Cyber security is a complex and ever-evolving field. While most in-house legal teams may not be cybersecurity experts, they play a crucial role in both preparing for and responding to cyber attacks and privacy breaches. Cybersecurity is not just a technical issue; it is a business issue that requires legal input and strategic planning.
This guide outlines the legal framework surrounding cyber incidents, the potential legal risks involved, and practical steps that in-house legal teams can take to protect their organisations.
The legal framework
Key legislation
- Privacy Act 2020: If a cyber incident affects personal information it may also be a privacy breach. A privacy breach is unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, personal information; or an action that prevents the organisation from accessing the information on either a temporary or permanent basis.
- Crimes Act 1961: Defines cybercrime offences, which should be reported to the New Zealand Police as criminal acts.
- Companies Act 1993: Directors must manage cyber risk in the best interests of the company by exercising the care, diligence, and skill that a reasonable director would exercise.
- Russia Sanctions Act 2022 and the United Nations Act 1946: Paying a ransom to a group from a sanctioned state may violate this legislation, carrying criminal penalties.
Key authorities
- Where a breach has caused or is likely to cause serious harm, the organisation must notify the Office of the Privacy Commissioner within 72 hours.
- The Government Communications Security Bureau (GCSB) provides assistance and protective security services to public authorities. The National Cyber Security Centre (NCSC) is part of the GCSB and responds to high-impact cyber threats/incidents at a national level. CERT NZ supports businesses, organisations and individuals who are affected by cyber incidents.
- The Reserve Bank of New Zealand (RBNZ): RBNZ-regulated entities must report material cyber incidents to RBNZ within 72 hours.
- The Financial Markets Authority (FMA): Applicable market licence holders suffering a cyber incident that materially affects services must notify the FMA within 72 hours. For entities that must report material incidents to both the RBNZ and the FMA, there is overlap between the information required by each authority.
- NZX: NZX listing rules require listed companies to promptly disclose information that could materially affect their securities' price or value, unless safe harbour provisions apply.
Legal risks
The risks arising from cyber attack are significant and can include:
- Litigation risk: Affected parties may seek compensation through civil litigation for any harm they have suffered. This can include breach of contract claims related to data security and privacy.
- Regulator risk: The requirement to notify various regulators about a cyber incident exposes the organisation to regulatory scrutiny. The Privacy Commissioner has the power to issue compliance notices requiring remedial actions.
- Reputation risk: Cyber attacks can damage an organisation's reputation, especially if it is perceived that insufficient preventative measures were taken. This loss of trust can be particularly damaging in competitive markets.
- Operational risk: Cyber attacks can disrupt business operations, leading to downtime and lost productivity. Resources and personnel may need to be reallocated to handle the breach, impacting other business activities. Cyber attacks may disrupt supply chains or involve release of third party data, leading to breach of contract claims.
- Financial risk: A major cyber attack can have a significant impact on operating costs and profits, including the cost of handling the breach.
Steps in-house legal teams can take
Given the broad legal impacts of a cyber incident, in-house legal teams have an important role to play in proactively managing and mitigating cyber risk, including:
- Preventative measures: Review and ensure cybersecurity incident policies comply with New Zealand law and international standards. Promote employee training on cybersecurity risks, legal obligations, and response strategies.
- Contractual safeguards: Ensure that contracts with third parties include robust data protection clauses, clearly defining cybersecurity responsibilities and incident reporting procedures. Include audit clauses in agreements with service providers so that you can test compliance with cybersecurity standards, if needed.
- Cyber insurance: Cyber attacks can result in significant financial losses, including IT costs, business interruption, PR and communication costs, customer reimbursements, potential fines, and litigation. Legal teams should understand and evaluate cyber insurance coverage options, limitations, and exclusions to ensure adequate coverage.
- Breach readiness: Define, implement, and test the breach response plan, including breach reporting obligations and timeframes. Participate in table-top testing and provide guidance on maintaining legal professional privilege. Support the organisation to understand its position in relation to ransom payments.
- Incident response: One of the most important roles for legal teams is during the heat of a cyber incident response. Understanding the legal impact of the breach is a critically important part of the response strategy and key to informing decisions during the response phase. Legal teams may also be supporting their organisation’s Privacy Officer in relation to their interactions with the Office of the Privacy Commissioner, and liaising with insurers, regulatory bodies and impacted individuals. Actions are often time critical, and so being prepared is essential.
- Post-breach support: Assist in remediation activities, dealing with insurers, clients, regulators, and responding to compliance notices.
If you’d like support from PwC in relation to any of the steps outlined above, get in touch with our integrated team of lawyers and cyber security specialists.
Contact us
Follow us
