-IT is the creation of team groups communicating on platforms such as Facebook and WhatsApp.
There is evidence of a strong uptick in cyber-crime activity exploiting the COVID-19 crisis, particularly social engineering and phishing attacks. Such attacks exploit people’s need for information by impersonating government authorities, major corporations or business leaders to encourage users to enter credentials or open attachments in order to access ‘important information’. Some attacks are specific enough to appear to be a communication from business leaders to staff, for example a ‘Working from Home Statement’ purporting to be from a company’s CEO to its staff and customers.
The legal risks that arise from these actions require active management. COVID-19 will not be an excuse for actions that reduce the security of personal or confidential business information, nor does it amend contractual or regulatory privacy and confidentiality obligations.
Further, COVID-19 does not reduce the obligation under Australian Privacy Principle 11 to ensure that reasonable steps are taken to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. It also does not operate to extend the notification period for data breaches or other compliance obligations.
There is a need for particular vigilance in relation to cyber security during COVID-19, and we recommend that General Counsel be in regular contact with their CIO and CISO about:
The OAIC has recommended that companies undertake a Privacy Impact Assessment to ensure that personal information is handled in a way that is necessary, reasonable and proportionate.
Guidance issued by government authorities provides a reasonable basis for assessing risks and taking steps to ensure that the company meets its legal obligations. In particular, it is worth drawing attention to the Australian Cyber Security Centre’s (ACSC) recommendations in relation to the use of video-conference software:
“Prior to agreeing to a service provider’s terms and conditions, organisations should seek privacy, security and legal advice. Notably, the terms and conditions should include specific clauses that address organisations’ legal, privacy and security requirements. Without privacy and security requirements being specified, organisations may not be able to verify a service provider’s security claims or whether their information is being appropriately used or not. In particular, attention should be paid to whether a service provider claims ownership of any recorded conversations and content, metadata, or files that are created or shared when using their web conferencing solution. Finally, when seeking legal advice, organisations are less likely to inadvertently accept terms and conditions that breach financial or liability rules.”
Businesses should also consider if their internal IT policies are fit for purpose in the current environment or whether they need amendment or a temporary update to give their employees clear guidance on what they can and cannot do.
Some of the matters that should be expressly addressed or reinforced in IT policies include:
Keeping employees updated about known phishing and social engineering attacks will help them avoid inadvertently becoming victims of cyber security fraud. This could be as simple as passing on the ACSC’s warnings in updates to staff.
We recommend that General Counsel keep the following five things under constant review during COVID-19.
The rapid evolution of working practices under COVID-19 has added further complexity to the cyber security landscape for companies, and General Counsel have a significant role to play in ensuring that companies manage their data security and privacy obligations through the COVID-19 crisis. Those companies that pay attention to these issues will reduce the risk that their broader recovery is complicated by cyber-security threats and fraud.
Corrs Cyber is a unique, coordinated legal, forensic and cyber offering. Our multidisciplinary team includes our market-leading technology, media and telecommunications (TMT) and disputes lawyers, working closely with some of Australia’s leading forensic technology practitioners, a Certified Ethical Hacker and IT security specialists.
We invite you to register your interest for a virtual event in the form of a panel discussion on the key cyber risks General Counsel need to be aware of during the COVID-19 crisis. We can consider recent matters we have acted on to ensure you are better armed to think about how these scenarios could play out in your own organisation.
This publication is part of our insight series COVID-19: Navigating the implications for business in Australia and beyond.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.