Risk of privacy class actions heightened in wake of COVID-19
Australian law firms and businesses currently have a “grace period” for data mishaps, but anything less than proactive cyber security and privacy measures will not be forgiven post-pandemic.
In the wake of the global coronavirus pandemic, organisations were “forced to rapidly change” the way they did business, including but not limited to employees working from home without the benefit of face-to-face contact with their colleagues or clients, remotely accessing corporate systems using personal devices on home Wi-Fi networks, and using new and unfamiliar communications and file-sharing platforms to do business.
All of these changes, Clyde & Co senior associate Reece Corbett-Wilkins said, represent increased cyber security and privacy risk.
“In taking ‘reasonable steps’ to protect data, law firms (and Australian businesses) may well be ‘excused’ for any immaterial data privacy mishaps that occur as a result of this rapid disruption to traditional business models,” he warned.
“However, this ‘grace period’ will not extend forever, and organisations need to ensure that they are proactively addressing cyber and privacy risk while operating in the current fractured business environment.
“This is particularly so as Australia embarks upon a ‘return-to-work’ transition over the next couple of months, with some employees continuing to work remotely either by choice or as a result of future coronavirus outbreaks.”
Scope for privacy class actions post-pandemic
In October of last year, Mr Corbett-Wilkins spoke on The Lawyers Weekly Show about professional services firms having “been caught out a little bit” when it comes to satisfactory protection of client data and other sensitive materials.
Australian firms and businesses that do not enact stringent cyber security measures and increase employee awareness about online dangers may find themselves confronted by a class action made up of their own clients, he submitted.
These risks, he posited, have not simply gone away.
“Just last week, we saw a high-profile US law firm attacked by a well-known cybercriminal group behind the sophisticated ransomware strain called ‘REvil’. This strain of malware traditionally encrypts systems and data so the threat actor group can extort money in return for decryption keys. However, this ‘threat actor’ group also takes it one step further by threatening to release data taken from targeted systems if the ransom demand is not paid. These ransom sums are significant, often in the hundreds of thousands if not millions of dollars – in this case US$21 million. The law firm did not pay, and the ‘threat actor’ group disclosed 2.4GB of data relating to a number of famous celebrities on the dark web,” he outlined.
“Many will think that this type of high-profile event does not impact ordinary Australian businesses. Sadly, that is not the case, with at least three Australian organisations dealing with this exact scenario right now.
“We expect this trend of ‘big game cyber hunting’ to be a recurring theme for 2020. For law firms, where a cyberattack involves threatened or actual data disclosure (as is increasingly the case with ransomware attacks), in addition to business interruption and financial risk, the event represents significant privacy, confidentiality and reputational concerns. Depending on the circumstances, it may even amount to professional conduct risk.”
Necessary steps to safeguard the firm or business
There has been a “sharp increase”, he continued, in COVID-19-related phishing and malware scams, business email compromise and invoice fraud attacks, and ransomware events traceable back to COVID-19 business environment factors.
“In respect of law firms specifically, we have recently seen a rise of ‘person in the web browser’ malware attacks over the past three weeks. This malware gives the threat actors access to a law firm’s online banking where payment information is manipulated, resulting in trust account fraud being committed. If firms identify anomalies in trust bank statements, they should contact their bank immediately to lock down the account, deploy threat monitoring tools to detect and block the malware, and conduct a wider investigation,” Mr Corbett-Wilkins detailed.
“Generally speaking, all businesses should educate their employees about how to spot a phishing email and to remain hypervigilant to anything relating to COVID-19. In reducing the risk of payment fraud, all employees should call (or video call) the sender of any electronic communication and confirm the bank account details provided are correct. This extends to anything from creditor and debtor invoices, to less obvious examples such as the bank account details included in settlement deeds and financial transactions.
“From a systems perspective, organisations should ensure that any online system that their employees or clients use to access, share or store data is secured by multifactor authentication and strong passwords. Employees should also not use ‘personal’ online accounts (such as personal email, or cloud storage accounts) to store work-related documents. Organisations should clean up this ‘data leakage’ as part of the return-to-work process to ensure that all confidential client documents are safely resecured within the corporate network environment.”
Over the last six months, there has “been a flurry of activity which will test Australia’s privacy and class action laws and appetite of plaintiff law firms and litigation funders to pursue such actions”, Mr Corbett-Wilkins proclaimed.
While actions such as the NSW Ambulance privacy proceedings and actions brought against Australian telcos will continue to test the bounds of privacy law, he mused, “at the same time, we are seeing increased pressure around regulating the litigation and class action industry which will likely have an impact on the appetite for pursuing privacy class actions”.
“There is currently a parliamentary inquiry on foot addressing these issues, with the report due [on] 7 December 2020. Last week, the Treasurer announced that it will be introducing new regulations to require litigation funders to hold an Australian Financial Services Licence and comply with the managed investment scheme regime,” Mr Corbett-Wilkins said.
“Further, in December 2019, we saw a number of key High Court decisions strike down the use of common fund orders which may [impact whether] actions are deemed uneconomical and worth pursuing if there is not sufficient sign-up from class members.
“This is an interesting space to be working in, with the legal and risk landscape constantly changing. When we speak again in six months, it will be interesting to see how it all plays out.”