Your 2024 corporate guide to cyber security and data breaches | Wolters Kluwer


There is little doubt that the protection of personal client data is of utmost importance to any corporation. The data breaches at Optus, Medibank, Latitude and several other high-profile organisations serve as a stark reminder of the devastating consequences which can occur when data falls into the wrong hands.

The impact on a company’s profits and revenue is one aspect. However, it is invariably the damage to a corporation’s brand and reputation in the marketplace which is of a far greater severity. Clients can lose confidence in an organisation almost overnight, and a reputation which has taken years to foster can be destroyed by one cyber incident — particularly where that incident reaches international headlines. Companies, and the directors behind those organisations, need to ensure that they have appropriate processes and plans in place to deal with all probable scenarios when it comes to the protection of client data — particularly data of a sensitive, confidential or personal nature.

Perhaps one positive aspect to emerge from recent data breaches at high-profile players, including Telstra, Tesla and the corporate regulator itself, is that the reporting of cyberattacks has now increased, i.e. if anything, companies and individuals are now becoming more technically savvy and responsive, which can only be a good thing.

The ACSC, OAIC, ASD and ASIC provide a wealth of information to assist you in understanding your obligations when it comes to data security and privacy.

Refer also to CCH iKnowConnect, our online legal research platform for more information. We have a whole practice area dedicated to Privacy Law. Our content in Company Law and Compliance & Business Law is also highly relevant. We also provide regular news stories on topics such as the Optus data breach and ASIC’s approach to regulating AI which you can access on our legal research platform.

Welcome to our newly updated 2024 guide to corporate cyber security and data breaches.

We have restructured our guide and are excited to present the following 3 new chapters:

There is little doubt that a lot has happened in the cyber security space over the past 2 years. The data breaches at both Optus and Medibank Private (Medibank) in the latter half of 2022, and Latitude Financial (Latitude) in March 2023, demonstrated that both the scale and sophistication of cyber-attacks and data breaches are increasing, not just in Australia, but at an international level. Increased connectivity brings great benefits, but also great risk. As of December 2023, the estimated cost of cyber-attacks on the global economy was expected to top $10.5 trillion. Such sophisticated cyber-attacks are also becoming increasingly hard to detect.

Robert Mueller, director of the FBI from 2001 to 2013, famously said:

“There are only two types of companies: those that have been hacked, and those that will be”.

A data breach at a large organisation can have widespread reverberations not just within Australia, but also on the global stage. For Optus and Medibank, the data breaches in 2022 resulted in the security systems and procedures of 2 of Australia’s largest corporations suddenly and without warning being thrown under the spotlight for all to see. In particular, the leak of personal health information as a result of the Medibank data breach placed thousands of vulnerable Australians at risk when it comes to everyday “transactions” such as applying for a job, applying for credit or seeking a reference. Latitude suffered a similar fate in March 2023 with millions of private client financial records stolen. The data breach affected over 14 million Latitude customers in both Australia and New Zealand after hackers gained access to Latitude employee login credentials, which were then used to pilfer personal data from other, third-party, service providers.

It appears that it is only a matter of time before most organisations fall victim in some form. This is evident from the list of other notable data breaches over the last 2 years, including:

The list simply goes on and on. The secondary impacts of such data breaches can be even more significant and may take time to fully materialise. These impacts may include risks to the financial standing and mental health & wellbeing of those individuals who have been targeted as well as reputational damage to the brand of those corporations at fault.

Large organisations in particular, such as Optus, Medibank, Telstra, Tesla and Latitude, also face the very real prospect of class actions against them from clients aggrieved by the breach of their data. This is particularly so where such a breach has led to personal financial loss for the “victims”. It is little wonder that the demand for cyber security products and services is growing. Indeed, Australians spent $5.6 billion on cyber security in 2020, with that figure expected to grow to $7.6 billion in 2024. Chapter 12 discusses the latest developments in potential proceedings against Optus, Medibank and Latitude.

Whilst the Optus, Medibank and Latitude breaches were significant, the truth is that companies lose data all the time, as is evident from the list above, with such big players as Tesla, PWC, Telstra and even the corporate regulator itself, the Australian Securities and Investments Commission (ASIC), falling victim.

Hence, there is little doubt that Australia is now, more than ever, heavily invested in cyber security. The government is investing $100 million in a digital skills package, via the Digital Economy Strategy 2030, which includes an expansion of the Cyber Security Skills Partnership Innovation Fund. This is coupled with an unprecedented investment of $9.9 billion over 10 years in Australia’s national intelligence and cyber capabilities.

The following guide takes you through the topic of cyber security and data breaches, and the importance of vigilance when it comes to protecting privacy and securing client data, in particular personal, confidential or highly sensitive data. Our guide contains a new Chapter 4, which explains the duties on directors to protect against cyber threats; Chapter 5, which explains the link between cyber security and the emerging field of AI; and Chapter 10, which focuses on building a cyber resilient organisation. We provide some key practical steps for corporations and company directors to implement in order to ensure compliance when it comes to cyber security, and outline how Wolters Kluwer as a global organisation approaches these challenges. Finally, we focus on developments (particularly in relation to the ongoing fallout from the more recent high-profile data breaches at Optus, Medibank and Latitude) and what to look out for in 2024 and beyond.

© 2024 Wolters Kluwer N.V. and/or its subsidiaries. All rights reserved.