Cyber security – “it’s overrated”, “not my problem”, and “so 2016”…?
Great. I have your attention.
Many lawyers think that cyber security is a distant IT issue with no relevance to their daily legal practice.
Unfortunately, this could not be further from the truth.
If you didn’t catch on to the cyber security buzz in 2016, it is not too late to catch up.
Cyber security is an important part of every business around the world, and vital in our profession.
We hold sensitive and confidential information that makes us prime targets for hackers who want to steal client information and corporate intelligence.
If you think this only happens in the movies, look no further than the Panama Papers – 11.5 million confidential documents were leaked from Mossack Fonseca, one of the largest offshore law firms, through a hack of the firm’s email server and poor information security.
Cyber security’s importance is growing more critical by the day, as we continue to witness new attacks on an unprecedented scale, both across the globe and within New Zealand. This includes New Zealand law firms, large and small.
The “easier” targets are often small- to medium-sized law firms that may lack the resources to prioritise cyber security, or simply ignore it as an IT issue that does not affect them. However, cyber security is a business issue and it affects us all.
Cyber security involves developing, implementing and maintaining robust staff training, policies, procedures and measures (technical, practical and organisational) to proactively protect all information within your control against a cyber attack.
Data is the new oil and is quickly becoming more valuable than money itself. And when I say “data”, that includes information within your control – client emails and documents, staff details and business information.
Clients are becoming increasingly aware of the importance of cyber security and will want to know that you have put all appropriate measures in place.
It is becoming increasingly common for law firms to be required to complete cyber security questionnaires at the request of their existing clients, so that clients understand how we protect their information.
In addition, law firms that are given the opportunity to pitch for legal work from new clients are often required to describe what cyber security measures they put in place, and the answers to this become part of the overall assessment.
It is no longer good enough to sit back and wait for a cyber attack to happen before you do anything about it. It is even worse if you think that a cyber attack will not happen to you.
We all have a positive duty as lawyers, whether in private practice or in-house, to prevent it from occurring in our businesses.
As lawyers, our duty to protect data will almost always be over and above that of most other businesses. Our duties as members of the profession and as fiduciaries to our clients extend to appropriate cyber security measures.
Obligations in relation to cyber security also rest on company directors, as recently confirmed by the Institute of Directors, so we should, as in-house or external legal counsel, be ensuring that company directors know what their obligations are.
The consequences of a cyber attack for you and your business are boundless. The possibilities of financial, business and reputational damage are enormous, and the possible routes of legal liability are continuing to increase.
It is certainly no longer an excuse to say you do not know what cyber security is.
Whether you are a tech guru or a person who does not really know much about cyber security, it is important to keep updated on your legal obligations relating to the implementation and application of cyber security measures within your business.
Don’t be the next Mossack Fonseca.
Edwin Lim is a partner at Hudson Gavin Martin, a commercial and corporate law firm specialising in technology, media and IP. He is also a member of the ADLS Technology Law Committee.
Edwin Lim and other members of the Committee – Dr David Harvey, Lloyd Gallagher and Arran Hunt – are presenting a practical “Cyber Security for Lawyers” workshop on Saturday 11 November 2017 in Auckland, from 10am to 1.30pm.