LSB April 2022 LR
CYBER ATTACKS<br />
and features that are likely to increase<br />
risks (such as Java, Office Suite Macro<br />
Scripts, etc).<br />
• Restrict Administrative Privileges:<br />
Restrict access to administrative<br />
accounts and operating systems based<br />
on user duties. Re-validate access to<br />
systems regularly.<br />
• Multi-Factor Authentication: Multifactor<br />
authentication (MFA) is a security<br />
measure that requires two or more<br />
proofs of identity to grant you access.<br />
• Maintain Daily Backups: Undertake<br />
daily backups of your system to ensure<br />
a copy of all of the data is saved in the<br />
event of a data breach.<br />
YOU’VE HAD A CYBER-ATTACK, WHAT DO<br />
YOU NEED TO DO?<br />
If your cyber-attack has potentially led<br />
to sensitive and confidential information<br />
being stolen, destroyed, and/or altered,<br />
it is important the breach is reported<br />
through the appropriate channels.<br />
Remember, even in circumstances<br />
where information may not have been<br />
impacted in some way, practitioners<br />
should report a cyber-attack. Practitioners<br />
should consider whether to report to the<br />
following entities:<br />
• South Australian Police<br />
• Australian Cybercrime Online<br />
Reporting Network<br />
• The South Australian Law Society<br />
• Scam Watch<br />
• Consumer & Business Services<br />
Further, if the cyber-attack has resulted<br />
in a data breach (meaning when personal<br />
information is accessed or disclosed<br />
without authorisation or alternatively<br />
is lost), then under the Notifiable Data<br />
Breaches scheme, an organisation or<br />
agency that must comply with Australian<br />
privacy law has to tell the affected party<br />
if a data breach is likely to cause them<br />
serious harm. 20<br />
An organisation or agency that has<br />
existing obligations under the Privacy Act<br />
must also report any serious data breach to<br />
the Office of the Australian Information<br />
Commissioner.<br />
This includes Australian Government<br />
THE BULLETIN <strong>April</strong> <strong>2022</strong><br />
agencies, businesses and not-for-profit<br />
organisations that have an annual turnover<br />
of more than AU$3 million, private sector<br />
health service providers, credit reporting<br />
bodies, credit providers, entities that<br />
trade in personal information and tax file<br />
number (TFN) recipients. 21<br />
Generally, an organisation or agency<br />
(which has an obligation under the Privacy<br />
Act to report) has 30 days to assess<br />
whether a data breach is likely to result in<br />
serious harm. 22<br />
When a data breach occurs, an<br />
organisation or agency must endeavour<br />
to reduce the chance that an individual<br />
experiences harm. If they’re successful,<br />
and the data breach is not likely to result<br />
in serious harm, the organisation or agency<br />
is not obligated to advise the individual<br />
about the data breach.<br />
Should we apply this approach<br />
to the concept of maintaining client<br />
confidentiality – i.e., take it a step further<br />
and notify the party whose confidentiality<br />
has been breached as soon as practicable?<br />
Some would say yes, and indeed many law<br />
firms are erring on the side of caution and<br />
creating internal policies dealing with this<br />
very issue.<br />
For example, sending an email to the<br />
wrong recipient is all too easily done. It<br />
may be prudent to set up internal firm<br />
policy (as indicated above) providing some<br />
guidance around how individuals in the<br />
firm should respond to such an error. A<br />
simple step-by-step process may look like:<br />
• Contact the unintended recipient<br />
immediately and request that they<br />
destroy the email; and<br />
• Contact the affected individual whose<br />
confidentiality has been breached<br />
and explain the situation, including,<br />
if applicable, confirmation that the<br />
content has been destroyed by the<br />
unintended recipient.<br />
WHAT ARE SOME OTHER BENEFITS FOR<br />
BEING “TECH-SAVVY”?<br />
Being “tech-savvy” is not just important<br />
to avoid the risk of a cyber-attack.<br />
Practitioners ought to frequently turn their<br />
minds to the vast array of technology<br />
available to them and query how they can<br />
utilise it in their everyday practice for the<br />
ultimate benefit of their clients.<br />
Embracing technology and the law<br />
can result in quicker, more cost-effective<br />
communication, security and freedoms to<br />
work outside of the four walls of the office.<br />
For example, we have long embraced<br />
the use of email communications with<br />
clients (and others) as a main type of<br />
communication in practice. Emails enable<br />
effective and fast communications.<br />
Today, the majority of practitioners will<br />
often communicate through email more<br />
than utilise phone calls. Not only are we<br />
communicating through emails, we are<br />
creating a written record at the same time.<br />
Technology surrounding security<br />
measures (such as firewalls and other<br />
protection software) allows businesses<br />
such as law firms to protect and maintain<br />
client confidentiality as well as protect<br />
transactions surrounding trust monies<br />
and associated transactions.<br />
The use of cloud storage and<br />
document management systems (if used<br />
safely), can streamline significant tasks<br />
such as electronic discovery (eDiscovery).<br />
eDiscovery systems will often allow firms<br />
to create ‘shortcuts’ to streamline the review<br />
of documents. For example, eDiscovery<br />
systems provide tools to analyse documents<br />
to reduce the overall volume to be reviewed<br />
and/or discovered. Most systems, amongst<br />
other things, offer duplicate detection to<br />
group textually similar documents together<br />
to help make the review process more efficient.<br />
Digital technology also enables us to<br />
practise the law outside of the traditional<br />
office environment, which is increasingly<br />
relevant in our post COVID-19 world.<br />
From virtual meetings and negotiations<br />
to video court appearances, being able to<br />
adapt to these modern practices can only<br />
serve to benefit a practitioner (and their<br />
clients). The flexibility to practise from any<br />
location is priceless, but we must ensure<br />
that appropriate measures are put in place<br />
to maintain cyber security. Having an<br />
understanding of the risks and identifying<br />
how to mitigate those is a good starting<br />
point.