Cybersecurity risk management – safeguarding your licence to operate
At a time when the public and regulatory bodies are insisting on stronger measures to protect privacy and data, law firms have an obligation to proactively invest in cybersecurity risk management, writes Demetrio Zema.
In today’s digital age, safeguarding client trust and privacy is paramount. Following the high-profile Latitude, Medibank and Optus data breaches, Australian businesses are operating in a context where public demand for privacy often surpasses the regulatory frameworks in place.
Most Australians place a considerably high level of importance on their privacy when choosing a product or service, with an Office of the Australian Information Commissioner (OAIC) survey revealing that 70 per cent of Australians believe it is ‘extremely’ or ‘very’ important, and more than one quarter rate it as ‘quite important’ to them.
The survey also shows that 74 per cent of Australians consider that data breaches are one of the biggest privacy risks they face today, up 13 per cent from three years ago. Law firms should, therefore, anticipate that their clients, whether individuals or businesses, share these concerns.
Reputations on the line
Like any other business entity, law firms need to proactively invest in cybersecurity risk management. This requirement was emphasised in the recent announcement by the Australian Securities and Investments Commission (ASIC) warning of regulatory action against businesses and directors whose risk-management frameworks do not adequately address cybersecurity risk. Furthermore, ASIC's edict comes after the Privacy Act 1988 (Cth) (Privacy Act) was reformed to give OAIC stronger investigative powers and signals that significant financial penalties will be applied against non-compliant entities, including law firms.
Privacy and cybersecurity take on added significance for law firms due to the inherently sensitive nature of the information they handle. Law firms are entrusted with a wealth of confidential client data, including personal, financial and legal information. As a result, breaches of client confidentiality not only have legal and financial ramifications, but can irreparably damage the firm’s reputation and client trust.
Law firms are also subject to a unique set of professional and legal obligations, including the duty of client confidentiality. As such, cybersecurity breaches are also a potential violation of professional ethics. Law firms must, therefore, be vigilant in safeguarding cybersecurity to protect their clients' interests, uphold the integrity of the legal profession, and to ensure their own long-term viability.
Managing a host of legal obligations
To protect the data and privacy of clients, law firms must navigate a complex web of legal obligations arising from the following legislative sources:
1. Privacy Act 1988 (Cth): Under Australian Privacy Principle 11.1, law firms are obliged to take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification, or disclosure.
2. Corporations Act 2001 (Cth): Directors and officers of law firms are subject to a duty to exercise their powers and discharge their duties with the care and diligence of a reasonable person under section 180(1) of this Act. This duty extends to ensuring the security of sensitive data.
3. Professional duties: Rule 9 of the Australian Solicitors’ Conduct Rules and Australian Barristers’ Conduct Rules establishes a professional duty of confidentiality, which encompasses safeguarding client data from unauthorised access.
Steps to shield law firms from cyber threats
Malicious or criminal attacks are the primary cause of data breaches reported to the OAIC, with one in five data breaches in the first half of 2023 caused by social engineering or impersonation. These perils are likely to intensify as bad-threat actors embrace emerging technologies, such as generative AI, to create more convincing phishing communications and malicious code.
To safeguard against these and other cyber threats, law firms should take the following actions:
- Seek expert guidance – Collaborate with cybersecurity and legal experts who can assess and enhance your cybersecurity framework regularly. Privacy and cybersecurity require specialised knowledge, and they are not adequately handled by generalists.
- Conduct a data inventory – Understand what data you collect, process and store, and where this information is located within your systems.
- Factor in third-party providers – Establish robust contracts and security assessments for third-party service providers who handle your data. Your clients' privacy is ultimately your responsibility.
- Tailor cybersecurity measures – Implement cybersecurity measures commensurate with the sensitivity and volume of the data your firm manages.
- Leverage Law Society guidance – Explore any cybersecurity recommendations provided by relevant law societies, and adopt them to strengthen your defences.
- Engage in continuous training: Provide mandatory staff training on cybersecurity and privacy, along with recognition of social engineering tactics. Frequent, brief training sessions are typically more effective than infrequent, lengthy ones.
- Practise shared responsibility – Embed a culture of shared responsibility across all levels of the firm. Every staff member should understand their role in reducing cyber risks, while boards and firm management must be actively involved in day-to-day risk management.
- Develop a data-breach response plan – Maintain an accessible data-breach response plan with which all law firm staff are familiar. Ensure a hardcopy is available for reference.
- Focus on business continuity – Develop a robust business continuity plan and effective backup practices to ensure your firm can quickly recover from a cyber incident.
Given the heightened risk context in which law firms operate, including the inherently sensitive nature of the information they hold and their professional ethical responsibilities, cybersecurity and privacy risks should be viewed not merely as emerging legal obligations, but as a modern law firm’s licence to operate.
Demetrio Zema is the founder and director of Law Squared, a specialised commercial law and litigation firm focused on working with high-growth businesses and ASX-listed companies.