28/02/2025

It’s the worst nightmare of every business: a call from your IT provider reporting suspicious activity on your network. It appears that hundreds or thousands of client records were accessible to a third party for several hours. They are still trying to work out what was accessed, and whether anything was exfiltrated. You are on tenterhooks, waiting to see if anything turns up on the dark web in the coming days.
Most businesses know that at this point they are dealing with a cybersecurity incident which is also a data breach, potentially a notifiable one. In the hours and days after your IT provider gives you the bad news, you will be managing multiple processes with multiple regulators working to various timeframes, while trying to protect your data. And if anything does end up on the dark web – as just happened to fertility provider Genea – your responsibilities, reporting lines and potential liabilities will increase exponentially.
1. How will you resource the surge?
Suddenly many of your staff are caught up in trying to ensure the relevant systems are locked down, the incident is investigated, affected individuals are notified, all the regulators are informed and kept up to date, and in dealing with the phones ringing off the hook as people call to ask questions about how at risk their personal data might be.
Your cyber incident response plan and data breach response plan probably deal with these issues.
But what happens to your other, time critical BAU tasks? How will you keep servicing your existing obligations? Where will you get the staff and the expertise?
One recent incident is a case in point. Genea Fertility has, all things considered, moved quickly to respond to a cyber incident which occurred on Valentine’s Day.
However, Genea provides a costly and time-critical service to patients, and it appears the incident may have critically affected its ability to continue to deliver. ABC News recently reported that patients trying to arrange required blood tests with Genea in the days after the breach were unable to get through on the telephone, meaning appointments had to be delayed to the following cycle. At $12,000 per cycle, the consequences of a missed or postponed step for patients’ lives and bank balances are enormous.
It depends on the resourcing and skill profile of your business, but it may make sense to consider managing a cyber-incident surge with contracted labour. If your core business can be outsourced to others with the same skills, make sure you are ready to hit go on that arrangement. If your core business can’t be outsourced, consider contracting out at least part of your incident response instead. Reflect your preferred position in your Business Continuity Plan.
2. What are your obligations under your contracts?
You may have other legal obligations to manage too. For example, are you a supplier to government? Does some of the potentially compromised data belong to government agencies? What are your obligations under your government contracts when an incident occurs? How much control are you obliged to cede to the agency in managing and investigating the incident? Will you need to provide input into ministerial briefs, or help prepare for tricky Estimates questions? Do you have a clear communications channel and joint incident management process set up? It is best to get clear on these points well before Day Zero.
3. Do you have a communications plan?
Are you ready to protect your brand through a challenging cyber incident? Who will you turn to for comms and media support, and do they work evenings and weekends? Can you prepare some of the comms products in advance? Consider setting up a dedicated email inbox and phone line to manage incoming media inquiries and client complaints. In addition, if you are dealing with government data, be clear about who is managing the media and complaints component – your business, or the agency, or both?
4. What do your industry-specific regulators want from you?
You already know you will have to be talking to the Office of the Australian Information Commissioner and the Australian Cyber Security Centre. But what do your sector regulators expect? Will you lose accreditation or attract sanctions if you fail to comply? Ensure any sector-specific notification and engagement requirements are covered off in your incident response plans.
5. Are you sure your insurer will cover you?
Dig out that certificate of currency and have a good hard look at it. Are cyber incidents or data breaches covered at all? If so, what is the coverage for exactly? Immediate incident response costs? Surge resourcing costs as discussed above? Practical support (such as the cost of IDCARE’s services) and counselling for affected clients / customers? Downstream complaints and lawsuits? Consider practical elements too: Does the insurer’s hotline operate on weekends and after hours? What documentation will they require from you? Update your coverage if needed, or consider dedicated cyber incident insurance.
In conclusion: Day Zero of a cyber incident may indeed be your worst nightmare. However, with a little planning, it may be possible to avoid even more stressful surprises in the following days and weeks.
Griffin Legal is experienced at supporting clients through cyber incident responses. Please get in touch with our team to discuss how to plan for and manage a breach at your agency or business.
Sources
OAIC: Data breach preparation and response
Australian Cyber Security Centre: Report and recover
24 February 2025: Genea Cyber Incident – Update, Support Resources & Data Breach Notification
Genea patients frustrated by lack of communication amid data breach – ABC News, 20 Feb 2025