Talks with TLS: Thoughts from an International Cybersecurity Expert
TLS’s very own Tom Balmer from our Sydney office jumped on a Zoom call with Ed Osbourne from Sparke Helmore. They discussed global privacy, technology and moustaches over virtual coffee. Ed started his career in Sydney before working in London and then New York. He has developed a deep global subject-matter expertise on privacy, data protection, cybersecurity risks and cyber insurance.
Tom: Tell us a bit about your career thus far and how you ended up in the US, UK and eventually back in Aus?
Ed: I’ve been lucky enough to work in a few different places. In the UK, I was in the technology, media and telecommunications space. That was pre-GDPR, but there were nonetheless lively discussions about data protection reform, which ultimately led to where we are now.
More recently, I was in New York, first working as a senior cybersecurity and privacy consultant at a Big Four firm and then as Privacy Director and Senior Counsel for a multinational Fortune 500 fashion company, responsible for driving its global privacy programme.
I’m now back in Australia at Sparke Helmore helping clients with privacy compliance and cyber risk.
Tom: Why the focus on privacy and cybersecurity?
Ed: I can’t remember what first drew me to it, but it is a really interesting space to be in. Data drives business these days, and technology gives organisations the ability to capture, analyse and model it on a massive scale. The proliferation of laws regulating the ways organisations deal with data, particularly personal data, is partly a response to this.
For me, one of the big draws is that this field requires you to collaborate with stakeholders organisation-wide. Lawyers and IT professionals do not have exclusivity when it comes to privacy and cybersecurity. There is a real need for cross-functional input, which is something I really enjoy participating in. No disrespect to my legal colleagues, but it is nice to occasionally team up with non-lawyers!
Tom: How do Australian data privacy regulations compare to the GDPR? And the US?
Ed: At their highest, data privacy regulations typically share at least one common goal: offering individuals a level of privacy and data security protection.
There is a general shift (a) towards imposing heightened accountability on organisations with respect to the way they use, disclose and secure data; and (b) away from the notion that organisations are “data owners” and towards the notion that they are “data custodians”.
Data privacy “hype” in different jurisdictions typically revolves around a common thread, “data breaches”:
- In Europe, “72 hours to report a data breach under the GDPR”
- In Australia, “the Notifiable Data Breach (NDB) scheme”
- In the US, “data breach class actions under the California Consumer Privacy Act”.
Having a response plan and understanding the risks of data breaches is critical. However, if an organisation’s primary focus is just response, it is viewing privacy and cybersecurity through the wrong lens.
My opinion is that privacy and cybersecurity need to be embedded into the design of technologies and business practices in order to mitigate risk and act ethically and consistently with societal expectations, which is a roundabout way of endorsing “privacy and cybersecurity by design”. At its most basic, this means adopting a proactive – rather than reactive – approach.
Tom: Since returning, have you seen a change in the Australian market, especially since the OAIC implemented the NDB scheme?
Ed: Privacy and cybersecurity are not new concepts in Australia. The NDB scheme has definitely elevated them, even if only as a consequence of greater visibility around when things go wrong. Some Australian companies are still in the early stages of their security/privacy maturation, and some are more advanced than their overseas counterparts. Ultimately, the importance of robust privacy and cybersecurity programmes is only going to grow, getting pushed along by regulatory change and societal demand.
In terms of Australia’s cyber insurance market, I’d say it’s still relatively young and less developed than the US, Europe and UK markets. Regardless, cyber insurance is indispensable. I’ve seen how costly data breach response and remediation can be, and it’s not just dollars and cents. Data breach response and remediation can also be an enormous drain on internal resources. Having cyber insurance and the dedicated panel of expert providers that often come with it is hugely beneficial. However, it’s important that cyber insurance is never perceived solely as an organisation’s cybersecurity risk-management programme – it should complement it.
Tom: What do you see as the biggest challenge to your clients in the next five years?
Ed: This question is an interview in itself.
At a macro level, one of the biggest challenges is shifting away from a reactive posture towards a proactive one. Implementing privacy and cybersecurity may sound easy, but it requires buy-in from all departments and levels of an organisation, which can be tricky.
Third-party provider risk is a pressing issue. Outsourcing to third parties is a given for most organisations, but those parties often have their own third-party providers, and on the chain goes. This web of dependencies makes evaluating, let alone mitigating, supply-chain risk incredibly difficult. Without strong supply-chain monitoring and controls, organisations leave themselves exposed to business interruption, reputational damage, litigation and regulator intervention.
It is hard to ignore the disruptiveness of ransomware as attacks are increasing exponentially and so is the creativity of threat actors. The US Securities and Exchange Commission saw more than 1,000 documents filed in the last 12 months that mentioned ransomware as a risk – substantially more than previous years. Social engineering, where victims are tricked into providing confidential information, clicking a malicious link or doing some other act that allows a threat actor to gain access to systems and data, is unfortunately also very common and successful – and not likely to go away anytime soon.
Finally, in Australia, my expectation is that we will continue to see regulatory developments and more expansive rights of access and deletion of personal data. I expect tougher penalties and enforcement of privacy-related breaches and a heightened interest in the pursuit of claims against organisations that misuse or fail to adequately protect personal data. On the contracting front, in the last couple of years, I have noticed an increased focus on privacy and information security clauses and the negotiation of (data breach-related) liability and indemnity provisions. I also anticipate that, as the costs of privacy and cybersecurity incidents become more keenly felt by organisations, those organisations will increasingly look to at-fault third parties to try to recoup some of those costs.
Tom: How do you expect technological advances to impact legal services or the legal industry in the next five years?
Ed: There is no doubt that technology in the legal industry can be both transformative and disruptive. I think it is an opportunity, not a threat. Lawyers who explore technological advances to improve their services and apply a considered approach to leveraging those advances will fare better than those who don’t.
Lawyers are notoriously (but not always) old school – educating them on the benefits of embracing technology as a tool to improve client experience and efficiencies is a good starting point.
I have seen, both in-house and in private practice, technology deployments lead to tangible operating and efficiency improvements. I have also seen the opposite: no real benefit achieved, an extra layer of complexity added and an unnecessary increase in risk.
To paraphrase what a very sensible Chief Information Security Officer once said to me: “Start with the big picture. Understand the organisation’s strategic direction and align your technology deployments with it. The alternative piecemeal approach can prove far more costly and leads to unsatisfactory outcomes.”
Tom: Finally, on a lighter, non-cybersecurity note: If you weren’t doing this, what would you be doing?
Ed: I’d love to say I would be a professional sports person, but I don’t have an athletic bone in my body so probably something that has me sat behind a desk.
Tom: What’s your favourite hobby or activity outside of law?
Ed: Despite my answer to the previous question, anything that gets me outdoors.
Tom: How do you grow such an amazing moustache?
Ed: Years and years of shaving neglect and several weeks of COVID-19 work-from-home confinement.
For more information on TLS’s solutions and technologies for cybersecurity and data privacy, please visit our website.