Protecting client confidentiality in the digital era


Key insights:

Lawyers’ special obligations to maintain confidentiality should be borne in mind when considering disclosure obligations following data breaches

The use of cloud-based technology may imply a duty of technological competence

Cyber security is not simply an IT problem and minimising risk includes awareness of human factors


This is a revised version of an article first published on 28 May 2019 in the LSJ Online and in June 2019 in the Law Society of NSW Journal.



Data is now regarded by many as the world’s most valuable resource, and community concerns around privacy and data protection are reflected in increased regulation, including in Australia. Lawyers have always been custodians of confidential information, so keeping secrets or securing documents might seem like second nature. But while keeping information confidential was relatively easy in the days when locking the office door or the records room was all that was required, have our standards of professional practice kept up with technological change? How well do the profession’s security practices reflect the risks associated with transmitting data via email and cloud storage, and with ransomware that threatens to either encrypt or expose information unless a cyber extortion payment is made? And is it reasonable to expect that the same security standards will apply to a small firm without internal IT support as to a large firm with a well-resourced IT department?


Data held by law firms about clients and others

Data held by legal practices can include corporate secrets, details of pending transactions in which large sums will be transferred, and information that could be used to commit identity fraud, such as tax file numbers, bank account details and other financial records or sensitive information. While much of this information will have been provided by clients, it can also relate to others, such as an opposing party in litigation, third parties whose information is produced pursuant to discovery, and the practice’s employees.

Hackers target law firms for a range of reasons, including an expectation they may not have high levels of data security when compared to other organisations holding information of equivalent value and quality. Sometimes there could be an intent to target specific information, for example documents in high profile litigation or transactions, or involving prominent clients or politically sensitive issues, as was the case with the publication of the Panama Papers and Paradise Papers, which involved the disclosure of millions of records held by two prominent international law firms specialising in offshore tax advice.

However, less targeted information such as credit card details, email addresses and breached passwords can also be collected by hackers using phishing techniques and then sold on the dark web, a part of the internet hidden from search engines and which hosts marketplaces for illegal transactions of all kinds. In some cases, firms may have concerns about a possible hacking episode but may be reassured by the apparent absence of any damage or fraud. Unfortunately, the reality could be that sensitive data was collected and made available for sale or potentially used for an illegal purpose. Cyber criminals who target a practice for a specific purpose may take the opportunity to mine other data for sale on the dark web, where data enabling identity fraud and health information is particularly valuable.

 

Disclosure obligations: legal requirements and professional rules

Many organisations that have been impacted by a cyber event are unaware it has occurred and those that are aware are understandably reluctant to share that information. However, as trusted fiduciaries, or as an officer of the court who has received access to confidential information, are lawyers permitted to withhold information about a known breach from clients or other impacted parties?

Lawyers’ duties to maintain confidentiality arise in a variety of ways including under the law of contract (the duty may be an express or implied term of the retainer agreement), and in equity as a result of the fiduciary relationship between lawyer and client.

Another important source and a pointer to possible disclosure requirements in the event of a breach are current professional rules. The Legal Profession Uniform Law Australian Solicitors’ Conduct Rules 2015 state that a solicitor must act in the best interests of a client in any matter in which the solicitor represents the client (rule 4.1.1), deliver legal services competently and diligently (rule 4.1.3), avoid any compromise to their integrity and professional independence (rule 4.1.4) and provide clear and timely advice to assist a client to understand relevant legal issues and make informed choices about action to take during the course of a matter (rule 7). The rules also provide that a solicitor’s paramount duty is to the court and the administration of justice (rule 3), and that a solicitor must not disclose any information confidential to a client and acquired by the solicitor during the client’s engagement to any person outside the law practice unless for the purposes of providing legal services to the client (rule 9, but see also rule 9.2 for limited exceptions).

A more recent disclosure requirement is contained in the Privacy Act 1988 (Cth), which regulates the handling of personal information by Australian government agencies, private sector and not-for-profit entities with a turnover greater than $3 million, private health service providers and credit reporting agencies. The Office of the Australian Information Commissioner (OAIC) also has powers and responsibilities conferred under other legislation including laws relating to tax file numbers (TFNs).

In February 2018 the Notifiable Data Breaches (NDB) regime under the Privacy Act introduced mandatory data breach notification requirements for all organisations subject to the Act. Where an entity has reasonable grounds to suspect that an “eligible data breach” (see s 26WA) has occurred, it must notify the OAIC and affected individuals. Even though small professional practices with turnover of less than $3 million are not, on the whole, required to comply with the Act, entities holding TFNs are subject to the NDB regime for the purposes of those records. Many law firms hold TFNs for individuals via taxation or income records (for example in matters relating to investments, and in personal injury or insurance claims) and should be aware of their obligations under the NDB regime.

Other legislation or legal requirements impacting disclosure obligations may also apply depending on individual circumstances.


Confidentiality and the cloud

Cloud-based computer services, in which data and software are kept on servers owned and maintained by third party providers, are popular because they can be less costly and provide greater efficiency and flexibility, particularly for sharing information and working remotely. However, maintaining the confidentiality of data that is transmitted to and stored by a third party has always been a concern. For that reason, professional bodies have emphasised that the use of cloud-based technology should be accompanied by reasonable steps to prevent data from getting into the wrong hands. So, while it is ethical to use the technology, there is an expectation that its use will be accompanied by appropriate levels of awareness, understanding of the technology, competence in information management, due diligence and risk prevention.

While not binding, the Cloud Computing Practice Note published by the Office of the Legal Services Commissioner in 2013 and revised in 2015 provides guidance on issues that should be considered, including an expectation that lawyers who use the cloud have an appropriate understanding of the technology, and appreciation and appropriate management of risks that might arise. The practice note provides details of relevant due diligence issues including contractual arrangements.

The Law Council of Australia’s Cyber Precedent website refers to the American Bar Association’s Model Rules of Professional Conduct, which include a competency component in relation to technology, and to requirements in Florida for mandatory legal education concerning technology. The Cyber Precedent website states that as ‘legal practices place more reliance on technology, especially the internet, it is likely this type of competency will be implemented in other jurisdictions.’ Key messages under a ‘duty of competency’ are: (a) to be a competent lawyer, a practitioner should understand the value of the information s/he is dealing with; (b) failure to properly protect a client’s information could cast doubt on the ability to properly manage a practice; and (c) as legal practices increasingly operate in the digital realm, issues of cyber security will play a more prominent role, so it is important to keep updated about current risks and available security measures.


What this means for law practices’ cyber security

In addition to requirements about managing risks associated with technology, there is now increased awareness of the role of human factors in responding to cyber risk. The dangers of low user awareness have become increasingly apparent, with the majority of cyber attacks beginning with an email which tricks a recipient into inadvertently giving away log-in credentials or installing malware by clicking on a malicious link. In May 2019 the OAIC reported that in the first 12 months of the regime, 35% of 964 data breaches were attributed to human error such as unintended disclosure of personal information or the loss of a data storage device.

With predictions that revenue from cyber crime will soon exceed the value of the international illegal drugs trade, cyber security has become a necessary expenditure. Media reports suggest that financial services firms such as banks are now spending an average of $2300 per employee on cyber security, and organisations including large law firms are investing heavily in training employees, having proper policies and procedures in place, and in simulated phishing attacks to check staff awareness. These steps are presumably being taken not only out of concern for legal requirements but also to meet client expectations and avoid the financial costs and reputational damage that a data breach or successful cyber attack can entail.

While smaller firms may not have the luxury of internal IT departments, there are nevertheless measures that can be taken to significantly improve every firm’s risk profile. On the technology side these include having business grade email systems and seeking specialist advice on appropriate settings, configuring your email and domain to minimise the risk of cyber criminals impersonating your email address, introducing two-factor authentication, installing quality anti-phishing software and keeping regular and accessible backups.
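The “configuring your email and domain” step above is usually a matter of publishing correct SPF and DMARC records in DNS, and the difference between a weak and a protective configuration is a few characters. The script below is an added illustration written for this article, not a tool from the author or any provider: it parses the two record types and flags the settings that leave a domain open to impersonation. All record strings are constructed samples for a hypothetical domain (example-firm.example), and no DNS lookups are made, so it runs offline; a firm’s IT adviser would substitute the firm’s real TXT records.

```python
"""Flag weak settings in the SPF and DMARC records that govern who may send
email as a domain. Added example for this article, not the author's or any
vendor's tool. Sample records are constructed for a hypothetical domain;
nothing is looked up in DNS, so the script runs offline."""
import re

# Constructed sample records (hypothetical domain example-firm.example).
WEAK_SPF = "v=spf1 include:_spf.mail.example ~all"
STRONG_SPF = "v=spf1 include:_spf.mail.example -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example-firm.example"
STRONG_DMARC = ("v=DMARC1; p=reject; pct=100; "
                "rua=mailto:dmarc@example-firm.example; adkim=s; aspf=s")

# SPF terms that each cost a DNS lookup; receivers give up (permerror) after 10.
LOOKUP_TERMS = {"include", "a", "mx", "exists", "redirect", "ptr"}


def _spf_name(term: str) -> str:
    """Strip the qualifier (+ - ~ ?) and any argument from an SPF term."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def check_spf(record: str) -> list[str]:
    """Return findings describing weaknesses in an SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    # The 'all' mechanism decides what receivers do with senders not listed.
    all_terms = [t for t in terms if _spf_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: mail from unlisted hosts is not failed")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' lets any host send as this domain")
        elif qualifier == "~":
            findings.append("'~all' (softfail) only marks spoofed mail as suspicious")
        elif qualifier == "?":
            findings.append("'?all' (neutral) gives receivers no instruction")
    lookups = sum(1 for t in terms if _spf_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(record: str) -> list[str]:
    """Return findings describing weaknesses in a DMARC TXT record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, not quarantined or rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or unknown policy tag p={policy!r}")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports of spoofing attempts go unseen")
    return findings


def assess_domain(spf: str, dmarc: str) -> dict[str, list[str]]:
    """Combine SPF and DMARC findings for one domain into a single report."""
    return {"spf": check_spf(spf), "dmarc": check_dmarc(dmarc)}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess_domain(spf, dmarc))
```

The weak pair (`~all` and `p=none`) is a common first-deployment setting: it collects reports but lets impersonated mail through. Moving to `-all` and `p=reject` is what actually stops spoofed messages, and the `rua` address matters because the aggregate reports are how a firm learns that someone is attempting to send as its domain.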

Key steps to reducing human factors associated with cyber risk include training staff to recognise the signs of scam emails and educating clients via your costs agreement, email footer and website. Restricting access to data to those staff members with a ‘need to know’, and policies requiring verification of payment requests received electronically, will also prevent accidental errors.

Cyber risk may be a modern phenomenon, but the old adage about an ounce of prevention being better than a pound of cure still applies.

© 2019 Law & Cyber Pty Ltd

This article is subject to copyright. Except as permitted under the Copyright Act, 1968, no part of it may be reproduced, published, adapted or communicated to the public without the written consent of Law & Cyber Pty Ltd.
