Kieran is the Head of Cyber, Privacy + Technology. He is often the first person our local and London-based clients turn to following a cyber-attack.
Kieran helps clients respond to complex cyber incidents, including matters that involve highly sensitive breaches and cyber-attacks, some of which have been widely described as “crippling” and the “most significant in Australian corporate history”. His work spans assessing and monitoring incidents, setting up and managing data breach response vendor teams, and managing cyber claims across a wide range of incidents from ransomware attacks to email compromises.
As part of the cyber practice, Kieran advises on federal and state privacy law compliance and compulsory notifications. He also acts as a cyber breach lawyer for first and third party cyber risks, including defending claims against businesses and government agencies resulting from a breach. More broadly, Kieran defends IT managed service providers in professional liability matters, many of which involve cyber incidents.
Kieran also has one of the largest cyber coverage practices in the market, advising insurers on the most important and significant incidents in Australia.
Kieran’s work often involves incidents affecting multiple jurisdictions (including GDPR issues). In this global role, Kieran is an active contributor to thought leadership in Australia and takes part in global panels and seminars.
Cyber, Privacy + Data Security
- Acting for insurers in two cyber-attacks involving a major Australian company, which have been widely described as “crippling” and the “most significant in Australian corporate history.
- Acting for a services business in a highly sensitive ransomware attack, which had the potential to damage the business’ reputation with its professional services clients.
- Acting for an international not-for-profit organisation in a cyber attack that involved the theft and online publication of data.
- Acting for a government agency in multiple business email compromises, involving substantial data breaches requiring notification to individuals and third party organisations.
- Acting for a not-for-profit financial counselling service regarding an Office 365 cyber incident involving the exfiltration of more than 3,000 emails containing 1,000 personal records. The breach included sensitive information serious enough to warrant seeking an exemption from the OAIC for not notifying certain individuals given an increased risk to other clients.
- Advising both insurers and insureds on cover for first party hacker damage claims made by small to medium accountancy firms that have suffered ransomware attacks or business email compromises.
- Advising a major insurer on coverage issues arising from a breach, which resulted in cryptojacking by the hacker over an extended period of time.
Privacy
- Acting for a government agency in a matter involving the theft of data from a zero day exploit, which included notifying the relevant regulator.
- Acting for a not-for-profit organisation that suffered the theft of physical documents containing sensitive personal information, which involved notifying the relevant regulator and individuals.
- Acting as the data breach and privacy lawyer advising an insured school. The matter involved the unintentional disclosure of the personal data collected and maintained on a number of students at the school, including sensitive health information requiring notification to the OAIC and parents.
Education
- W+K were engaged to provide legal advice to a Melbourne private school in relation to a ransomware attack suffered in 2023. We worked closely with the forensic experts engaged to advise the School on its legal obligations in relation to the incident. The School suffered a significant downtime following the incident whilst the systems were restored. An important aspect of our work was to assist drafting communications to the School board, staff, parents and students regarding the incident, with a key focus on risk and reputation management. Fortunately, there was no evidence of unauthorised access to files containing personal information of students or staff. As such, we ultimately determined the incident did not constitute an eligible data breach under the Privacy Act, so formal regulatory notification was not required.
- W+K provided incident response services to an Australian University in relation to an email incident resulting from human error, which involved email recipients being inadvertently cc’d instead of bcc’d. The email was sent to vulnerable individuals who were receiving services from a University research centre. In our role as incident response manager, we provided advice and guidance to the Insured on next steps, including a consideration of the mandatory data breach scheme under the NSW State Privacy Legislation which recently became mandatory in November 2023, which now aligns closely with the Federal notification scheme.
- Cyber + Technology Risks
- Cyber, Privacy + Data Security
- Healthcare + Life Sciences
- Professional Liability
- Technology Liability
- Technology + Cyber
- Financial Institutions + Services
- Professions + Business Services
- Small Medium Enterprises (SMEs)
- Australian Insurance Law Association
- Australian Professional Indemnity Group
- Law Society of NSW
- NSW Claims Discussion Group