Winner - Best Fintech Law Firm 2023 (Australia)
Winner - Best Emerging Fintech Law Firm 2022 (Australia)
AB is a modern law firm with a focus on advising in technically specialised areas. While strong technical expertise forms the foundation of our approach, we distinguish ourselves by combining it with a genuine focus on business objectives and risk, and a nuanced understanding of the emotional factors that underpin legal matters.
AB provides high-end legal expertise delivered with the commerciality and cost sensitivity expected by a start-up - wrapped up with an emotionally intelligent approach. With leading advisors in cyber, technology, privacy, financial services and insurance risk, this positions us as the perfect partner for organisations facing cyber and privacy risks.
"AB is an outstanding firm that delivers practical and innovative solutions for our business. Their experienced lawyers take a strategic and proactive approach while always trying to minimise costs - plus they explain scenarios in plain English so we know exactly what the outcomes might be."
Murray Liston
Managing Director, Civic MJD
Meet the Team
Our cyber and privacy services are delivered by our team of highly qualified professionals with decades of experience across all areas of cyber security and law, as well as law enforcement, artificial intelligence, privacy and data protection, risk management, business resilience, disaster recovery, crisis management, insurance and more.
James A. Cole
Partner | Head of Cyber & Privacy
My passion is helping our clients to implement holistic and commercial technology, privacy, and governance strategies that are aligned to their business objectives and risk appetite. I enjoy holistically applying my expertise across technology, business, and law, enabling me to get to the heart of the issues and achieve positive, long-term results for clients.
James has spent more than two decades specialising in information security, strategic operations, and Governance, Risk & Compliance, helping businesses and government seamlessly integrate privacy, technology, security, and compliance with business objectives.
James’ success as a computer scientist and lawyer has been centred on his core belief that privacy, security, and compliance do not have to be onerous activities that hinder business.
James’ expertise is wide ranging on every axis. He has advised organisations across both private and public sectors, as well as a broad range of industries including financial services, insurance, technology, healthcare, and government.
His advice spans across:
- international commercial expansions and regulatory compliance
- international privacy regimes including GDPR, CCPA, HIPAA, PIPEDA, UK PECR, ePrivacy Directive
- Access to Information / Freedom of Information
- multi-jurisdictional privacy and data protection
- artificial intelligence (AI) and facial recognition technology including ISO 42001
- cyber resiliency and preparation & prevention of cybercrime
- cyber governance, risk and compliance including ISO 27001 & NIST 800-53
- contractual liability in cyber & technology, and privacy & data protection
- misleading and deceptive conduct in financial services including AFSL compliance and breach investigation & reporting
- data breach incident response and remediation
Academic Credentials
- Bachelor of Laws (Honours) - Queensland University of Technology
- Bachelor of Computer Science - University of Calgary
- Bachelor of Arts (English Literature and Philosophy) - Trent University
- Postgraduate Studies (Law) - University of British Columbia
- Diploma in Insurance Law - Law Society of Ireland
- Masters of International Security Studies (Distinction) - Macquarie University
- Masters of Policing, Intelligence & Counter Terrorism (Distinction) - Macquarie University
Certifications
- Certified Information Privacy Professional / Europe (CIPP/E) - International Association of Privacy Professionals (IAPP)
- Certified Information Privacy Manager (CIPM) - International Association of Privacy Professionals (IAPP)
- Certificate in Data Protection Practice - Law Society of Ireland
- Certificate in General Data Protection Regulation (GDPR) - Law Society of Ireland
- Security+ - Computing Technology Industry Association (CompTIA)
- Canadian Securities Course (CSC) - Canadian Securities Institute
Admissions
- Australia - New South Wales - Lawyer
- Australia - High Court of Australia - Solicitor
- New Zealand - Barrister and Solicitor (inactive)
- England & Wales - Registered Foreign Lawyer
Practice Areas
- Privacy and Data Protection
- Cyber and Technology
- Insurance
- Artificial intelligence (AI)
- International Private
- Corporate and Commercial
- Administrative and Regulatory
2024
