According to the latest Office of the Australian Information Commissioner report, the Australian legal sector is the second-most breached sector, after the healthcare industry. Moreover, 33 per cent of all reported breaches were a result of human error.
Since the Notifiable Data Breaches (NDB) scheme came into effect last February, the legal sector has consistently remained in the top three breached sectors in all quarterly reports, noted Mimecast COO Ed Jennings.
“Due to the value and sensitivity of client data, it continues to be highly sought-after by cyber criminals. As every legal firm knows, the privileged information they hold on behalf of clients, and exchange in correspondence, is particularly sensitive and it is imperative that legal professionals and clients can securely share and store this information,” he said.
“Client data management is integral to the continuity of any legal practice and, if breached, can destroy reputation and trust.”
The report from the OAIC also raises real questions for the legal sector as to why it features so prominently compared to other industries, he posited.
“From our analysis and other research that we see, it’s because these organisations manage trusted, high-value information on behalf of their clients. Naturally, this is of interest to criminals looking to gain client information as well as commercial and trade advantage through theft.”
When asked what more lawyers and firms need to do to decrease risk, Mr Jennings said that, for the most part, legal professionals understand their obligations under the Notifiable Data Breaches scheme and the European Union’s General Data Protection Regulation.
In a world where cyber attacks have become the norm, he mused, law firms “must remain vigilant and adopt crucial security practices” as part of their fundamental business practices.
“When it comes to managing mass amounts of sensitive client data and adhering to global data regulations, law firms need to think beyond traditional, defence-only security and implement a holistic plan,” he explained.
“The plan must embody advanced security, continuity and data protection and every legal organisation should be able to demonstrate that they have proper controls over the processing and security of personal data, including how it is stored, kept up-to-date, accessed, transferred and deleted.”
“We are seeing an increasing number of legal practices investing in cyber security awareness training and embedding it into the culture of the organisation. While the consequences are known, the stakes are higher for law firms whose businesses rely on the trust and privileged information they hold.”