LSB April 2022 LR

CYBER ATTACKS
and features that are likely to increase
risks (Such as Java, Office Suite Macro
Scripts, etc).
• Restrict Administrative Privileges:
Restrict access to administrative
accounts and operating systems based
on user duties. Re-validate access to
systems regularly.
• Multi-Factor Authentication: Multifactor
authentication (MFA) is a security
measure that requires two or more
proofs of identity to grant you access.
• Maintain Daily Backups: Undertaking
daily backups of your system to ensure
a copy of all of the data is saved in the
event of a data breach.
YOU’VE HAD A CYBER-ATTACK, WHAT DO
YOU NEED TO DO?
If your cyber-attack has potentially led
to sensitive and confidential information
being stolen, destroyed, and/or altered,
it is important the breach is reported
through the appropriate channels.
Remember, even in circumstances
where information may not have been
impacted in some way, practitioners
should report a cyber-attack, Practitioners
should consider whether to report to the
following entities:
• South Australian Police
• Australian Cybercrime Online
Reporting Network
• The South Australian Law Society
• Scam Watch
• Consumer & Business Services
Further, if the cyber-attack has resulted
in a data breach (meaning when personal
information is accessed or disclosed
without authorisation or alternatively
is lost), then under the Notifiable Data
Breaches scheme, an organisation or
agency that must comply with Australian
privacy law has to tell the affected party
if a data breach is likely to cause them
serious harm. 20
An organisation or agency who has
existing obligations under the Privacy Act
must also report any serious data breach to
the Office of the Australian Information
Commissioner.
This includes Australian Government
10
THE BULLETIN April 2022
agencies, businesses and not-for profit
organisations that have an annual turnover
of more than AU$3 million, private sector
health service providers, credit reporting
bodies, credit providers, entities that
trade in personal information and tax file
number (TFN) recipients. 21
Generally, an organisation or agency
(which has an obligation under the Privacy
Act to report) has 30 days to assess
whether a data breach is likely to result in
serious harm. 22
When a data breach occurs, an
organisation or agency must endeavour
to reduce the chance that an individual
experiences harm. If they’re successful,
and the data breach is not likely to result
in serious harm, the organisation or agency
is not obligated to advise the individual
about the data breach.
Should we apply this approach
to the concept of maintaining client
confidentiality – i.e., take it a step further
and notify the party whose confidentiality
has been breached as soon as practicable?
Some would say yes, and indeed many law
firms are erring on the side of caution and
creating internal policies dealing with this
very issue.
For example, sending an email to the
wrong recipient is all too easily done. It
may be prudent to set up internal firm
policy (as indicated above) providing some
guidance around how individuals in the
firm should respond to such an error. A
simple step by step process may look like:
• Contact the unintended recipient
immediately and request that they
destroy the email; and
• Contact the affected individual whose
confidentiality has been breached
and explain the situation, including
if applicable confirmation that the
content has been destroyed by the
unintended recipient.
WHAT ARE SOME OTHER BENEFITS FOR
BEING “TECH-SAVVY”?
Being “tech-savvy” is not just important
to avoid the risk of a cyber-attack.
Practitioners ought to frequently turn their
minds to the vast array of technology
available to them and query how they can
utilise it in their everyday practice for the
ultimate benefit of their clients’.
Embracing technology and the law
can result in quicker more cost-effective
communication, security and freedoms to
work outside of the four walls of the office.
For example, we have long embraced
the use of email communications with
clients (and others) as a main type of
communication in practice. Emails enable
effective and fast communications.
Today, the majority of practitioners will
often communicate through email more
than utilise phone calls. Not only are we
communicating through emails, we are
creating a written record at the same time.
Technology surrounding security
measures (such as firewalls and other
protection software) allow businesses
such as law firms to protect and maintain
client confidentiality as well as protect
transactions surrounding trust monies
and associated transactions.
The use of cloud storage and
document management systems (if used
safely), can streamline significant tasks
such as electronic discovery (eDiscovery).
eDiscovery systems will often allow firms
to create ‘shortcuts’ to streamline the review
of documents. For example, eDiscovery
systems provide tools to analyse documents
to reduce the overall volume to be reviewed
and/or discovered. Most systems, amongst
other things, offer duplicate detection to
group textually similar documents together
to help the review process more efficient.
Digital technology also enables us to
practice the law outside of the traditional
office environment which is increasingly
relevant in our post COVID-19 world.
Through virtual meetings and negotiations
to video court appearances, being able to
adopt to these modern practices can only
serve to benefit a practitioner (and their
clients). The flexibility to practice from any
location is priceless, but we must ensure
that appropriate measures are put in place
to maintain cyber security. Having an
understanding of the risks and identifying
how to mitigate those is a good starting
point. B