- Member of Law Society of NSW Taskforce on AI & other tools and trends shaping the legal profession
2023
- UNSW Edge Seminar - Cyber Security & Data Breaches: the new governance frontier
- Gartner Security & Risk Summit - CISO Masterclass on the Ins & Outs of Cyber Insurance
- AISA CyberCon Canberra - Ask an Expert - Ask a cyber insurance breach coach about prevention and incident response planning
2022
- Tenable on Tour - Managing data risks and the role of legal teams
- Law Society of NSW Annual Conference - The value of data, what you can do with it and what you can't (Moderator)
- Young Lawyers Criminal Law Sub-Committee, Law Society of NSW - The challenges of responding to cybercrime
- Albrecht Burrows & Law Squared webinar - Privacy: a whole of enterprise risk
- Law Society of NSW CPD webinar - Risk management as a strategic business tool: why legal is so much more than a dustpan and brush
2021
- Pemba Capital Partners Lunch and Learn - Cybersecurity in financial services
Mark Anderson
Legal Consultant, Lawyer (NZ)
Managing risk with both technical precision and pragmatism is critical in the modern environment. Properly understanding your business needs and then delivering that advice together with integrity, trust and loyalty are fundamental to ensuring your most optimal outcomes.
Mark is a highly awarded legal risk adviser and barrister to New Zealand and international business, governmental entities and public bodies. He has more than 20 years' experience advising on risk, including cyber risks and breach responses, technology contract liability, security and governance, health and safety, environmental, competition and other regulatory investigations.
He has provided incident response advice globally to clients in need, including those in Europe, Australia, New Zealand and across APAC, after developing global incident response panels that draw together legal, IT, forensic and PR professionals to manage cyber crises. He has managed some of the highest-profile cyber breaches in Australasia.
Mark is a trusted leader with a high level of integrity, professionalism, and discretion. He is an exceptional strategist committed to minimising current and perceived risks while providing innovative, future-focused and pragmatic legal strategies to achieve your objectives.
He is recognised by peers for tenacity and a proven ability to direct technology and cyber risk/data breach incident responses, regulatory notifications, and insurance operations during business interruptions following a cyber incident. Mark has been ranked as a leading lawyer in the Legal 500 (2020 & 2021) and as a top lawyer in privacy by Best Lawyers (2017-2023).
Academic Credentials
- LLB - Otago University
- BA (Hons - International Relations & Politics)
Admissions
- New Zealand - Barrister and Solicitor (currently registered as a Barrister)
Practice Areas
- Technology
- Cyber Incident Response
- Privacy
- Insurance
- Litigation
- Board Risk and Governance Advisory
- Administrative and Regulatory
- Regulatory Investigation Response
- Aviation and Marine Risks
- Health and Safety
- Environmental / Climate Change Risk
- Data subject rights: The real risk of privacy and security for business - 2022
- Ransomware - the mechanics of ransom payments - Insurance industry seminar - 2021
- The Globalisation of Privacy Breach Law - European developments and impact on Australasia - New Zealand Insurance Law Association - March 2020
- Cyber, conflict and cover: time for a re-think? - Seminar and publication - 2018
- Connected and Autonomous Vehicles: The future? - Oral and written evidence - 2016
Our Data Breach Response Service
When cyber security incidents and data breaches happen, you need a fast, comprehensive solution to get you running smoothly again and address your legal obligations and risks. AB's Incident Response Service is designed to provide compassionate incident response services at affordable rates that keep the needs of your business in mind. Our expert team, working closely with specialist forensics providers, will guide you through the challenges of responding to a breach, whether it's ransomware, email compromises, digital frauds, accidental data mishandling or any other data emergency.
Our Incident Response Service covers everything you need in the event of a data breach. In an emergency, we are here to help from start to finish and through the post-breach recovery. Data breaches can involve a lot of complex legal issues from legal obligations under privacy laws, to contract management, regulatory investigations, third-party liability claims, insurance coverage, and crisis communications and reputation protection. Whatever the situation requires, our experienced technical lawyers are ready to help you get back on track.
