THIS WEEK’S ARTICLES
Issue 17 4 Jun 2021
Slack cybersecurity = high litigation risk for lawyers p1
How our new overseas investment regime will work p3
Halifax decision: firstever trans-tasman court hearing p5
LawNews adls.org.nz
CYBERSECURITY/LITIGATION/PRIVACY
Slack cybersecurity poses big risk for law firms By Diana Clement
In the wake of the ongoing Waikato DHB cybersecurity debacle, law firms failing to get their security systems in order face not only reputational damage but also litigation risk.
Photo by Kinga Krzeminska / Getty Images
Cyberattacks are becoming more sophisticated and law firms should consider themselves prime targets, say lawyers who specialise in the technology space. Last month hackers took down the Waikato DHB’s telephone and computer systems and copied confidential patient data, which was then leaked to the media. Law firms handle client monies, information and data, which can be valuable to cyber criminals, says ADLS Technology & Law committee member, James Ting-Edwards. Building trust and maintaining confidentiality is at the core of the work that lawyers do.
Law firms should consider themselves prime targets for hackers
Arguing “we did our best” doesn’t cut it. “Unfortunately, in a crisis the first person to get sued is the lawyer,” Ting-Edwards says. Technology lawyer Rick Shera, of Lowndes Jordan, says not only could law firms face litigation risk but also expensive privacy claims in the event of a hack. “I do think that if a law firm failed to take simple steps and, for example, got caught out in a business email compromise [where] altered trust account details sent to a client from the firm’s hacked email system led to payment of settlement funds to a hacker, it would quite possibly be liable now that there has been so much publicity. “Whether a ransomware attack that causes a client’s transaction to be delayed, for example, would fall into the same category, I don’t know.” Even if clients can’t sue their law firm, the
The weakest link in a law firm’s IT system could be a single staff member who has lax password hygiene or likes to click on email links Human Rights Review Tribunal can award up to $350,000 per claimant in a class action for privacy breaches resulting from a hack. The awards are compensatory, according to actual harm suffered, says Privacy Commissioner John Edwards. The
largest award to date is $168,000. Edwards is not expecting to see multiple clients receive $350,000 each in the event of a breach. “If [however] a like group of clients had been affected by the same leak, they might get an award of $5,000 or $10,000 each.” That could add up across a client database of, say, 60 to 70 files, he says. Since 1 December last year, when the Privacy Act 2020 came into force, law firms have been subject to mandatory reporting of serious privacy breaches to the Privacy Commission. Under the new law, almost any breach of a law firm’s systems would trigger notification obligations, given the confidentiality of the information they hold, Shera says. Continued on page 2