Cybersecurity and legal regulation: why it’s crucial to stay on top of cyber risk
BY ELISSA BAXTER AND ALEX HASLAM – SEP 06, 2024 8:30 AM AEST
Snapshot
- Cyber security is an essential part of legal practice management.
- In a 2022 Federal Court case, the court made it clear that regulators consider inadequate cyber security as a regulatory issue.
- Earlier this year, the Legal Services Board and Commissioner of Victoria published Minimum Cybersecurity Expectations for Victorian legal practitioners. Some unacceptable cybersecurity practices could constitute unsatisfactory professional conduct or professional misconduct.
- Lawcover and the Law Society of NSW have also provided guidance on identifying and preventing cyber fraud with online resources.
Law firms regularly handle substantial funds and sensitive information. This makes them attractive targets for cyber criminals who engage in social engineering, ‘man-in-the-middle’ cybercrimes or seek ransoms to prevent the release of confidential information. Major firms DLA Piper, Allen & Overy and HWL Ebsworth have all been the subject of well publicised cyber attacks targeting operations and data.
However, smaller firms are not immune to cyber attacks and are particularly at risk of impersonation fraud and business email compromise. In the case of small firms, the target is usually funds transfers, but compromises can also lead to breaches of the Privacy Act 1988 (Cth) and loss of confidential data. The prevalence of these types of attacks makes cyber security an essential part of legal practice management.
Australian Securities and Investments Commission v RI Advice Group Pty Ltd
As the case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 makes clear, regulators consider inadequate cyber security as a regulatory issue. This was a case involving a financial services provider that experienced a number of cyber security incidents between 2014 and 2020. These included hacking, ransomware, phishing emails and, most significantly, unauthorised access to its server. That last attack resulted in the personal information of thousands of clients being used maliciously and without authority. The Court found the financial services provider had breached its licence obligations by failing to take appropriate steps to ensure adequate cyber security risk management systems and cyber resilience were in place.
In handing down her decision, Rofe J noted:
‘Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level’ [at 58].
Minimum Cybersecurity Expectations
Earlier this year, the Legal Services Board and Commissioner of Victoria (‘LSBCV’) published its Minimum Cybersecurity Expectations for legal practitioners in Victoria, specifically bringing cyber security within the scope of legal regulation for the first time.
These guidelines aim to help law practices protect client data and meet their legal and ethical obligations. The LSBCV also outlined examples of unacceptable cybersecurity practices that could constitute unsatisfactory professional conduct or professional misconduct.
Key expectations for legal practitioners in Victoria include:
- Regular risk assessments: conducting regular risk assessments to identify potential cybersecurity threats. Understanding their risk profile allows lawyers to prioritise cybersecurity investments and implement appropriate risk mitigation strategies.
- Utilising secure communication channels: transmitting sensitive information to clients and colleagues via secure communication channels, such as encrypted email services and secure client portals. Encrypting communications helps prevent interception and unauthorised access to confidential data.
- Implementing data protection measures: applying measures to protect sensitive client information from unauthorised access. These include encrypting data, both in transit and at rest, to ensure client data remains secure even in the event of a data breach.
- Implementing access controls and authentication: making sure access controls and authentication mechanisms that restrict unauthorised access to sensitive systems and information are in place. This may include strong passwords, multi-factor authentication and role-based access controls to ensure only authorised individuals have access to confidential data.
- Establishing robust response plans: implementing solid incident response and business continuity plans to effectively respond to cybersecurity incidents and minimise any impact they may have on legal practices. These include procedures for incident detection, containment and recovery, as well as regular testing and refinement of response plans.
Compliance with the Minimum Cybersecurity Expectations is now a regulatory requirement for legal practitioners in Victoria. Failure to adhere to these guidelines may result in findings of unsatisfactory professional conduct or professional misconduct in that State.
Other guidance
While the Law Society of NSW has not taken that approach, the Minimum Cybersecurity Expectations nevertheless outline a good standard for all solicitors to follow. Lawcover and the Law Society of NSW also provide guidance on identifying and preventing cyber fraud, with the Law Society’s cyber security resources and Lawcover’s cyber resources.
If prevention is not possible, then it is essential that practitioners know what to do in the event of an attack. Lawcover and the Law Society have produced a cyber incident procedure which includes the contact details needed in the event of a cyber breach.
By adopting a proactive approach to cyber security, legal practitioners in NSW can mitigate the risk of cyber incidents, protect client confidentiality and protect themselves from future cyber and fraud claims.
In the event of a cyber incident, all Lawcover-insured law practices have coverage via our Group Cyber Policy. Call 1800 4 BREACH for crisis assistance.
This article originally appeared on lsj.com.au