Incident Response
Providing comprehensive, compassionate response to the challenges of data breaches
from day one through recovery and beyond
Our Data Breach Response Service
When cyber security incidents and data breaches happen, you need a fast, comprehensive solution to get you running smoothly again and address your legal obligations and risks. AB's Incident Response Service is designed to provide compassionate incident response services at affordable rates that keep the needs of your business in mind. Our expert team, working closely with specialist forensics providers, will guide you through the challenges of responding to a breach, whether it's ransomware, email compromises, digital frauds, accidental data mishandling or any other data emergency.
Our Incident Response Service covers everything you need in the event of a data breach. In an emergency, we are here to help from start to finish and through the post-breach recovery. Data breaches can involve a lot of complex legal issues from legal obligations under privacy laws, to contract management, regulatory investigations, third-party liability claims, insurance coverage, and crisis communications and reputation protection. Whatever the situation requires, our experienced technical lawyers are ready to help you get back on track.
Some of the key incident response services we provide include:
The first hours of a data breach are critical to effectively managing the impacts and reducing overall response costs. Having experienced assistance in managing an incident considerably mitigates the consequences of a breach. Our incident response services are based on team know-how, experience, advanced credentials, best practice strategies, and a risk-neutral approach that truly understands your business.
We work on:
- immediate actions to establish containment of the breach;
- risk mitigation measures to minimise dissemination of material;
- engagement with expert IT forensics;
- understanding the technical aspects of the breach through threat intelligence;
- alignment with authorities and stakeholder expectations;
- crisis communications support to minimise reputational harm; and
- implementation of protective measures against fines or private claims.
Besides being privacy experts, our incident response specialists have a deep technical knowledge of the law and technology. This is vital as the legal framework on data breaches varies substantially worldwide.
We also provide trusted relationships with the respective data protection authorities, which is a key asset in successful data incident management.
Data breach notification requirements vary substantially around the globe, not only on deadlines for reporting of the incident, but also on the required content and language of the notification. Data breaches often trigger the extraterritorial application of foreign privacy laws even if your business doesn't ordinarily do business in that country. We will help you determine:
- what notification obligations apply to the incident;
- which authorities in what countries have to be notified and when; and
- which local notification procedures apply and whether the information needs to be extended to affected individuals.
Our team members will draft and file necessary notifications, working with partner law firms in other countries as required, ensuring you comply with your legal obligations while aiming to minimise potential liability claims.
A cyber or data incident might also trigger contractual obligations. It is becoming standard practice for commercial customers, suppliers, and other business partners to incorporate data breach response clauses into standard contracts. Additionally, if you do business with a commercial entity that is subject to a foreign data protection law, such as the EU's General Data Protection Regulation (GDPR), you may have contracts that incorporate a Data Processing Agreement based on that country's Standard Contractual Clauses (SCC). Most countries' SCCs include substantial breach notification obligations.
We can support your evaluation of affected contractual relationships and the obligations you might have, in particular time-sensitive breach reporting obligations. Where necessary, we can coordinate with partner law firms overseas to assist with foreign language and notification duties.
Once a breach is over, there is still a lot of work to be done.
Post-breach remediation support is an important part of our Incident Response services. This can include:
- assisting with possible litigation and dispute mediation;
- uplift of your standard contracts to incorporate common cybersecurity and breach clauses;
- responding to subsequent communications with authorities, investigations, or challenging fines;
- establishing a roadmap for cybersecurity readiness improvement and improving technical and organisational Governance, Risk and Compliance programs across cybersecurity and privacy;
- obtaining cyber insurance; and
- responding to customer privacy requests such as Data Subject Access Requests.
Get a no obligation consultation
At Albrecht Burrows, we understand the complexity and urgency of cyber and privacy risks facing businesses today. Get a no obligation consultation with our experts to better understand how your business can increase your resilience to cyber and privacy threats and regulatory risks. Our team of experienced multidisciplinary professionals will work closely with you to create personalised risk management solutions tailored to your business' unique needs and budget. Don't wait until it's too late – schedule your no-obligation consultation today and take proactive steps towards protecting your business from cyber threats and privacy breaches.
