When a cyber attack hits your business, the first few hours are the most important. As soon as you are aware that attackers have struck, there are several equally important first steps to mitigating further damage, including locking down and containing the incident, investigating the cause and impact of the breach, and more.
A fast recovery is vital for restoring customer trust and limiting the reputational and financial damage that comes with reduced operations. Yet while 86 per cent of ANZ organisations said they expect to recover from a cyber attack within 24 hours, only 9 per cent of entities were able to match that expectation.
So how does a business navigate the difficult recovery process following a cyber attack? Cyber Daily sat down with Clyde & Co Partner and cyber risk strategist Simone Herbert-Lowe to discuss the importance of third-party assistance and legal counsel in incident response.
Thanks for joining us, Simone. So for those of us who aren’t legally savvy, can you explain what legal professional privilege is in simple terms?
Legal professional privilege protects confidential communications when their dominant purpose is to obtain legal advice or to prepare for litigation. If privilege applies, those communications and reports generally cannot be forced into the open in court or by regulators. This protection lets clients speak frankly with their lawyers and seek appropriate advice.
There are three practical points for non-lawyers to understand. First, a “privileged” label on a document is not enough; the real purpose and context must support the claim of privilege. Second, if a document serves mixed purposes, such as legal, operational and public relations, privilege can fail. Third, courts look to substance, not form, so keep legal workstreams separate, engage counsel early, and route sensitive investigative work via your lawyers.
Recent Australian cases, including Optus and Medibank, show how privilege can be lost when investigations and public messaging point to non-legal purposes behind the creation of sensitive documents.
So we know urgency is key following a cyber attack. Following a cyber incident, at what stage should legal counsel be brought in? Why is early involvement so important?
Legal counsel should be involved as soon as an incident is detected. Early engagement helps set the strategy, preserve legal professional privilege, and ensure the first technical steps and communications align with legal and regulatory obligations.
For example, in Robertson v Singtel Optus Pty Ltd, the Federal Court rejected Optus’ claim of privilege over a Deloitte report because the report was found to have served multiple non-legal purposes. Early and careful legal structuring of forensic work, engagement letters, and public statements makes it more likely that legal professional privilege can be maintained over sensitive documents.
After a cyber attack, organisations often face a maze of regulatory requirements. How does legal counsel help work out what needs to be reported, who needs to be notified, and when?
Legal counsel consider the relevant individual facts, including the potential implications of the breach against the terms of the Privacy Act and the Notifiable Data Breaches scheme, and sector-specific legislation such as the Security of Critical Infrastructure Act. A key consideration is whether personal information was accessed or exfiltrated and whether serious harm to individuals is likely. Lawyers then assist by advising who must be notified, by which time, and the content of notifications to regulators and public statements.
One of the benefits of working with a global firm like Clyde & Co is the ability to coordinate multi-jurisdictional notifications seamlessly. This approach ensures consistency across borders and spares clients the complexity and pressure of engaging multiple firms in different countries.
Once the immediate incident is under control, how does a cyber lawyer support incident response teams, the people working in IT, forensics and executive leadership?
Lawyers act as strategic coordinators as well as legal advisors. We align IT and forensic work with legal priorities such as evidence preservation and protecting legal professional privilege, and help the executive and board make risk-based decisions on containment, ransom considerations, law enforcement engagement, and stakeholder communications. We also ensure vendors are engaged on terms that support privilege and confidentiality.
For example, in the Optus litigation, public announcements by the company referring to an “independent external review” undermined the privilege claim because they pointed to non-legal purposes. Legal oversight of messaging and vendor scopes reduces the chance of privilege being challenged later.
Simone, when an organisation is dealing with a live cyber incident, how does legal counsel help preserve legal privilege and manage sensitive communications?
Lawyers structure the engagement so that investigative work is commissioned by the law firm. Scopes and protocols for third-party vendors are set, and sensitive communications managed. We guide what should and should not be written, mark and store materials appropriately, and ensure reports are prepared for the dominant purpose of legal advice or litigation.
So moving to post-incident and containment, once the dust settles after a cyber attack, how does legal involvement help limit the legal fallout and protect an organisation’s finances and reputation?
Legal assistance reduces risk by ensuring compliance with reporting obligations, protecting privilege, preserving evidence, shaping internal and external communications, and optimising insurance recovery. It also supports negotiations with third parties and customers, prepares the organisation for potential claims, and helps avoid penalties or enforceable undertakings. For example, there can be increased disclosure and litigation risk where a claim for privilege fails.
So what happens next? How does a cyber lawyer support post-incident activities, such as regulatory investigations, litigation, and improvements to incident response plans?
After containment and recovery, lawyers will prepare regulatory notifications on behalf of clients and manage regulatory inquiries, handle class actions and any third-party claims, and make claims for privilege. We run lessons-learned sessions, assist in updating the incident response plan, including stakeholder engagement, strengthen contracts and vendor arrangements, and help the board oversee improvements to governance and resilience.
Daniel Croft