Protecting your clients from cyber attack
This article is part of the sixth annual special Technology & Law edition of LawNews, put together by ADLS’ Technology & Law committee.
Are we really still banging on about cybersecurity? Well, yes – but hear us out.
Edwin Lim & Lisa Paz
In a world where data is more valuable than oil, and cybercrime supposedly generates more revenue than the entire global drug trade, it’s unsurprising that cyberattacks are occurring on an unprecedented scale.
New Zealand is not immune. CERT NZ (the Computer Emergency Response Team) was set up by the government in 2017 as a one-stop-shop to receive cyber incident reports, track cyber incidents and provide advice on how to respond to an attack.
Between January and March 2019, CERT NZ received 992 cybersecurity incident reports, including the highest number of ‘unauthorised access’ incidents ever received. These incidents caused $1.7 million in direct financial loss to the individuals and businesses impacted.
Why should you care?
As lawyers, our duty to protect data is greater than that of most other businesses.
Firstly, we hold highly-sensitive and valuable commercial information about our clients, making us prime targets for hackers and scammers.
Secondly, our duties as members of the profession and as fiduciaries to our clients extend to implementing appropriate cybersecurity measures.
In today’s climate, our strict confidentiality obligations and duty to take reasonable steps to prevent crime or fraud being perpetrated through our practice naturally extend to taking reasonable steps to ensure the security of our electronic systems, client and employee data.
Clients are increasingly aware of the importance of cybersecurity and want assurances that all appropriate measures are in place.
It is common for both new and existing clients to require law firms to complete cybersecurity questionnaires to clarify how sensitive client information is protected, with the answers forming part of the overall assessment of whether to engage or to continue to engage a firm.
As service providers to our clients, firms need to be able to articulate:
- what cybersecurity measures are in place to proactively protect information within its control;
- what IT functions are being outsourced and to whom;
- whether information security deficiencies are identified, reported, and tracked to resolution;
- how frequently security patches are applied;
- what user access management practices are employed and how – for example, is access granted only where required for the job function? Is access approved by the system owner? How often is employee access reviewed?
- what relevant training its staff receive;
- whether data is encrypted. If so, how?
- how the firm is continuously improving its cyber-security; and
- how the firm would detect and respond to a cyber attack.
Some clients may also require legal advisors to sign service provider agreements that contain significant obligations around data security.
The concern is understandable. Law firms are a hacker’s paradise; an internet search for the phrase “law firm hacked” returns an alarming number of results (and what’s just as bad is the number of law firms that don’t even know they have been hacked).
Not only are hackers rewarded with access to information about multiple businesses at once, but they also get the juiciest information about those businesses, including information on top secret, and potentially market-influencing, deals, new IP, legal advice and information about disputes and settlements.
Unsurprisingly, law firms overseas are increasingly being targeted. The most famous example is the hack of offshore law firm Mossack Fonseca’s poorly-protected email server, which resulted in 11.5 million confidential documents being leaked in what became known as the Panama Papers.
But even a smaller-scale cyber-attack or scam could be devastating to your business, with enormous potential for financial, business and reputational damage.
Obligations around cybersecurity also rest on company directors. The Institute of Directors has confirmed the board’s fiduciary duty of care to protect the company’s assets includes protecting information and other digital assets.
We, as in-house or external legal counsel, need to ensure company directors are aware of this obligation. It’s not good enough for directors to simply say they did not know about cybersecurity.
The writing is now clearly on the wall. Cybersecurity is no longer just an IT issue. It’s a business issue.
Advanced cyber security was once a “nice to have”; law firms can no longer ignore the need to have it in place (actually, having anything in place is a good start!).
As guardians of valuable client information, we are required to take cyber security seriously. If your policies and procedures haven’t been revised in a while, now is the time to dust them off and put appropriate measures in place to protect your clients and your business. It’s as simple as that.
Edwin Lim is a partner at Hudson Gavin Martin, a commercial and corporate law firm specialising in technology, media and IP. Lisa Paz is a senior solicitor at Hudson Gavin Martin.