Evaluating cyber security measures as firms emerge from lockdown

The advent of COVID-19 and consequential WFH arrangements have highlighted how important it is for boutiques to have stringent cyber security measures in place.

Jerome Doraisamy 14 May 2020 SME Law
EJ Wise and Sophie Bradshaw

Sole practitioners and boutique firm leaders will have had no shortage of professional concerns during the global coronavirus pandemic, including but not limited to cash flow, business continuity, adapted client service delivery and accommodating staff needs remotely.

With almost all lawyers around the country forced to work from home and rely more heavily on domestic and individual systems, cyber security concerns will – or should – have been front of mind for practitioners.

However, when asked how SMEs will have managed their cyber security during this time, WiseLaw principal EJ Wise said, “they won’t have”.

“Emergency planning rarely includes non-life-threatening secondary considerations such as cyber security. Frankly, most were happy if they were able to make the transition to virtual and I echo that sentiment,” she reflected.

Looking more broadly across the profession, Sophie Bradshaw – a senior privacy and digital lawyer – said that firms and legal departments will have looked to manage cyber security issues amid the pandemic as an extension to existing arrangements.

That said, there has been a “broad spectrum in terms of preparedness and management of privacy and data security issues” in this time, she said, given the need to rapidly move to remote working.

“For some, this has been relatively easy and the issues have been more around providing staff with hardware and training to support working from home,” she explained.

“Whereas for other firms or teams that have not generally worked remotely, it’s been more challenging to quickly implement the systems, security and policies needed to support their remote teams.”

Reflecting on cyber security measures during the pandemic

Looking back on the actions that had to be taken as the profession was forced to up-end physical working environments, Ms Wise noted that “we all needed to react”.

“For some law firms and businesses that were already what I refer to as ‘distributed’ (or remote) then it wasn’t much of a ramp-up as they already had all the systems in place for distributed working. For others, it was a serious and urgent task of acquiring tools, deploying them to staff, and making it work as best as possible,” she recounted.

“The mid to longer-term [issue] arising from quick asset acquisition and no security is vulnerability plus lack of redundancy (you can be hacked more easily; you haven’t got the tools in place for good back-ups/contingency planning).”

For lawyers and businesses across the board, it is “now time to do a cyber asset inventory and from there assess your priorities – know your data ‘Crown Jewels’ and then amass security in accordance with your priorities”, Ms Wise advised.

It must be remembered, Ms Bradshaw posited, that there is no relief from privacy compliance during the pandemic, nor will there be “as we return to the ‘new normal’”.

“For law firms and organisations covered by the Privacy Act, the Australian Privacy Principles and the Notifiable Data Breach scheme will continue to apply to remote working arrangements. This includes taking reasonable steps to protect the personal information they hold from unauthorised access, modification or disclosure, and from misuse, interference and loss. These steps are not limited to technology system security; physical data security is also important. They must also continue to assess any data breach and notify affected individuals and the OAIC, where required under the Notifiable Data Breach scheme,” she outlined.

“The consequences of a data breach are the same now as they always are, whether in a pandemic or not. Privacy regulators globally have been clear on this and that they will continue with enforcement, albeit with some regulators accepting a longer time frame for notification of data breaches or responding to regulator requests. In addition to a potential regulatory enforcement action, a data breach (whether during this pandemic or not) has the potential to significantly erode trust in a firm’s privacy practices and damage a firm’s reputation.”

Whilst the potential privacy risks and risk of data breach remain the same whether you have staff working in the office or from home, Ms Bradshaw continued, a “suddenly expanded remote workforce does present a particular privacy risk that needs to be considered and managed”.

“In the first couple of weeks of remote working, we saw many concerns around handling the privacy risks associated with working remotely. In particular, the increased demand on remote access to networks and systems, as well as use of online meetings or other platforms to connect teams, and the use of personal devices, all of which may not have been tested or undergone security assessment prior to the COVID-19 arrangements,” she said.

“We know that phishing attacks and other scams are also prevalent during COVID-19 and organisations should assess whether they have security controls and technology solutions in place to block or mitigate these risks.”

Looking towards the future, Ms Bradshaw explained that when thinking about remote system access and other arrangements for remote working, it will be important to consider “how these arrangements affect how the organisation handles personal information and to identify any potential privacy risks, particularly any risks to the security of personal information you hold”.

“This should be an ongoing assessment as things change in response to the COVID-19 restrictions and working arrangements,” she advocated.

Addressing underlying issues as we pivot to life post-pandemic

When asked what lawyers and legal businesses will need to do in order to address cyber security and regulatory compliance issues once we emerge from the pandemic, Ms Bradshaw said that even in the new normal, “all indications are that COVID-19 restrictions in some form will continue for some time”.

“We will also need to be able to quickly implement high-level restrictions in the event of a further outbreak. I assume this means some proportion of law firms and in-house legal teams will continue to work remotely, whether on a roster or other part-time basis,” she hypothesised. 

“If remote working arrangements or other organisational changes in response to COVID-19 [mean] that you are collecting new or different categories of personal information, for example, health information, or you’re implementing system or people changes, then consider whether you need to conduct a privacy impact assessment (PIA) or review any older PIAs to ensure they are kept up to date as we navigate through the changes to our working arrangements.”

There are also, Ms Bradshaw continued, questions around whether or not staff will have to undergo health screening tests or related measures in returning to the office.

“Law firms and other organisations must ensure they meet their obligations under the Privacy Act when collecting and handling this information, even if an exemption may apply to certain aspects of the data handling,” she mused.

“For in-house lawyers and some law firms, they may be looking more closely at the systems and other legal technology used by the team and examining more closely both data security and accessibility for those team members working remotely. No doubt there will also be questions from the business as to privacy compliance and risks associated with continued increased levels of remote working, particularly for those businesses that are consumer-facing.”

Ms Wise advocated a practical approach: “Know what you own (hardware and associated), know what it is running (software), know who is holding it and how (safely or not?), have everyone understand basic cyber hygiene. Have an incident response plan – all businesses and particularly small ones are being targeted by the cybercriminals in what I’m calling the coronavirus-inspired ‘cyber feeding frenzy’.” 

“For lawyers: you know your duties to the court and to your client. If you don’t know your cyber security position for all of your client’s data you probably are falling short of both ‘competence’ and ‘confidentiality’ not to mention the Notifiable Data Breach scheme,” she said.

Lessons to be learned

For Ms Wise, the obvious starting point moving forward is having a base understanding of what your business is up to on the cyber security front.

“Can you answer your client’s questions about how safe their data is? Do you know what system your firm uses for data storage and access? Do you personally use multi-factor or two-factor authentications? Do you reuse passwords (do not pass go, do not collect $200 change them all now)? Do your passwords contain at least 12 characters of nonsensical words, upper/lower case/numerics/special character? These are your duties and they cannot be delegated even if you ‘have IT people’,” she advised.

“If a password is ‘easy’ for you to remember it probably is for the cybercriminal who spends all day using their beautiful minds looking for ways to relieve you of your trust or account money.”

Ms Bradshaw noted that any looming changes to working arrangements, systems and practices once the new normal arrives should not come at the expense of privacy.

“We can both look after our staff and the personal information that we hold,” she submitted.

“We just need to remember to go back to privacy best practice when implementing or extending these arrangements – data minimisation, privacy by design, maintaining a strong privacy culture and ensuring privacy risks are included in relevant risk registers and business continuity plans during this time and keeping privacy impact assessments up to date.”
