Speaking recently on The Boutique Lawyer Show, she outlined best practice for small firms in regard to the evolving cyber landscape and urged smaller firms to implement policies now to ensure that they are as prepared as they can be.

In terms of the state of affairs within the cyber market following the recent Optus and Medibank data breaches, Ms Herbert-Lowe said that these data breaches “at scale” come with a number of impacts, which stem, at least in part, to the ability to keep and store records digitally.

There are also a number of proposed amendments to the Privacy Act that the government is looking to implement following these breaches, which Ms Herbert-Lowe said boutique firm owners need to be across.

“What has really come out is that awareness in the community that data breaches can actually cause people serious harm. So, in some of those breaches, we’ve seen, in one case, health information being disclosed, very sensitive information. In the other one, information that can be used to commit identity fraud against people because, of course, you don’t need to necessarily go into a bank now to open a bank account or a credit card; you can do it online.

“So, if you have people’s information in a digital form, you can potentially do that. So, the government has announced reforms to the Privacy Act to really underscore the importance of businesses complying with it. They’ve increased the penalties from just over $2 million to announce that they will go up to as high as $50 million, but they’ve also said they will get rid of the small business exclusions,” she explained.

“Currently, businesses or organisations with less than $3 million annual turnover don’t need to comply with the Privacy Act, but the government has said they intend to get rid of that exemption so that they will. So that will certainly apply to law firms as well. And also, law firms will have to understand it because they’ll probably need to advise their clients about that as well.”

Many organisations will also run a limited liability scheme, which Ms Herbert-Lowe said caps a company’s liability if they are sued in certain circumstances.

VIEW ALL

“Typically, a solo practitioner might have a liability cap of $2 million, say. But what not everyone is aware of is that that cap doesn’t apply to actions for breach of trust or breach of fiduciary duty, and that’s really important in this area because with the funds transfer frauds that we’ve seen impacting the legal profession, quite often their actions for breach of trust, which can be very difficult to defend if you’ve paid money out of trust in error,” she said.

“Now, let’s say you are a property lawyer, a commercial lawyer, and you are in an area of practice where the settlements you’re dealing with might be $10 million, say, and you think you’ve got $2 million worth of insurance, as you’re required to have to practice as a solicitor, and you’ve got this liability cap. But in fact, if you pay money out of trust in error and it’s $10 million, that’s not going to be capped by the limited liability scheme.

“So, you will want to have thought about whether you need to have top-up insurance to cover you in that situation because, unfortunately, it could be your own assets at risk as well. So it’s really important that people understand that, particularly in this area, where we’re talking about that money going out of trust accounts.”

And particularly with the dangers of cyber attacks becoming more and more critical to firms, Ms Herbert-Lowe urged boutiques to “do the urgent thing” in way of preparation for potential threats moving forward.

“A lot of those processes I don’t think are particularly time-consuming. What I would hate to see is people think it’s so complex and hard that they don’t actionise things when really, only a few things, like having that process about always checking instructions received by email using a phone call, implementing multifactor authentication, having a warning on documents that your clients see about email fraud can go a long way to protecting you.

“And I am someone that has dealt with people who’ve been impacted and spoken to people, and it can be quite heartbreaking, and these aren’t really big things to do to prevent potentially really serious loss to either yourself or your clients,” she added.

“I think what’s also really, really important, whether it’s a law firm or any other business, is that people and business owners don’t think this is something that I don’t take responsibility for that someone else does. I think, increasingly, all this stuff around cyber will just be seen as just normal business risk, right? Just something that you have to do when you run a business.”

The transcript of this podcast episode was slightly edited for publishing purposes. To listen to the full conversation with Simone Herbert-Lowe, click below: