Steven Hunwicks recently appeared on REDD's Business & Technology podcast with Jackson Barnes and Brad Ferris, where they discussed cyber security, technology and intellectual property law in Australia. You can watch the full YouTube video and learn more about cyber security below.
In the podcast, Steven touches on legal and contractual issues and strategies in the IP, Technology and Cyber security space. In this note, he shares some extra context about the key issues in the discussion for listeners and readers to know.
Types of intellectual property rights
"IP Australia has a great summary of the various types of IP rights, including registrable rights such as trade marks, patents and designs, and unregistrable rights such as copyright and trade secrets," says Steven.
"There are different considerations for businesses to think about."
What should businesses consider when sharing confidential information?
If your business shares its proprietary or confidential information with a prospective customer, partner or supplier, Steven says you should consider:
- signing a Confidentiality Agreement (sometimes called a Non-Disclosure Agreement or NDA) to formalise the parties’ confidentiality obligations and the specific purpose for which the confidential information can be used;
- if sharing the confidential information verbally (e.g. in a meeting or presentation), say to the audience that the information you are presenting is confidential; and
- if giving the information in writing such as a document or presentation, mark each page of the materials as “Confidential – Property of [insert your organisation’s name]”.
Responding to a cyber incident
Cyber incidents have increased to record levels, and Australia seems to be a popular target. So, what exactly is a data breach?
"A data breach happens when personal information is accessed or disclosed without authorisation or when it is lost (including by ransomware or physical loss of a storage device)," says Steven. "If your organisation is covered by the Privacy Act 1988, your organisation may need to notify the Office of the Australian Information Commissioner and affected individuals when it suffers a data breach involving personal information, and the disclosure or loss of which is likely to result in serious harm."
Who should be in your cyber leadership team?
When you need to respond to a cyber incident, there are several people who should form your cyber leadership team.
Steven says you may like to think about including:
- a designated leader from the business, such as your managing director or CEO
- a public relations or communications leader (whether from inside or outside the organisation)
- your head of IT (again, whether from inside or outside the organisation)
- specialist IT providers to carry out a forensic review of the incident
- specialist cybersecurity & privacy lawyers
- if your cyber insurance policy may provide for it, also a cyber breach coach.
Case study: How well do you know your cyber insurance?
The Federal Court of Australia recently found that an insurer was not required to pay the insured’s costs of cleaning up and recovering from a ransomware attack, including its costs of IT forensics, incident response and replacement hardware. This was because the insured opted to incur those costs, and they were not incurred directly because of the ransomware incident. Therefore, the insured could not claim and recover those costs under the organisation’s insurance policy.
Key takeout
You should review your existing or proposed cyber insurance policy so that (ahead of needing to make a claim) you can know precisely which types of costs or losses are covered versus excluded.
What costs can arise from a cyber or data incident?
The types of costs may include:
- costs of business interruption, such as lost revenues from downtime, or higher production costs;
- event recovery costs, such as IT forensic services to investigate and remediate the breach and restore your network, servers, or data. Some policies will cover the costs of replacement digital assets (software, data etc.) but may not pay for upgrades or improvements to those assets;
- security monitoring costs, e.g. security operations centre (SOC) or security information and event management (SIEM) services;
- making notifications to affected individuals, under applicable privacy laws;
- costs of making a ransom payment;
- professional fees of a public relations firm to assist in protecting the organisation’s reputation or public image; and
- professional fees of a specialist cybersecurity & privacy lawyer to advise on legal or contractual compliance responsibilities.
Technology contracting tips
Want a better IT services contract? Try these technology contracting tips. Electronic signatures are valid in Australia for signing contracts and many other legal documents, and a recent change to Australia’s companies law means that e-signatures are here to stay.
For more information about the topics Steven has spoken with the team at REDD about, or any of his extra insights featured in this article, get in touch with our Intellectual Property, Technology and Cybersecurity team.