Case Studies
1. Financial Institution Compliance: Our hybrid computer science – legal team members helped the client successfully map their current cyber maturity level and legal obligations, establish a maturity uplift roadmap in coordination with their IT provider, and worked with their insurance broker to complete accurate proposal form responses, resulting in the client successfully obtaining cyber insurance coverage for an affordable premium.
2. SaaS Company AI & Facial Recognition Compliance: We helped an Australian SaaS web app maker successfully navigate the complexities of international data protection laws as they apply to biometric information in retail virtual try-on technology, minimising their overall privacy and data protection risks and helping the company implement a sound multinational expansion strategy aligned to the client's risk tolerance.
3. Transport Logistics Incident Response: Working with a prominent logistics company, we provided timely and compassionate advice and assistance in responding to a devastating ransomware attack from day 1 through to full recovery and post-recovery risk mitigation, successfully returning the client to normal operations in less than one week with no regulatory actions or adverse media.
Meet Our Team
James A. Cole
Partner | Head of Cyber & Privacy
James is a lawyer, computer scientist, and criminologist practicing in cyber and technology, data protection and privacy, data breach response, and cyber insurance. With over 25 years of experience in information security and a multidisciplinary background, James combines technical and legal expertise to help clients navigate the complex and evolving cyber and privacy landscape.
James has handled hundreds of cyber and privacy breaches and is passionate about helping businesses build resilience to cyber and privacy risks.
Mark Anderson
Legal Consultant, Lawyer (NZ)
Mark is a highly awarded legal risk adviser and barrister. He is a leading expert in a variety of legal risk areas, including cyber, privacy and technology law.
Mark has provided incident response advice globally to clients in need, including those in Europe, Australia, New Zealand and across APAC, after developing global incident response panels drawing together legal, IT, Forensic and PR professions to manage cyber crises. He has managed some of the highest profile cyber breaches in Australasia.
Testimonials
What sets AB apart is their flexible and pragmatic approach - they share our values, our DNA, and they think outside the box. The team are highly skilled commercial lawyers who possess unparalleled expertise in regulatory areas, a deep understanding of business, and exceptional negotiation skills.
Regan Carey
Head of Legal and Compliance
Craigs Investment Partners
AB offers exceptional legal advice delivered by highly skilled and brilliant lawyers who are fantastic to deal with; personable, easy to talk to and compassionate. The commerciality of their advice is matched only by their commitment to simplifying the law and finding practical, creative solutions!
Tas Demos
Managing Partner
BDH Leaders
Data breach emergencies
If you have experienced a data breach, whether from unintentional employee errors, employee data theft, or because you’ve been the victim of a cyber-attack, the first 48 hours are crucial. So don’t waste any time, just get in touch.
Reach out, day or night.
If you don’t reach us straight away, we will get in touch ASAP!
Email us on [email protected]
Breach emergency Line: 02 8318 5980
Breach Prevention and Response
Privacy breaches can enliven a wide range of regulatory notification obligations. A lack of preparedness can also drive up the response costs. During a privacy breach, it is important to be able to quickly assess what personal information is impacted and who it relates to in order to conduct risk of serious harm assessments and comply with regulatory notification obligations.
With proper preparedness and planning, you can ensure your response is timely, efficient, and aligned to your legal obligations. This helps to minimise potential harms to impacted individuals and reduce the potential reputational harm to your organisation. Additionally, the more prepared you are, the lower the response costs. eDiscovery, the process to determine what personal information is impacted and to whom it relates, is one of the most expensive components of incident response activities. Access to a quality, up-to-date, and accurate data map allows you to rapidly exclude irrelevant data sources from eDiscovery activities increasing efficiency and reducing cost.
