
In the 2021-22 financial year, over 76,000 cybercrime reports were made to the Australian Cyber Security Centre. According to the 2021-2022 Annual Cyber Threat Report (Cyber Threat Report), that equates to one report every seven minutes.

In its third year of publication the Cyber Threat Report revealed, among other things, that cybercrimes directed at individuals, such as online banking and shopping compromise, remained among the most common types of cybercrime in Australia. The Cyber Threat Report also revealed that Business Email Compromise (commonly known as phishing) – where organisations are targeted through their employees by criminals pretending to be legitimate business operators, who try to scam them out of money or goods – trended towards targeting high value transactions like property settlements. In the 2021-22 financial year, financial losses attributed to Business Email Compromise were over $98 million, an average loss of $64,000 per report.

The numbers are sobering, and with the impact of the Optus and Medibank Private breaches fresh in everyone’s minds, suffice to say that it pays to know what and who you are up against when it comes to data and cyber security. This is all the more true for law practices, who on a daily basis act as conduits for large sums of money.

In a world where data is ubiquitous and has superseded cash as king, legal practitioners and law practices need to understand how to protect their clients and businesses from the potential damage of a cyberattack and data breach.

Data and cyber security 101

Audit your systems and processes

If you haven’t already done so, now would be a good time to undertake an audit of your data storage and security systems. When thinking about the strength of your law practice’s data security infrastructure, start by mapping out the lifecycle of the data you collect and hold and understanding, from collection to destruction, where there are vulnerabilities to cyberattacks and inadvertent disclosure and loss. This includes understanding the nature of the data breaches your law practice is at risk of, the functionality of any IT protection systems you have in place, as well as the level of awareness among you and your staff about how to prevent and mitigate damage due to a cyberattack or accidental loss of data.

Law practices are also encouraged to refer to the Law Society’s and Lawcover’s Cyber Management Checklist on how to prevent cyber fraud.

Train your staff and stay informed

When it comes to cyber security threats, how well do you know your ransomware from your phishing attacks? While having the assistance of IT experts is helpful to understand and keep up to date on the emerging technologies used to compromise data, it is an essential part of today’s legal practice that all employees of a law practice (whether legal practitioners or lay associates) understand the basics of cyber security and data protection.

The ACSC website provides information on the basics of cyber security to individuals, small and medium businesses, as well as large and critical infrastructure organisations.

You can keep your finger on the pulse of cyber risks by subscribing to the ACSC Alert Service. This is a free service, which provides information on recent online threats and how they can be managed. Subscribers are informed about the latest threats and vulnerabilities within an Australian context, and how to address risks to their devices or computer networks.

Know how to respond to a breach

Knowing how to prevent a breach from occurring is only one half of the picture. It is equally important that law practices have a policy and procedure in place so that employees know what action to take when a breach has occurred. Timing is often crucial when it comes to mitigating the potential damage caused by a data breach, and the larger the law practice, the more important it is to have a plan in place to coordinate the different actors and actions that need to be taken to respond to the breach.

For law practices that have obligations under the Privacy Act 1988 (Cth) (Privacy Act), your response plan should incorporate the obligations of the law practice to notify the Office of the Australian Information Commissioner in the event the data breach is an ‘eligible data breach’ (as defined in the Privacy Act).

The Law Society and Lawcover’s guide on data and cybersecurity for law practices provides guidance to law practices on managing cyber risk, including actions to be taken when a data breach occurs.

Get insurance

Lawcover purchases a group cyber risk insurance policy for the benefit of its insured law practices. The Lawcover Group Cyber risk policy provides crisis assistance and protection from losses to a limit of $50,000. This policy has been tailored specifically for law practices and sits adjacent to the Lawcover professional indemnity insurance policy.

This policy is available for all insured law practices.

Additional resources

Lawcover has a library of Cyber Resources to assist practitioners and law practices manage and secure their data.

Anyone with questions or wanting support and guidance in relation to the issues raised in this article is welcome to contact the Law Society’s Professional Support Unit on (02) 9926 0115 or at [email protected].

The Law Society’s Professional Support Unit provides free and confidential information and guidance to the legal profession on costs, ethics and regulatory compliance to help practitioners comply with their obligations under the legal profession legislation.