.webp)
Legal leaders discuss data risk at Relativity Fest Sydney
At Relativity Fest Sydney, three prominent legal and technology experts took to the stage to discuss how organisations can stay ahead in an era of increasingly complex data protection laws and escalating cyber risk.
The panel included Jason Symons, Partner at Mills Oakley; Simone Herbert-Lowe, Founder of Law & Cyber Pty Ltd; and James Odell, Co-Founder and Managing Director for Australia & APAC at Elevate.
The discussion was moderated by Matt Preyss, Product Marketing Manager at Relativity.
Together, the panellists unpacked what today's risk landscape looks like, what organisations are getting wrong, and how AI and purpose-built tools like Relativity aiR for Review are shifting the way breaches are managed.
Sweeping reform, real consequences
Symons, who has acted in more than 300 data breaches, said Australia has finally reached a turning point on regulatory reform.
"We finally saw the first signs of our Privacy Act, even though it's dated 1988, actually join the current world," he said.
He noted that organisations now face a tiered system of penalties if they fail to notify breaches, and that the Privacy Commissioner has stronger enforcement powers. "It's the start of legislative reform we've been waiting on for a while," he added.
The new Cyber Security Act also sends a clear message that the government expects more from organisations when it comes to managing cyber threats. "The community's kind of had enough of being victims of data breaches that impact them financially and in other ways," said Symons.
Herbert-Lowe highlighted that it's not just the laws that are changing, but also the regulators' appetite for action.
"We've gone from no fines to huge ones," she said, referencing the Australian Privacy Commissioner's civil penalty claim against Medibank. "She's claiming $2 million for every single breach for every single person - so the cumulative fine, in theory, is $3 trillion."
She also flagged new digital ID legislation as a potentially transformative development. "If people don't have to collect data, then you don't have a breach," she explained.
Common mistakes and costly delays
James Odell, whose company Elevate manages around 300 data breaches at any given time in Australia and New Zealand, stressed that timing is everything. "If you start thinking about a data breach when it happens, you have no chance of complying," he said.
The biggest mistake? Not having a breach response solution or supplier already in place. "Decision time is over - it's pure execution time. It's a drill," Odell said. "Being prepared helps with compliance. Know who you're going to use. Have your contracts ready."
Herbert-Lowe pointed to the value of tabletop exercises to uncover hidden issues. "In one of my cases, the CEO said, 'Are you telling me we still have resumes for people we didn't hire 20 years ago?'" she said. "People just don't know where their information is."
That type of shadow data – forgotten, ungoverned, and often still stored - is a growing contributor to breach complexity, according to the panel.
The AI shift and human impact
Artificial intelligence was another major focus during the panel session.
With organisations like Shopify reportedly requiring teams to justify any new hire unless AI cannot do the role, panellists were asked how the rise of automation is reshaping legal work and cyber response.
Symons cautioned against reducing people to their potential to outperform machines. "It's disappointing to hear a human being compared to technology," he said.
"I prefer that the technology be offered to the human, and then ask: what can you bring to the table if we provide this tech?"
He also noted how AI is already shifting the workload within legal teams. "Five years ago, doing a data breach review was very human-heavy," he explained. "Now, her [a team member's] role doesn't start until we're two or three stages into what used to be stage one."
Odell, originally trained as an aeronautical engineer, has helped lead Elevate's evolution from manual review to machine-led efficiency. "Our average call rate for a data breach is about 93% digital," he said. "The human element has already been squeezed to about 7%."
But rather than replacing people, Odell said AI is enabling teams to do more with less. "It's not about making people redundant – it's empowering the people that we have to achieve far more," he said.
Herbert-Lowe also warned of real risks where lawyers misuse generative AI tools without proper understanding.
"There are disciplinary cases before solicitors at the moment for not understanding that it's not always accurate," she said. "And certainly that's happened in the US as well."
A proactive approach to a reactive world
Preyss reminded the audience that when a breach hits, scale doesn't change the clock. "Whether it's 1,000 people or 15 million, those timelines don't change," he said.
From regulatory pressure to the operational demands of breach response, the panel made one thing clear: there's no room left for complacency.
As Odell put it, "You do not want to be making any decisions when you get breached."