If you don't know what personal information is on a particular system, you may have to waste a lot of time and money ingesting that data source into eDiscovery just to find it wasn't relevant.
Efficiency in breach response is even more critical as the notification time requirements in data breach notification regulations are getting narrowed to as low as 72 hours. Preparation helps you avoid a late notification penalty.
Terms and Conditions
We are required by the Legal Profession Uniform Law (NSW) (Uniform Law) to set out the following terms of our engagement for your acceptance or further negotiation.
In these Terms, references to Albrecht Burrows, "we", "us", "our" refer to Alliance Legal Pty Ltd (ABN ) trading as Albrecht Burrows of Level 12, 111 Elizabeth Street, Sydney NSW 2000.
This document, together with our General Terms of Business, sets out the terms of our offer to provide legal services to you and constitutes our costs agreement and disclosure pursuant to the Uniform Law. The Terms and the Accepted Options in this Proposal form the entire agreement between You and Us during our engagement and any references to the "Proposal" in this document refer to both the Terms and the Accepted Option.
By accepting this Proposal as set out herein and below in the Terms, you agree that this Proposal serves as a binding Costs Agreement and Disclosure under Schedule 1 of the Legal Profession Uniform Law (NSW) between Albrecht Burrows and You for the provision of legal services and may be enforced in the same way as any other contract.
The prices quoted in the attached proposal are indicative prices only unless specified as fixed price.
Some services are on a recurring basis and will be charged on an ongoing basis in accordance with the selected billing frequency until cancelled in writing with one month notice. By selecting a recurring service you agree to be charged for the selected service amount, plus GST, until cancelled.
You will be proportionately charged for work involving shorter periods less than an hour. Our charges are structured in 6 minute units. For example, the time charged for an attendance of up to 6 minutes will be 1 unit and the time charged for an attendance between 6 and 12 minutes will be 2 units.
The agreed scope of work may include a fixed price. Where a fixed price is agreed, the following standard hourly rates charged by our professional staff will only apply to out of scope work. Where we have quoted a discounted hourly rate in the scope of work, the lesser of the quoted hourly rate or the following rates will apply:
(a) $650 plus GST for a Director, or Principal;
(b) $580 plus GST for a Partner, or Special Counsel;
(c) $450 plus GST for a Senior Associate;
(d) $380 plus GST for an Associate;
(e) $350 plus GST for a Solicitor; and
(f) $150 plus GST for a Paralegal.
Our rates are reviewed on a regular basis and may change during the course of a matter. In relation to lengthy matters this may impact upon our cost estimates (which may be revised accordingly). You will be given 30 days' notice in writing of any changes to our charge out rates.
Where you have been referred by a third party such as your insurance broker, IT provider, or accountant, we may pay them a referral fee. This fee is paid by us and is not an additional cost to you.
2.1 We may incur disbursements (being money which we pay or are liable to pay to others on your behalf). Disbursements may include search fees, court filing fees, process server fees, expert fees, witness expenses, travel expenses, transcript expenses and barrister's fees.
2.2 Where you instruct us to brief a barrister or other expert and they provide a disclosure and costs agreement we will provide this to you.
Our usual policy is to issue a tax invoice on a monthly basis or upon completion of a specific task or tasks. All tax invoices are due and payable 14 days from the date of the tax invoice. You consent to us sending our tax invoices to you electronically at your usual email address or mobile phone number as specified by you.
You may accept the Costs Disclosure and Costs Agreement by:
(a) signing and returning this document to us; or
(b) continuing to instruct us.
Upon acceptance you agree to pay for our services on these terms.
Interest at the maximum rate prescribed in Rule 75 of the Legal Profession Uniform General Rules 2015 (Uniform General Rules) (being the Cash Rate Target set by the Reserve Bank of Australia plus 2%) will be charged on any amounts unpaid after the expiry of 30 days after a tax invoice is given to you. Our tax invoices will specify the interest rate to be charged.
