Special Advisor Steven Hunwick recently appeared on REDD’s Business & Technology podcast with Jackson Barnes and Brad Ferris, where they discussed cybersecurity, technology and intellectual property law in Australia. You can watch the full YouTube video and learn more about cybersecurity below.
In the podcast, Steven discusses legal and contractual issues and strategies in the area of intellectual property, technology and cybersecurity. In this note, he shares additional context on the key questions from the discussion that listeners and readers need to know.
Types of intellectual property rights
“IP Australia has a great summary of the different types of intellectual property rights, including registrable rights such as trademarks, patents and designs, and non-registrable rights such as copyrights and trade secrets,” explains Steven.
“Companies need to think about different considerations.”
What should companies consider when sharing confidential information?
If your company shares its proprietary or confidential information with a potential customer, partner or supplier, Steven says you should consider the following:
- sign a confidentiality agreement (sometimes called a Non-Disclosure Agreement or NDA) to formalize the confidentiality obligations of the parties and the specific purpose for which the confidential information may be used;
- if you share confidential information verbally (for example in a meeting or presentation), tell the audience that the information you present is confidential; and
- if you are providing the information in writing, such as a document or presentation, mark each page of the material as “Confidential – Property of [insert your organisation’s name]”.
Responding to a cyber incident
“A data breach occurs when personal information is accessed or disclosed without authorization or when it is lost (including through ransomware or the physical loss of a storage device),” says Steven. “If your organization is covered by the Privacy Act 1988, your organization may need to inform the Australian Information Commissioner’s Office and data subjects when it experiences a data breach involving personal information, the disclosure or loss of which is likely to cause serious harm.”
Who should be on your cyber leadership team?
When you need to respond to a cyber incident, multiple people should form your cyber leadership team.
Steven says you might like to consider including:
- a designated company officer, such as your managing director or CEO
- a public relations or communications officer (whether internal or external to the organization)
- your IT manager (again, whether inside or outside the organization)
- specialist IT providers to perform a forensic review of the incident
- cybersecurity and privacy lawyers
- a cyber breach coach, if your cyber insurance policy can provide for it.
Case Study: How Well Do You Know Your Cyber Insurance?
The Federal Court of Australia recently ruled that an insurer is not liable to pay the insured’s costs of cleaning up after and recovering from a ransomware attack, including its costs for computer investigation, incident response and hardware replacement. In effect, the insured elected to bear these costs, and they were not incurred directly as a result of the ransomware incident. Consequently, the insured could not claim and recover these costs under the organization’s insurance policy.
Key takeaway
You should review your existing or proposed cyber insurance policy so that (before you have to make a claim) you can know precisely what types of costs or losses are covered versus excluded.
What costs can arise from a cyber incident or a data incident?
Types of costs can include:
- business interruption costs, such as lost revenue due to downtime or higher production costs;
- event recovery costs, such as computer forensic services to investigate and remediate the breach and restore your network, servers or data. Some policies will cover the costs of replacing digital assets (software, data, etc.), but may not pay for upgrades or enhancements to those assets;
- security monitoring costs, for example security operations center (SOC) or security information and event management (SIEM) services;
- costs of sending notices to data subjects, in accordance with applicable privacy laws;
- ransom payment fees;
- the professional fees of a public relations agency to help protect the organization’s reputation or public image; and
- the professional fees of a cybersecurity and privacy lawyer to advise you on legal or contractual compliance responsibilities.
Advice for technology contracts
Want a better IT services contract? Try these tips on technology procurement. Electronic signatures are valid in Australia to sign contracts and many other legal documents, and a recent change in Australian company law means that electronic signatures are here to stay.