Some of the key incident response services we provide include:
The first hours of a data breach are critical to effectively managing the impacts and reducing overall response costs. Having experienced assistance in managing an incident considerably mitigates the consequences of a breach. Our incident response services are based on team know-how, experience, advanced credentials, best practice strategies, and a risk-neutral approach that truly understands your business.
We work on:
- immediate actions to establish containment of the breach;
- risk mitigation measures to minimise dissemination of material;
- engagement with expert IT forensics;
- understanding the technical aspects of the breach through threat intelligence;
- alignment with authorities and stakeholder expectations;
- crisis communications support to minimise reputational harm; and
- implementation of protective measures against fines or private claims.
Besides being privacy experts, our incident response specialists have a deep technical knowledge of the law and technology. This is vital as the legal framework on data breaches varies substantially worldwide.
We also provide trusted relationships with the respective data protection authorities, which is a key asset in successful data incident management.
Data breach notification requirements vary substantially around the globe, not only in the deadlines for reporting the incident, but also in the required content and language of the notification. Data breaches often trigger the extraterritorial application of foreign privacy laws even if your business doesn't ordinarily operate in that country. We will help you determine:
- what notification obligations apply to the incident;
- which authorities in what countries have to be notified and when; and
- which local notification procedures apply and whether the information needs to be extended to affected individuals.
Our team members will draft and file necessary notifications, working with partner law firms in other countries as required, ensuring you comply with your legal obligations while aiming to minimise potential liability claims.
A cyber or data incident might also trigger contractual obligations. It is becoming standard practice for commercial customers, suppliers, and other business partners to incorporate data breach response clauses into standard contracts. Additionally, if you do business with a commercial entity that is subject to a foreign data protection law, such as the EU's General Data Protection Regulation (GDPR), you may have contracts that incorporate a Data Processing Agreement based on that jurisdiction's Standard Contractual Clauses (SCC). Most countries' SCCs include substantial breach notification obligations.
We can support your evaluation of affected contractual relationships and the obligations you might have, in particular time-sensitive breach reporting obligations. Where necessary, we can coordinate with partner law firms overseas to assist with foreign language and notification duties.
Once a breach is over, there is still a lot of work to be done.
Post-breach remediation support is an important part of our Incident Response services. This can include:
- assisting with possible litigation and dispute mediation;
- uplift of your standard contracts to incorporate common cybersecurity and breach clauses;
- responding to subsequent communications with authorities, investigations, or challenging fines;
- establishing a roadmap for cybersecurity readiness improvement and improving technical and organisational Governance, Risk and Compliance programs across cybersecurity and privacy;
- obtaining cyber insurance; and
- responding to customer privacy requests such as Data Subject Access Requests.
Case Studies
Case Study:
Responding to large scale ransomware
A publicly traded company that manufactures equipment for emergency and public services sought advice and assistance to respond to a ransomware attack involving the loss of personal data and commercially sensitive information.
The company suffered a ransomware incident resulting in 100% business interruption and the loss of 1.3 TB of personal and commercially sensitive information. The business interruption was causing a financial loss of up to $200,000 per day.
Ransomware incidents can be challenging to respond to and result in significant emotional stress for businesses. We understand what businesses are going through and provide our services with compassion and understanding with the aim of restoring business as usual and building cyber resiliency to help protect the business in the future.