The Legal Profession Uniform Law (NSW) (the Uniform Law) provides that we cannot take action for recovery of legal costs until 30 days after a tax invoice (which complies with the Uniform Law) has been given to you.
It is your right to:
(a) negotiate a costs agreement with us;
(b) negotiate the method of billing (e.g. task based or time based);
(c) request and receive an itemised bill within 30 days after a lump sum bill or partially itemised bill is payable;
(d) seek the assistance of the designated local regulatory authority (the NSW Commissioner) in the event of a dispute about legal costs;
(e) be notified as soon as is reasonably practicable of any significant change to any matter affecting costs;
(f) accept or reject any offer we make for an interstate costs law to apply to your matter; and
(g) notify us that you require an interstate costs law to apply to your matter.
If you request an itemised bill and the total amount of the legal costs specified in it exceeds the amount previously specified in the lump sum bill for the same matter, the additional costs may be recovered by us only if:
(a) when the lump sum bill is given, we inform you in writing that the total amount of the legal costs specified in any itemised bill may be higher than the amount specified in the lump sum bill, and
(b) the costs are determined to be payable after a costs assessment or after a binding determination under section 292 of the Uniform Law.
Nothing in these terms affects your rights under the Australian Consumer Law.
If you have a dispute in relation to any aspect of our legal costs you have the following avenues of redress:
(a) in the first instance we encourage you to discuss your concerns with us so that any issue can be identified and we can have the opportunity of resolving the matter promptly and without it adversely impacting on our business relationship; and
(b) you may apply to the Manager, Costs Assessment located at the Supreme Court of NSW for an assessment of our costs. An application for assessment must be made within 12 months after the final bill in this matter was provided or request for payment made or after the costs were paid.
It is our policy that, when acting for new clients, we do one or more of the following:
(a) ask the client to pay monies into our trust account;
(b) ask the client for their credit card details.
Unless otherwise agreed with you, we may determine not to incur fees or expenses in excess of the amount that we hold in trust on your behalf.
You authorise us to receive directly into our trust account any judgment or settlement amount, or money received from any source in furtherance of your work, and to pay our professional fees, internal expenses and disbursements in accordance with the provisions of Rule 42 of the Uniform General Rules. A trust statement will be forwarded to you upon completion of the matter.
On completion of your work, or following termination (by either party) of our services, we will retain your documents for 7 years. Your agreement to these terms constitutes your authority for us to destroy the file after those 7 years. The authority does not relate to any documents which are deposited in safe custody which will, subject to agreement, be retained on your behalf indefinitely. We are entitled to retain your documents while there is money owing to us for our costs.
You will be liable for the cost of storing and retrieving documents in storage and our professional fees in connection with this.
We may cease to act for you or refuse to perform further work, including:
(a) while any of our tax invoices remain unpaid;
(b) if you do not within 7 days comply with any request to pay an amount in respect of disbursements or future costs;
(c) if you fail to provide us with clear and timely instructions to enable us to advance your matter, for example, compromising our ability to comply with Court directions, orders or practice notes;
(d) if you refuse to accept our advice;
(e) if you indicate to us or we form the view that you have lost confidence in us;
(f) if there are any ethical grounds which we consider require us to cease acting for you, for example a conflict of interest;
(g) for any other reason outside our control which has the effect of compromising our ability to perform the work required within the required timeframe;
(h) if in our sole discretion we consider it is no longer appropriate to act for you; or
(i) for just cause.
We will give you reasonable written notice of termination of our services. You will be required to pay our costs incurred up to the date of termination.
You may terminate our services by written notice at any time. However, if you do so you will be required to pay our costs incurred up to the date of termination (including if the matter is litigious, any cancellation fees or other fees such as hearing allocation fees for which we remain responsible).
