Spying case raises questions of liability
Allegations that Australia spied on a US law firm have cast a spotlight on the extent to which a firm is liable for a security breach.
Former NSW legal services commissioner Steve Mark (pictured), who now runs a professional services consultancy, told Lawyers Weekly that firms are almost always legally bound to protect client information from security breaches, including third party surveillance.
His comments follow reports that the Australian Signals Directorate listened in on the communications of an unnamed American law firm while it was representing Indonesia in a trade dispute with the US, according to a document obtained by the New York Times.
Chicago-based global firm Mayer Brown, which The New York Times reported was advising Indonesia at the time, said there was no sign that the firm was the target of the alleged surveillance.
While a case like this is rare, Mark maintained that the threat of surveillance was a reality for law firms.
“Most of the attacks on law firms – and they are happening – are for commercial information,” he warned.
The ethics rules of the American Bar Association require lawyers to “make reasonable efforts” to protect confidential information from unauthorised disclosure to outsiders.
While there is no such explicit rule in Australia, the fiduciary lawyer-client relationship creates legal duties under general law, said Mark.
“The problem that lawyers have is that they get so used to referring to rules.
“Common sense must prevail ... lawyers have a definite duty to maintain the confidentiality of client information and there are only extreme circumstances where that can be overridden.”
An example of an “extreme circumstance” is if a client discloses to their lawyer the intent to commit a crime.
Mark urged firms to devote more resources to shielding client information from prying eyes and other security breaches. The disposal of computers is just one area where firms are not taking adequate precautions, he added.
“You can go to a tip and find out as much as Assange knows because the only way to destroy what’s on a computer is degassing it, demagnetising it or melting it.
“Most firms simply wipe [a computer] and give it away, but there’s still information on it.”