Cybersecurity gets legal

Published on the 23/04/2025 | Written by Heather Wright


Interim injunctions, class actions and ransomware payments…

Urgent interim injunctions, class actions and director exposures – welcome to the legal world of cyber risk, where managing legal risks arising from cyber-incidents is a key part of a cyber strategy and ransom payments are now ‘a reality’ despite advice against paying.

Simpson Grierson’s inaugural Cyber Risks report outlines current and emerging areas of legal exposure in what it calls an ‘inevitable’ area of risk for companies.

“Interim injunctions are the first line of legal defence and are becoming increasingly common.”

Cyber Risks – Be Prepared says court orders in the form of an interim injunction are the first line of legal defence and are becoming increasingly common in New Zealand.

Managed service provider Mercury IT, which stored data for organisations including the Ministry of Justice and Health NZ and suffered a ransomware attack in December 2022, is among those to call on urgent court orders to prevent ‘unknown’ defendants from accessing or using the stolen data.

While the orders prohibiting use and disclosure of stolen data are unlikely to deter the cyber criminals themselves, they can deter use and publication of the data by others, with the Office of the Privacy Commissioner describing them as a ‘valuable tool in the data breach toolkit’.

The report also warns that class actions – something yet to be seen in New Zealand in relation to cyber attacks or data breaches – are likely on their way. Australia has already seen such action underway or being considered for attacks including against Optus, Latitude Financial and Medibank.

The report says common features of the Australian actions which it expects to see replicated in New Zealand include claims that defendants failed to take appropriate steps to protect data, including because of inadequate cyber-security measures.

Legal ground for the claims, which often run alongside regulatory investigations and prosecutions, ‘include breach of contract, breach of consumer law, breach of confidence, breach of duty of care, breach of privacy legislation and, in the case of shareholder claims, breach of continuous disclosure obligations’.

Proving loss, however, could prove a stumbling block for many class actions. In June 2024, the Federal Court struck out a claim by an individual affected by the Latitude breach, saying he had failed to establish loss or damage, with the judge saying the applicant’s case ‘rises no higher’ than the allegation the personal data was made available to third parties who could engage in fraud or ID theft.

On the knotty issue of ransomware payments, the report notes that while paying a ransom will be illegal if it breaches sanctions regimes (and comes with heavy penalties of up to seven years in jail for individuals and fines of up to $1 million for organisations) and is advised against by the government, payment is still common. A CloudFlare report found 44 percent of Kiwi businesses that experienced a ransomware attack in the last two years paid the ransom – despite 89 percent having publicly pledged not to pay ransoms.

The report highlights three key factors that point to the legitimisation of ransomware payments, including published guidance from the Australian Institute of Directors to help boards decide whether to pay.

In Australia, companies with annual turnover exceeding AU$3 million will also be required to report ransomware payments to the Department of Home Affairs once the Cyber Security Act comes into force, which is expected to happen next month.

On both sides of the Tasman, insurers are increasingly offering ransomware cover which includes payment of the ransom alongside costs such as forensic experts.

‘Professional ransomware negotiators’ are available to handle comms with hackers, the report notes.

The report also cautions against being too quick with notifications of any breaches, warning that going too soon risks presenting regulators and affected parties with ‘a confused or panicked account of events and an unclear mitigation strategy’.

That can lead to increased distress for those impacted, reputational damage and unnecessary legal exposure, Simpson Grierson warns (while also being clear that the right agencies do have to be notified).

Companies caught in cyber attacks are warned not to play the ‘blame game’ and to manage their comms around attacks carefully, with those comms – ‘including unhelpful ones’ – potentially needing to be handed to plaintiffs or the regulator further down the track.

“For this reason, it is important that in the immediate aftermath of a cyber breach, careful communication protocols should be put in place. Circulation lists should be kept tight and documents, including emails, text messages and meeting minutes should avoid jumping to conclusions, speculating about the cause of the incident or casually apportioning blame.”

That carefulness continues further down the track with careful consideration required in areas including the documents created as part of any formal investigation into what went wrong.

Simpson Grierson warns cyber is also reaching its tentacles into the director and board spheres.

In Australia, ASIC has warned directors to step up their cyber involvement to ensure their organisation’s risk management framework adequately addresses cyber security risk and that controls are implemented, warning that the watchdog will bring charges against directors who fail to adequately prepare for breaches.

While New Zealand directors are yet to face legal action arising from cyber incidents, Simpson Grierson says overseas developments highlight that personal liability is a real and emerging risk for boards. The report notes potential exposure for breach of statutory duties – from failure to take adequate steps to prevent a breach, for example through a lack of appropriate cyber security policies or ignoring known risks or deficiencies, to mishandling the response to an attack, including failing to take adequate measures to contain or mitigate the effects of the breach.

Directors may also be personally liable under the Fair Trading Act for misleading representations about the security of systems or how their organisation manages and stores sensitive information – particularly in small companies where the director is the company’s ‘alter ego’ or where the director has taken personal responsibility for the accuracy of representations.

Directors could also be liable for breaches of continuous disclosure obligations, the report notes.

While there is no one-size-fits-all approach to managing cyber risk at a board level, Simpson Grierson says international case law and regulatory guidance contain common themes, including having a risk management framework with risks and risk management measures regularly reviewed, having adequate cyber security measures in place (consider using external audits) and acting swiftly to address deficiencies and weaknesses.

Having cybersecurity as a regular agenda item for the board and looking at the supply chain are also among the recommendations, along with having emergency response plans, having a pre-established stance on whether to pay ransoms and running regular table top cyber breach simulations.

“Organisations should prepare for the worst and have in place a cyber-breach response plan to mitigate damage and preserve business continuity,” the report says.
