Opinion and Commentary

It’s time to get our heads out of the sand and into the Cloud

Written by Alexandra Douvartzidis, Associate at HWL Ebsworth Lawyers, Legal Technology Committee (SA), Young Lawyers’ Committee (SA), and Alexandra Harris, Senior Associate at Tindall Gask Bentley Lawyers, Legal Technology Committee (SA), Accident Compensation Committee (SA).

Data breaches and cyber-attacks are occurring more frequently in Australia. In November 2021 the South Australian Government was the victim of a ransomware attack. The government first disclosed the extent of the data breach that month, when it said at least 38,000 employees had their records stolen and, in some cases, published on the dark web. It was later revealed that the breach affected almost 80,000 employees.

The South Australian Government is not the only victim of large cyber-attacks. From attacks on other State Governments affecting hundreds of thousands of people, to Canva’s breach in 2019 affecting approximately 139 million of its users, cyber-attacks are almost a part of everyday life. Even though the Australian Government is revising its cybersecurity frameworks and policies, businesses, including law firms, cannot rely exclusively on the government for protection against cyber-attacks.

It has become increasingly essential for lawyers and law firms to understand, embrace and implement emerging legal technologies in their individual practice and overarching firm policies, not only to improve efficiencies and work flow generally, but also to protect clients’ and their own sensitive information.

It is somewhat obvious that law firms will competitively benefit from keeping up to date with technology and integrating it into their everyday practice. Every day we are seeing an increasing amount of firms and Courts around Australia move away from traditional paper storage to cloud-based storage and document management systems.

What isn’t as obvious is the concept that being a ‘tech savvy’ lawyer, or at the very least keeping up to date with the latest technological advancements potentially falls under the overarching ethical obligations that lawyers must abide by.

This article considers a common type of cyber-attack in detail, what are the risks and consequences for practitioners, and how practitioners can avoid cyber-attacks. We also consider what steps practitioners should take if an attack occurs, and what are the general benefits of increasing your overall knowledge of technology in everyday practice.

What is a “cyber-attack” and what are the common types?

A cyber-attack is when cybercriminals use a computer to disable systems, steal and/or destroy data and information, or use a breached computer system to launch additional attacks. Cybercriminals launch cyber-attacks using methods that include malware, phishing and ransomware, among others. Criminally motivated attackers generally seek financial gain, either through the theft of money itself or through the theft of data that they can hold to “ransom”, seeking payment for its return or destruction. Occasionally, an attack is launched merely to disrupt a company’s systems, or for a multitude of other reasons.

From ransomware to malware, the types of cyber-attacks individuals and companies face today are endless. For the purposes of this article, we focus on the key cyber-attack method of ‘phishing’ commonly faced by practitioners.

Phishing is where cybercriminals send fraudulent messages in an attempt to steal confidential information, such as banking logins, credit card details, business login credentials or passwords/passphrases. Unlike an attack that exploits a technical flaw, phishing relies on deceiving a person into voluntarily providing the information.

‘Spear phishing’, for example, is where the messages are crafted to target specific individuals and/or organisations. It is not uncommon for more sophisticated messages to contain material that is true (or appears likely to be true) to make them seem more genuine.

Spear phishing often relies on ‘social engineering’ for its success. Social engineering is a way of manipulating people into taking an action by fashioning very realistic ‘bait’ or messages. It usually involves a great deal of research by the cybercriminals on their intended victims.

The message itself will usually lead the unsuspecting recipient to a fake website that either harvests the credentials they type in or delivers malware, which is malicious software designed to compromise, damage or take control of computer systems.

The technique of spear phishing is one of the key factors leading to the successful cyber-attacks commonly known as ‘business email compromise’ (BEC). One example of a BEC is where cybercriminals, using spear phishing techniques, target companies that use online invoicing. The sting involves gaining remote access to a business’s (or a customer’s or client’s) email account and lying in wait for the perfect opportunity to strike.

They will usually ‘keep watch’ for a while and get a feel for the type of emails and invoices being sent. The access is often obtained simply with login credentials captured by the phishing message rather than with malware, and the attacker may quietly set up mailbox rules that forward or hide messages so the account holder does not notice.

When the opportunity arises, they intercept the invoice, change the bank account details and send it on to the victim for payment.

Common examples involve a business sending an invoice for payment that is intercepted shortly afterwards, and there have also been reports of real estate agencies sending trust account details by email, resulting in significant house deposits being lost to criminals in an instant.

It is devastating, and all too easily avoided with the right knowledge and use of technology.

Bank details should never be exchanged via email, as doing so leaves the sender vulnerable to a third party intercepting the email and editing the bank details so that monies are transferred to an account the criminal controls. Once this happens, recovering the money is very difficult and often impossible.

It is not uncommon to receive a scam email that is tailored to your firm. For example, you may receive an email from a prospective client. It may include a link which you are required to click to access their ‘documents’ (for example, a link which appears to be Dropbox or a similar application). The message may also appear to come from a co-worker, such as a senior practitioner delegating tasks, using your co-worker’s name and the firm’s signature template to appear more realistic.

Equally concerning, and often less easy to identify, is when a scammer sends an email or message which appears to be from your own firm’s IT department (or another department). They may send a message appearing to be from your own company’s IT helpdesk asking you to click on a link and change your password because of a ‘new policy’.

According to the ACCC’s Targeting Scams report, BEC scams caused the highest losses across all scam types in 2019, costing businesses $132 million. Scamwatch alone received almost 6,000 reports from businesses in 2019 with $5.3 million in reported losses. False billing, which includes BEC scams, was the most commonly reported type of scam.

What are the risks and consequences for lawyers if a cyber-attack occurs?

Practitioners must realise the integral role played by technology in the legal profession and the consequences for practitioners when a cyber-attack occurs.

Practitioners store and use personal and commercially sensitive information about their clients. If a law firm is the victim of a cyber-attack, the consequences can be overwhelming for both the clients and the practice itself. Overall, failing to be cautious of the risks, and failing to incorporate appropriate technology into everyday practice, could ultimately result in a breach of a practitioner’s conduct obligations.

For example, a cyber-attack may amount to breach of the South Australian Legal Practitioners Conduct Rules (the Rules), which sets out, amongst other things, that one of the fundamental duties of legal practitioners is to deliver legal services competently, diligently and as promptly as reasonably possible, and to ensure they avoid any compromise to their integrity and professional independence. The Rules also require practitioners to ensure that they do not disclose any information which is confidential to a client and is acquired during the client’s engagement.

The bottom line: as a practitioner, you are responsible for keeping your client’s information safe.

Even if sensitive information isn’t affected during a cyber-attack, the consequences of an attack can affect the ongoing operations of the firm. For example, a major law firm was hit by a malware attack which compromised its operations for days. The firm had limited to no access to its computers or emails. It was reported that the firm’s IT employees had to spend approximately 15,000 hours in overtime to address the issues.

So, how can you avoid a cyber-attack?

Practitioners should always be vigilant with their communications and use of technology, including computers and mobiles. Here are some tips prepared by the Australian Cyber Security Centre and the South Australian Law Society on how to reduce the risk of a cyber-attack:

  • Do not open any attachments or click on any links in emails where the sender is unknown. These links may redirect to a file or a malicious login page which can take control of your computer or capture your login details.
  • Before you click a link (in an email, on social media, in an instant message, on another web page, or elsewhere), hover over that link to see the actual web address it will take you to (usually shown at the bottom of the browser window). If you do not recognise or trust the address, try searching for the relevant key terms in a web browser instead. This way you can find the article, video or web page without clicking on the suspicious link.
  • Even if the sender appears to be, or is, known to you, it is prudent to check with the sender that the email is genuine. Targeted attacks by professional hackers can easily masquerade as, and camouflage themselves to look like, genuine emails. Emailed directions with respect to money and trust transactions should always be confirmed verbally, using a phone number you already hold rather than one given in the email.
  • If you’re not sure, talk through the suspicious message with a co-worker, or check its legitimacy by contacting the relevant business or organisation (using contact details sourced from the official company website).
  • Install anti-virus software on all devices and set it to apply updates automatically and conduct regular scans.
  • Account details for payment should always be provided verbally, or in a written document such as a bill or retainer letter, and should not be included in the body of an email. Such details can easily be modified by the techniques described above. If the bill or retainer letter containing the bank details is sent via email, it should be sent using proper encryption software so that third parties cannot gain access to it.
  • Educate your clients about cyber-attacks and advise them to contact you immediately if they receive any suspicious or apparently fake emails. Such emails may take the form of a request to pay money, provide details, or upload or download files. If you become aware of such activity, you should advise the client to refrain from acting on any further emails until the matter is confirmed verbally.
  • Have sufficient cyber-crime insurance in place.
  • Implement a cyber-attack procedure and plan for typical and worst-case scenarios.
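Several of the tips above (hovering over a link to compare the shown address with the real one, checking that a message really comes from the colleague it names, and never accepting bank details in the body of an email) can be turned into a simple automated screen. The script below is an added example, not code from the original article or the Law Society; the firm domain, staff names and the sample message are all constructed for illustration. It parses a raw email and reports a Reply-To that diverts replies to another domain, a colleague’s display name on an address outside the firm, link text that names one host while the href goes elsewhere, and bank details appearing in the body.

```python
"""Heuristic screen for a suspicious email, mirroring the tips above.

Added example with constructed data: FIRM_DOMAIN, KNOWN_STAFF and SAMPLE are
hypothetical and stand in for a firm's real domain, staff list and mail.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRM_DOMAIN = "example-law.com.au"            # hypothetical firm domain
KNOWN_STAFF = {"jane partner", "sam senior"}  # hypothetical colleague names
BANK_DETAIL_RE = re.compile(r"\b(BSB|account\s+(?:number|no\.?)|IBAN|SWIFT)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(value):
    """Hostname of a URL, or of URL-looking link text, minus a leading 'www.'.

    Returns None for plain words such as 'click here', which cannot be compared.
    """
    if "://" not in value:
        if not re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", value, re.I):
            return None
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def screen_email(raw, firm_domain=FIRM_DOMAIN, known_staff=KNOWN_STAFF):
    """Return a list of (check, detail) findings; an empty list means nothing tripped."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender = msg["From"].addresses[0]

    # 1. A Reply-To on another domain quietly diverts the conversation elsewhere.
    if msg["Reply-To"]:
        reply = msg["Reply-To"].addresses[0]
        if reply.domain.lower() != sender.domain.lower():
            findings.append(("reply-to-mismatch", f"{sender.addr_spec} -> {reply.addr_spec}"))

    # 2. A colleague's display name on an address outside the firm.
    if sender.display_name.lower() in known_staff and sender.domain.lower() != firm_domain:
        findings.append(("display-name-spoof", sender.addr_spec))

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    # 3. What the link shows versus where it really goes (the 'hover' check).
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for shown, href in collector.links:
            shown_host, real_host = _host(shown), _host(href)
            if shown_host and real_host and shown_host != real_host:
                findings.append(("deceptive-link", f"shows {shown_host}, goes to {real_host}"))

    # 4. Bank details in the body: these should never travel by email.
    m = BANK_DETAIL_RE.search(text)
    if m:
        findings.append(("bank-details-in-email", m.group(0)))
    return findings


# Constructed sample: a spear-phishing message of the kind described above.
SAMPLE = b"""\
From: "Jane Partner" <jane.partner@example-law-mail.com>
Reply-To: accounts@payments-update.example
To: associate@example-law.com.au
Subject: Updated invoice - urgent
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi, please pay the attached invoice today. Our BSB and
account number have changed.</p>
<p>Documents: <a href="http://dropbox.example-files.net/login">https://www.dropbox.com/s/docs</a></p>
</body></html>
"""

if __name__ == "__main__":
    for check, detail in screen_email(SAMPLE):
        print(f"{check}: {detail}")
```

Run as a script it lists all four findings for the sample message. The checks are deliberately coarse: a legitimate newsletter can use a tracking host in its links, and a firm may well have a second email domain, so this is a prompt to pick up the phone, not a verdict. Tuning `FIRM_DOMAIN` and `KNOWN_STAFF` to your own firm is the minimum before using it on real mail.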

The Australian Cyber Security Centre has also developed the ‘Essential Eight’ mitigation strategies to help avoid cyber security incidents. Six of the eight are summarised below; the remaining two are patching operating systems (in the same way as applications) and configuring Microsoft Office macro settings so that macros from the internet are blocked.

  • Application Whitelisting (now called application control by the ACSC): specifying a list of approved software applications or executable files that are permitted to be present and run on a computer system, so that anything else, including malware, is blocked.
  • Patch Applications: application patch management is the process of testing, acquiring and installing patches (code changes) on computer systems to remove known vulnerabilities, with extreme-risk vulnerabilities patched within days.
  • User Application Hardening: disable any unneeded applications and features that are likely to increase risk (such as Java in web browsers, Flash, and web advertisements), and block Office from creating child processes.
  • Restrict Administrative Privileges: restrict access to administrative accounts and operating systems based on user duties, do not use privileged accounts for reading email or web browsing, and re-validate access to systems regularly.
  • Multi-Factor Authentication: multi-factor authentication (MFA) is a security measure that requires two or more proofs of identity before granting access, so that a phished password alone is not enough to log in.
  • Maintain Daily Backups: take daily backups of important data, software and configuration settings so that a copy survives a ransomware attack or other data loss; keep the backups disconnected from the live systems so they cannot be encrypted too, and test restoring from them.

You’ve had a cyber-attack, what do you need to do?

If the cyber-attack has potentially led to sensitive and confidential information being stolen, destroyed and/or altered, it is important that the breach is reported through the appropriate channels.

Remember, even in circumstances where information may not have been affected, practitioners should report a cyber-attack. Practitioners should consider whether to report to the following entities:

  • South Australian Police
  • Australian Cybercrime Online Reporting Network
  • The South Australian Law Society
  • Scam Watch
  • Consumer & Business Services

Further, if the cyber-attack has resulted in a data breach (meaning personal information is accessed or disclosed without authorisation, or is lost), then under the Notifiable Data Breaches scheme an organisation or agency that must comply with Australian privacy law has to tell the affected individuals if the data breach is likely to cause them serious harm.

An organisation or agency who has existing obligations under the Privacy Act must also report any serious data breach to the Office of the Australian Information Commissioner.

This includes Australian Government agencies, businesses and not-for profit organisations that have an annual turnover of more than AU$3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients.

Generally, an organisation or agency (which has an obligation under the Privacy Act to report) has 30 days to assess whether a data breach is likely to result in serious harm.

When a data breach occurs, an organisation or agency must endeavour to reduce the chance that an individual experiences harm. If they’re successful, and the data breach is not likely to result in serious harm, the organisation or agency is not obligated to advise the individual about the data breach.

Should we apply this approach to the concept of maintaining client confidentiality – i.e., take it a step further and notify the party whose confidentiality has been breached as soon as practicable? Some would say yes, and indeed many law firms are erring on the side of caution and creating internal policies dealing with this very issue.

For example, sending an email to the wrong recipient is all too easily done. It may be prudent to set up internal firm policy (as indicated above) providing some guidance around how individuals in the firm should respond to such an error. A simple step by step process may look like:

  • Contact the unintended recipient immediately and request that they destroy the email; and
  • Contact the affected individual whose confidentiality has been breached and explain the situation, including if applicable confirmation that the content has been destroyed by the unintended recipient.

What are some other benefits for being “tech-savvy”?

Being “tech-savvy” is not just important for avoiding cyber-attacks. Practitioners ought to turn their minds frequently to the vast array of technology available to them and ask how they can use it in their everyday practice for the ultimate benefit of their clients.

Embracing technology in legal practice can result in quicker, more cost-effective communication, better security and the freedom to work outside the four walls of the office.

For example, we have long embraced email as a main form of communication with clients (and others) in practice. Email enables effective and fast communication. Today, the majority of practitioners communicate through email more often than by phone. Not only are we communicating through email, we are creating a written record at the same time.

Technology surrounding security measures (such as firewalls and other protection software) allow businesses such as law firms to protect and maintain client confidentiality as well as protect transactions surrounding trust monies and associated transactions.

The use of cloud storage and document management systems (if used safely) can streamline significant tasks such as electronic discovery (eDiscovery). eDiscovery systems will often allow firms to create ‘shortcuts’ to streamline the review of documents. For example, eDiscovery systems provide tools to analyse documents and reduce the overall volume to be reviewed and/or discovered. Most systems, among other things, offer duplicate detection that groups textually similar documents together to make the review process more efficient.

Digital technology also enables us to practise law outside the traditional office environment, which is increasingly relevant in our post-COVID-19 world. From virtual meetings and negotiations to video court appearances, being able to adapt to these modern practices can only benefit a practitioner (and their clients). The flexibility to practise from any location is priceless, but we must ensure that appropriate measures are put in place to maintain cyber security. Understanding the risks and identifying how to mitigate them is a good starting point.

Originally published April 2022 in The Bulletin. https://www.lawsocietysa.asn.au/Public/Publications/The_Bulletin.aspx