To achieve this goal, we helped the company by:
- providing advice and guidance on the legality of paying ransomware demands and the legal obligations that arise under Australia's notifiable data breach laws, while working to identify opportunities for implementing future cyber risk mitigation strategies;
- providing advice on crisis communications strategies relating to the breach and future reassurance to customers of the company's commitment to cyber security and privacy;
- coordinating and managing external cyber forensics experts to investigate the root cause of the intrusion and provide assurance that the incident had been contained;
- drafting and executing a copyright infringement notice action against a third-party data centre located in Europe that was used by the threat actor to exfiltrate the client's data, resulting in the criminal losing access to the exfiltrated data before they were able to copy it to additional locations;
- recovering critical data from the third-party data hosting provider in less than 48 hours from the start of the incident, allowing the business to restore data not included in the most recent backups;
- assessing regulatory notification obligations under Australian and international privacy laws, and drafting tailored notifications to sensitive commercial partners, the Office of the Australian Information Commissioner (OAIC) and regulators in the USA and Singapore;
- drafting customer notifications, including coordination of customer notifications with third-party white label resellers in the United States;
- providing advice on post-recovery remediation strategies and actions to help protect against future breaches and mitigate cyber risks, enabling the client to successfully obtain cyber insurance only a few months after the conclusion of the incident; and
- advising the Managing Director on the impacts of the breach and related disclosures to a third-party company proceeding with an acquisition of our client's company.
We provided high quality, timely and compassionate advice and assistance to the client in responding to the breach from day 1 through to full recovery and post-recovery risk mitigation.
Our partner forensics vendor, following legal instructions, identified the root cause of the ransomware breach and assisted the client to restore normal business operations. Our team assisted the client with breach notifications that resulted in all regulators closing their files without any penalties or investigations.
There were no adverse enquiries or actions by clients and white-label resellers.
The client was able to return to normal operations in less than one week and close the breach in 5 weeks following confirmations from regulators. The client successfully closed the Merger & Acquisition without impact to the sale price.
Cyber Incident Response
Post-Breach Cyber Readiness Assessment
Privacy Compliance Advising
Corporate and Commercial legal advising
Case Study:
Compassionate incident response
A not-for-profit community organisation needed help responding to a business email compromise that involved highly sensitive personal information relating to children after a staff member’s mailbox was compromised as a result of a phishing email.
The contents of the approximately 32 GB mailbox were copied by the cyber criminals and the contacts used to send thousands of spam / phishing emails.
Type of Cyber Incident: Business Email Compromise
Size of Mailbox: 32 GB
Nature of Data Breach: Sensitive information relating to children
- provided compassionate advice and guided the client through every step of the breach response, conscious of their standing in the community, translating what can be a complex legal process into an understandable step-by-step action plan;
- gave easy-to-understand advice on the Australian notifiable data breach scheme and conducted a risk of serious harm assessment;
- coordinated and led a targeted eDiscovery project to identify the people affected by the breach and the nature of the exposed data;
- drafted notifications to the OAIC and the affected persons, coordinating with the OAIC on special notification processes and exemptions for vulnerable persons likely to suffer increased serious harm as a result of the notification;
- coordinated notification to overseas regulators and affected persons in New Zealand, Germany, France, Sweden, Finland, UK, Canada, and the USA;
- assisted with drafting responses to OAIC and UK Information Commissioner's Office (ICO) enquiries; and
- provided advice on risk mitigation strategies for improved management of cyber and privacy risks post-recovery.
We provided high quality, timely and compassionate advice and assistance to the client in responding to the breach from day 1 through to full recovery and post-recovery risk mitigation. All regulators closed their files without any penalties or investigations.
The CEO subsequently sent a thank you note and compliments, copying their broker, citing the outstanding incident response experience they received during a difficult and stressful time.
Cyber Incident Response
Post-Breach Cyber Readiness Assessment
Privacy Compliance Advising
Data breach emergencies
If you have experienced a data breach, whether through unintentional employee errors, employee data theft, or because you've been the victim of a cyber-attack, the first 48 hours are crucial. So don't waste any time, just get in touch.
Reach out, day or night.
If you don’t reach us straight away, we will get in touch ASAP!
Email us on [email protected]
Breach emergency Line: 02 8318 5980
Smart Commercial Lawyers
Delivering emotionally intelligent legal solutions
ablaw.com.au | [email protected]
Reception 02 8014 2511
Level 12, 111 Elizabeth Street
Sydney NSW 2000
Level 11, 456 Lonsdale Street
Melbourne VIC 3000
Rahiri Chambers
Level 10, Britomart Place
Auckland CBD