Johnson Zhuang

Full Profile

Johnson advises a variety of clients on cyber incident response, data protection liability and cyber coverage issues.  Qualified in New Zealand, he not only has experience advising on GDPR liability and dealing with the ICO in the UK, but also has experience providing advice on the New Zealand Privacy Act and dealing with the Office of the Privacy Commissioner in New Zealand.

Johnson’s experience includes acting as breach coach following major cyber incidents, and notable instructions include acting for a global retailer following a business email compromise resulting in USD850,000 in misdirected funds, acting for insurers and insureds following large scale cyber incidents such as the Kaseya VSA and MoveIT breaches, and acting for insurers and providing coverage advice for the largest ransomware incident in New Zealand. Beyond advising and dealing with regulatory engagement, Johnson also has experience advising on law enforcement engagement and dealing with post-incident claims for damages.

Johnson has also completed a long-term secondment with a major global insurer in New Zealand, giving him valuable insight into what insurers require to ensure efficient claims handling and client service.

Johnson is admitted as a Barrister and Solicitor to the High Court of New Zealand.
 

Experience

• Cyber – providing regular advice to organisations based outside of the UK/EU regarding the extraterritorial scope of the GDPR (Article 3).
• Cyber – providing regular advice to organisations on the mandatory reporting obligations pursuant to the GDPR (Articles 33 and 34).
• Cyber – regularly acting as breach coach for companies following any cyber incidents and personal data breaches, including notifications to and engagement with regulators including the Information Commissioner’s Office, Financial Conduct Authority, and the Solicitors Regulatory Authority. 
• Cyber – Acting as breach coach following a ransomware incident on security and access card company, including engagement with regulators and law enforcement, dealing with arising claims, and engagement with data controllers.
• Cyber – Acting as coverage counsel following a ransomware event on a major healthcare provider in New Zealand, being one of the largest ransomware events in New Zealand to date.
• Cyber – acting for a US multinational non-profit following the disclosure of its donor list (including GDPR Special Category Data), including providing Article 3 GDPR advice, and coordinating the subsequent notification to the ICO and 16 separate EU regulators.