Without affecting any lien to which we are otherwise entitled at law over funds, papers and other property of yours:
(a) we shall be entitled to retain by way of lien any funds, property or papers of yours, which are from time to time in our possession or control, until all costs, disbursements, interest and other moneys due to the firm have been paid; and
(b) our lien will continue notwithstanding that we cease to act for you.
We may in any manner we regard appropriate disclose the fact that we act or have acted for you, and the type of work but in doing so we will not disclose other confidential information.
Also, we may place an advertisement in an appropriate financial journal or industry journal at our cost after completion of the work, but only after obtaining your prior approval, which you must not unreasonably withhold.
However, if you request it now, we will make sure we do not disclose details of the work or your name to anyone except as necessary in the course of doing the work.
We share office space with BDH Leaders Pty Limited, a financial consultancy. Where We are providing legal services to you concurrently with you receiving services from BDH Leaders Pty Limited, services provided by BDH Leaders Pty Limited are not provided by Us and should not be relied upon as such. Our services are not, and should not be relied upon, as being provided by BDH Leaders Pty Limited. Our services are distinct and separate despite the use of shared office space. We take all reasonable steps to ensure the confidentiality of your information and legal matter.
You agree that we may use your logo on our website in the “Trusted by” section (or equivalent), and that we may refer to our engagement with you when speaking with external parties including potential clients. In addition, you agree that any testimonial(s) you give us can be used on our website and reproduced for other marketing and business development purposes including social media platforms and award applications.
These authorisations can be withdrawn by you in writing at any time.
We will collect personal information from you in the course of providing our legal services. We may also obtain personal information from third party searches, other investigations and, sometimes, from adverse parties.
We are required to collect the full name and address of our clients by Rule 93 of the Uniform General Rules. Accurate name and address information must also be collected in order to comply with the trust account record keeping requirements of Rule 47 of the Uniform General Rules and to comply with our duty to the courts.
Your personal information will only be used for the purposes for which it is collected or in accordance with the Privacy Act 1988 (Cth). For example, we may use your personal information to provide advice and recommendations that take into account your personal circumstances.
If you do not provide us with the full name and address information required by law we cannot act for you. If you do not provide us with the other personal information that we request our advice may be wrong for you or misleading.
Depending on the nature of your matter the types of bodies to whom we may disclose your personal information include the courts, the other party or parties to litigation, experts and barristers, the Office of State Revenue, PEXA Limited, the Land and Property Information Division of the Department of Lands, the Registrar General and third parties involved in the completion or processing of a transaction.
We do not disclose your information overseas unless your instructions involve dealing with parties located overseas. If your matter involves parties overseas we may disclose select personal information to overseas recipients associated with that matter in order to carry out your instructions.
We manage and protect your personal information in accordance with our privacy policy (which can be found on our firm website or a copy of which we shall provide at your request). Our privacy policy contains information about how you can access and correct the personal information we hold about you and how you can raise any concerns about our personal information handling practices. For more information, please contact us in writing.
We are able to send and receive documents electronically. However, such transmission is not secure and may be copied, recorded, read or interfered with by third parties while in transit. If you ask us to transmit any document electronically, you release us from any claim you may have as a result of any unauthorised copying, recording, reading or interference with that document, for any delay or non-delivery of any document and for any damage caused to your system or any files.
Where applicable, GST is payable on our professional fees and expenses and will be clearly shown on our tax invoices.
By accepting these terms you agree to pay us an amount equivalent to the GST imposed on these charges.
The law of New South Wales governs these terms and legal costs in relation to any matter upon which we are instructed to act.
Smart Commercial Lawyers
Delivering emotionally intelligent legal solutions
ablaw.com.au | [email protected]
Reception 02 8014 2511
Level 12, 111 Elizabeth Street
Sydney NSW 2000
Level 11, 456 Lonsdale Street
Melbourne VIC 3000
Rahiri Chambers
Level 10, Britomart Place
Auckland CBD