Debunking cyber fears: How to minimise cyber vulnerability in the practice of law
The pace of development in modern legal practices is a reflection of societal norms, as well as the particular style of the practice owners. In law, many of us fear “the cloud” or other modern technologies that replace traditional and reliable paper files, books, and methods, writes Wise Law’s EJ Wise.
While most practitioners are busy with the myriad elements in running or participating in a modern legal practice, it is easy for fundamental data obligations to remain unchecked.
This is certainly evidenced by the new reporting being collated by the Office of the Australian Information Commissioner since the changes to the Commonwealth Privacy Act 1988 in 2018 which showed that the legal industry ranked third (out of the top five industry sectors that reported privacy breaches) in the quarter from 1 July–30 September 2018.
Technologies and their coincidental obligations have brought legal practices under the spotlight as places of business holding distinctly private, personal, proprietary, strategic and privileged information or data.
Legal clients and society reasonably expect that you as a practitioner are fulfilling the continuing professional development requirements of your state or territory (i.e., so you are not considered negligent in your area of practice).
Legal clients and society expect you and your firm to maintain physical filing, storage, cyber and computing infrastructure in a way that exceeds or, at minimum, complies with industry standard and government laws and standards (i.e., so you are not negligent in your obligations in collection and holding of personal data).
What is my ‘industry’ [law firm] standard for cyber security?
In February of 2018, the Office of the Australian Information Commissioner released ‘A Guide to Managing Data Breaches in Accordance with the Commonwealth Privacy Act 1988’. This guide provides easy to read information on how:
• the Privacy Act applies to law practices;
• the 2018 changes to the Privacy Act affect legal practices;
• to identify examples of breaches;
• to find information related to:
‣ getting a greater understanding of the Privacy Act [Parts 1 and 4 of the guide];
‣ preparing a data breach response strategy [Parts 2 and 3 of the guide];
‣ how to respond to a data breach [Part 4 of the guide
– specifically the mandatory data breach reporting and assessment requirements of the National Data Breaches (NDB) scheme].
Legal practices that have successfully remained largely paper-based have the same duty of care as those who have embraced information technology and data back-ups to hardware or ‘the cloud’ (hardware you don’t see). For paper-based legal practices, there are different measures required. Having an offsite storage facility is not a definitive answer unless that facility has its own adequate security. Having on-site storage of paper files, without any duplicates or scanned copies held safely offsite, may not be sufficient to meet the duty of care – what if there is fire or flood? Does the practice insurance policy cover liability for loss of personal data or cyber theft above and beyond the standard policy cover for bricks and mortar/ fixtures and fittings?
Much of meeting the demands of legal practice, complicated as it is by the need for internet safety, proper data/information practices, and respect for the requirements of privacy laws, will be satisfied by your due diligence. For the busy practitioner, this involves ensuring you have at least an awareness of your obligations, are performing risk management (or having it performed for you) and are determining what your minimum effort / best approach for your practice is.
A pragmatic legal practitioner might ask ‘well, what can I get away with?’ The area of cyber law and litigation remains relatively untested in Australian courts; however the principles of privacy, client rights, duty of care and due diligence are well-established. A court would balance what a practice did (positive actions to respect privacy laws, guidelines and so forth), failed to do (actions which a client or member of the public would reasonably expect to be done on their behalf), or were negligent in failing to do.
A court would look at what information was easily and practically available for the practice (see reference list below, a large amount of which is free). A court would most likely consider whether the practice had:
‣ performed its own risk assessment and managed accordingly;
‣ appointed person(s) to be responsible for managing data/information/privacy/ technology within the practice;
‣ conformed with the relevant practice guidelines on cyber from bodies such as the Law Council of Australia, the Victorian Legal Services Board + Commissioner, the Law Society of NSW, the Law Society Northern Territory, the ACT Law Society, the Law Society of Tasmania, the Queensland Law Society, the Law Institute of Victoria, the (Victorian) Legal Practioners’ Liability Committee, the Australian Cyber Security Centre’s ‘Stay Smart Online’, the Australian government Department of Industry, Innovation & Science’s business, and the Office of the Australian Information Commissioner; and
‣ adequately discharged their basic duty of care.
In the context of all the freely available information, it would be challenging to argue that it was too hard, too costly or too time-consuming to have one’s legal practice compliant with laws, policies and guidelines.
It is parallel to the practice’s own interests (economic, social, ethical) to know about, and implement, these fundamental cyber safety precautions because even with adequate cyber insurance (again not a well-tested area in Australia), the insurer may deny a claim where there was clearly a failure to implement proper cyber safety and, indeed, insurance policies, as this area matures, will likely require proof of basic risk assessment and/or practice policies.
Furthermore, larger clients will require some level of coverage for cyber perils (thus triggering due diligence to determine premium costs).
I am resource and time poor
Even the briefest risk assessment will reveal that this is not window dressing. If one weighs the relatively low investment of time and money into decent cyber safety against the high loss/high risk outcome of having inadequate cyber safety, the practice investment into cyber safety is elementary.
Cyber safety is a fundamental component of modern legal practice – it is a business function akin to accounting and human resources.
What kind of penalties or litigation could I, or my firm, be exposed to if I opt to do nothing?
In Australia there has so far been less litigation than presently occurs in the USA and in the UK. In these overseas jurisdictions data breach/cyber theft has led to breach of contract, negligence, and class actions. This is not to say that class actions and private law suits are not possible in Australia, and as discussed above, the only answer to litigation will be the diligent application of readily available basic cyber safety.
Aside from potentially devastating reputational loss, every, and any, breach of personal data/information has the potential to result in litigation above and beyond any Commonwealth and state/territory law penalties. There is some case law jurisprudence in Australia for breach of confidence litigation, plain ‘negligence’ litigation and although Australia has not yet recognised a tort of privacy, Australia has previously adopted jurisprudence and case law from foreign jurisdictions as guidance.
My advice: do not be the legal practice ‘cyber fail’ test case for Australia. After the breach is not the time to test just how far your relationship with your partners/law firm extends in terms of shared liability, contributory negligence and vicarious and/or fiduciary liability.
1. Establish a base line for your legal practice – a stock take – of your software, data/information & technology practices;
2. Perform a risk management analysis of your cyber security (see free Australian government Risk Assessment Tool below, Ref. 3);
3. Ensure the data/information (including trust account/banking) you collect from your clients conforms with the Commonwealth Privacy Act 1988 and relevant state/territory legislation;
4. Ensure that your law firm insurance policy includes adequate cyber insurance specific to the data you collect and hold, this may require more than the mandatory professional indemnity insurance required by your state/territory law society or board;
5. Ensure that your practice complies with the National Data Breaches Scheme, relevant recommendations of the Law Council of Australia any further applicable state/territory statutory obligations;
6. Refer to the Law Council of Australia and additional websites (cited below) to ensure you have properly minimised your firm’s and your own vulnerability to avoidable cyber pitfalls.
7. Understand that actively managing cyber risk means regularly reviewing your contracts and the practices of all the third and nth party vendors used by you and those who provide services to your practice and/or its clients.
EJ Wise is the principal of Wise Law in Melbourne, and provides cyber law advice to law firms and legal professionals.