THIS WEEK’S ARTICLES
Issue 32 18 Sep 2020
Cyber-security: a wake-up call for lawyers p1
Obituary: Colin Pidgeon QC, QSM pages 4 & 5
Borrowdale appeals, hires Jim Farmer QC p12
LawNews adls.org.nz
TECHNOLOGY AND THE LAW
Hackers fire a warning shot at law firms By Diana Clement
The recent spate of cyberattacks on several large New Zealand businesses – including NZX and Westpac–is a wake-up call for lawyers.
© Peerapong Boriboon | Dreamstime.com
Consultant Lloyd Gallagher of Gallagher & Co says there is a dangerous level of complacency about cyber-security among Kiwi law firms – something he has warned about for years, to little avail. Law firms might not realise how sophisticated these attacks are becoming and should take additional advice to double-check their security systems, says Gallagher, the convenor of ADLS’ Technology & Law committee. ”Your IT firm will get you 90% of the way. Then you need to take that 10% check to see they haven’t missed something. It’s not a reflection on it being a bad IT firm. But there is so much complexity around this for the potential to miss something.” “Not doing that independent review and doublecheck is not a reasonable step,” Gallagher says. “So liability is likely to fall directly with no excuse.” Michael Wallmannsberger, a cyber-security consultant and an ADLS council member, agrees. All too often law firms think security is an antivirus product and firewall or a small team in the basement. “This is not an IT problem,” he says. “It’s a business problem. You can’t have security in the abstract.” The fate of NZX after the “distributed denial of service” (DDoS) attacks earlier this month and the international ransomware attacks on law firms such as DLA Piper have fired a warning shot that no-one can ignore. DDoS attacks aim to make a website and/or the organisation’s intranets and computers unusable by flooding or crashing the website with too much traffic. A ransom, often in untraceable bitcoin, is
The cyberattack on NZX was one of the biggest in history
All too often law firms think security is an antivirus product and firewall or a small team in the basement. This is not an IT problem. It’s a business problem. You can’t have security in the abstract
Wallmannsberger says the NZX attack, one of the biggest in history, shows that even large organisations employing professional services firms such as Spark to provide network services, are still at risk. Law firms are by no means immune.
demanded to stop the attack. Other large organisations have been targeted in recent weeks including Westpac, the MetService, Stuff and Radio NZ. The attacks are widely believed to come from a Russian cyber-espionage group, Fancy Bear.
Client payments While a DDoS attack can take down a law firm’s website and possibly its intranet, a bigger fear is
The risks for a law firm are more than just their website/intranet/computers being out of action, the costs of fixing the problem and ransom payments. There is also a significant PR and reputational risk, Gallagher says. If the NZX attacks have a message for law firms, it’s that international criminal gangs are looking for soft targets. It’s inevitable, Gallagher says, that sooner or later a New Zealand law firm will hit the headlines, having fallen victim to a cyberattack.
Continued on page 2