Law firms cannot ignore risk of privacy class actions from their own clients
Professional services firms have “been caught out a little bit” when it comes to satisfactory protection of client data and other sensitive materials, argues one senior associate.
Law firms that – big and small – do not enact stringent cyber security measures and increase employee awareness about online dangers may find themselves confronted by a class action comprised of their own clients.
Speaking last week on The Lawyers Weekly Show, Clyde & Co senior associate Reece Corbett-Wilkins mused that, as a society, as individuals and (for some) as business leaders, we simply aren’t satisfactorily aware about the risks of data misuse and harvesting, and what the future implications are.
In the context of retaining confidential client information, protecting the data of those clients is fundamental for all lawyers, from those in big litigation practices to sole practitioners handling family matters, he said.
“We’ve acted for a number of different law firms and advising through these difficult scenarios, and there’s a couple that stand out: the first is obviously law firms that have market-sensitive information. You can understand, in that M&A transactions space, why that information would be a particular target for individuals to take,” he said.
“We’ve [also] had a couple of criminal law firms and family law firms where data has been disclosed online because somebody has been able to get into their systems and take it, and when you actually pull through the details, you realise that that law firms will have details of who have taken out AVOs, or who are defendants of AVOs.”
Another issue for law firms beyond data misuse from a privacy perspective, Mr Corbett-Wilkins continued, is that “as an ancillary part of our function, we either hold monies on trust for our clients”.
“So, we ultimately direct money used to flow between two parties to a transaction, and what we’re seeing at the moment is a huge amount of invoice fraud, where funds are effectively misdirected from the intended recipients to the criminal’s bank account purely because someone’s able to get into the law firm systems and ultimately change those instructions whether it’s an email or an invoice or whatever it might be,” he explained.
It was put to Mr Corbett-Wilkins that, based on such hypotheticals or even real-life scenarios, firms could face class actions from their entire client base if such data breaches were to occur.
“We are seeing at least claims being brought against law firms, particularly for that misdirection of funds, but also for loss of data,” he responded.
“It’s effectively about professional indemnity risk and saying to law firms, ‘You have an obligation to protect confidentiality. You have an obligation to provide services in a professional manner. And frankly, you failed to do so because you didn’t have appropriate systems or processes in place to protect the data’.
“I think the inherent difficulty is that lawyers are obviously all very intelligent and very able to deal with their subject matter expertise in a very good way, but there is a missing link with education around security frameworks that sit around all of the good work that we otherwise do to protect ourselves as a profession.”
This must apply to law firms of all sizes, he added, with so many legal entities delegating technological responsibilities to external IT service provides or hosting in-house teams to deal with such concerns.
“But, unfortunately, where law firms – and frankly other businesses as well – probably let themselves down, is that you might be able to outsource the care, but you can’t outsource the responsibility. And that’s the gap where this goes wrong,” he said.
Professional services firms across Australia, but particularly law firms, “have been caught out a little bit”, Mr Corbett-Wilkins mused.
“As lawyers, we ultimately owe it to ourselves, but also to our clients, to really educate ourselves around this and also educate our clients around this risk. It’s an ever-evolving risk,” he concluded.
“This is a risk that is going to continue to exist throughout our entire lifetimes of doing work, so it’s really something we just need to take a handle on now.”
To listen to the full conversation with Reece Corbett-Wilkins, click below: