Data breaches will cost firms more than money
In a world of emerging technology and growing cyber crime, data is now “the world’s most valuable resource”, with law firms a key target for cyber criminals – and the consequences are dire should they suffer a breach.
Cyber crime has surged in recent years in Australia, with five major data breaches – each one seemingly larger and more serious than the last – occurring in the last year alone.
In Australia, the 2020 Australia Digital Trust report noted that a four-week disruption to “critical digital infrastructures” caused by a cyber attack would cost the Australian economy $30 billion and more than 163,000 jobs.
What’s more, the legal sector is one of the most targeted when it comes to cyber attacks. And while a data breach can cause significant harm to consumers, a breach could cost firms millions of dollars, not to mention their business reputation and clients.
This, Quantum Law Group partner Justine Zhou said, only confirms that data – and data breaches – should be treated as a significant risk for firms, particularly as technology continues to evolve.
“It is well-settled that in today’s economy, the world’s most valuable resource is no longer oil, but data. Accordingly, data should be treated with the seriousness that it deserves. It is imperative that businesses and the Privacy Act 1988 (Cth) rise to this occasion to meet the new data economy,” she said.
“To avoid hefty fines and potential lawsuits, it is vital for organisations and law firms to implement robust data protection measures, including security safeguards, breach response plans, and privacy policies to minimise the risk of data breaches and comply with legal obligations. It is also vital for law firms to remember that cyber threats are constantly evolving. Some threats have employed advanced techniques such as artificial intelligence, automation, and machine learning to leverage highly targeted and evasive attacks.”
These concerns were echoed in the 2023 State of Cyber Maturity for Australian Law Firms report from DotSec, released in April this year. The report stated that the trust of lawyers could be under scrutiny as the threat of cyber attacks grows.
The survey, produced in collaboration with Momentum Intelligence and Lawyers Weekly, asked hundreds of legal professionals to share their approaches, motivations, decision making, and management towards cyber security.
One in four respondents said they were aware of a cyber security breach in the last two years – but only 48 per cent of legal professionals were confident their firm was able to detect and respond to security breaches.
Further, the majority of respondents were unsure of what security frameworks their organisation was compliant with – and most law firms lack an understanding of how cyber security can be a competitive advantage. This is particularly concerning given that legal firms are the third-most targeted sectors, according to OAIC’s Notifiable Data Breaches Report, with 51 data breaches recorded in 2021. Fifty-five per cent of breaches were due to malicious or criminal attacks.
Cyber risk should be a key focus for all businesses, including law firms, Hall & Wilcox partner and head of cyber Eden Winokur told Lawyers Weekly.
“Law firms are businesses and should be taking appropriate steps based on their size and the type of information they collect,” he said.
“The very nature of legal practice generally means we hold confidential and other sensitive information, so I think law firms should be focused on cyber risk mitigation.”
Moreover, when commenting on the report’s findings in April, DotSec owner Tim Redhead said legal firms with a culture of investing in cyber security at all levels are able to better articulate their unique propositions to clients.
“In a rapidly evolving threat landscape, there are clear benefits for investing in the protection of your information. However, with a small shift of focus and a clear articulation, alongside accreditation with compliance frameworks, legal firms can position themselves as a leader,” he said.
“To move effectively on this journey, legal firms need to educate their staff in the importance of cyber security for the threat, compliance and opportunity of the investments.”
Breaches and consequences
On 13 October 2022, Medibank confirmed to the market that it had detected “unusual activity” on its network, before disclosing that customer data had been accessed and stolen, affecting as many as 9.7 million current and former Medibank, ahm, and international student customers. The attack was launched by the Russian REvil hacking group, which demanded $15.6 million in ransom for the release of the data.
In June this year, the Australian Prudential Regulation Authority (APRA) announced that as punishment for the breach, Medibank’s requirement to hold capital would increase by $250 million starting from July as part of the Private Health Insurance (PHI) Capital Framework.
The Medibank breach followed “potentially the most serious privacy breach in Australian history” (at the time); whereby millions of Optus customers had their names, dates of birth, phone numbers and email addresses stolen by cyber criminals, as well as license and passport numbers in some cases.
Both data breaches prompted numerous class actions, which you can read about here and here – and raised serious regulatory concerns.
“The recent severe events of data breach raise years of inadequacies surrounding not only the Privacy Act 1988 (Cth) but also the lack of recognition of the role that data plays in our digital age,” Ms Zhou said.
“There are both legal and business implications from data breaches, both in SMEs and in big enterprise. Firstly, Australia has regulations and legislation, such as the Privacy Act 1988 (Cth), in force to deal with cyber security and privacy. However, recent events show that there is a lack of strict adherence and implementation for these breaches.”
Then, in May this year, HWL Ebsworth – which has nine offices across the country and the biggest partnership of any law firm in Australia – confirmed that a Russian-backed ALPHV ransomware group, also known as BlackCat, hacked into an employee’s personal computer and allegedly stole more than four terabytes of data from the firm’s Melbourne server, including client and staff documents.
HWL Ebsworth partner Andrew Miers then confirmed in an affidavit submitted to the Supreme Court of NSW that HWLE has, so far, incurred over $250,000 in costs to conduct a comprehensive review into the leaked data – and that that cost is only expected to grow.
Since then, major clients of HWLE have reportedly been impacted by the breach, including the Tasmanian government, files of the Queensland state government, the federal Fair Work Ombudsman and local neobank Judo Bank.
More recently, ASX-listed lender Latitude Financial suffered a major cyber attack that affected 14 million customer records, making it the largest data breach yet for an Australian company.
One customer has already filed a $1 million lawsuit against the organisation, and a potential class action is on the horizon, with Gordon Legal and Hayden Stephens and Associates currently investigating whether Latitude had taken proper steps to secure its data.
This came after IP services group IPH Limited (ASX: IPH) detected unauthorised access to a portion of its IT environment in mid-March. It subsequently halted trading and launched an investigation into the breach.
The cyber attack was on two of the intellectual property law group’s member firms: Spruson & Ferguson (Australia) and Griffith Hack. That data breach was later revealed to have cost the firm an estimated $2 million to $2.5 million, as reported by Lawyers Weekly at the time.
Following this, law firms of all sizes were advised to take note of the breach and take proper precautions to protect themselves from cyber criminals – such as implementing protective measures, like cyber insurance and taking a closer look at their positive security obligations. This is especially relevant in light of the HWLE breach – but the DotSec cyber maturity report found that 51 per cent of Australian law firms are not confident in their ability to detect and respond to cyber threats.
And as cyber security hacking incidents become more “common and formidable”, so do the actions related to them, raising potential questions as to what – and how much – data a company is allowed to keep on file.
“The Privacy Act 1988 (Cth) states that businesses such as Optus can only use personal information for the purpose of which they have collected it. Companies must then reasonably destroy or remove information once it is no longer needed for that purpose. In the case of Optus, IDs are checked and personal data collected to set up mobile or internet connections. However, some of the victims of the cyber attack have not been customers of Optus for over a decade. This means Optus failed to destroy or de-identify data that they no longer needed,” Ms Zhou explained.
“Similarly, the cyber attack on Latitude, the Australian personal loan and financial service provider, showed that the company had been storing customer records beyond the required seven-year time frame. It must be noted that the language used in the act is vague and relies heavily on words such as ‘reasonable’. This may give businesses wiggle-room to interpret adherence.”
Cyber security a must in FY24
The International Bar Association recently released a report emphasising the importance of cyber security for senior leaders, highlighting that law firms hold “large volumes of valuable personal and commercially sensitive information about their firms, employees, case information and clients”, making them a highly attractive target for cyber criminals.
“Data breaches can happen to any company, even some of the largest in Australia. All businesses should be investing in cyber resilience; taking reasonable steps to prevent a cyber attack and being prepared to respond to a cyber attack, and cyber response; and having a tested plan that can be executed if an attack occurs to mitigate its impact,” Mr Winokur explained.
“This is more important now than ever, as data breaches can expose businesses to a wide range of legal risks. These include regulatory investigations, regulatory complaints, demands from clients or customers, and, as we have seen more recently, class actions. This is in addition to the IT restoration costs and reputational harm that can be suffered.”
According to Dotsec’s Legal Cyber Study Report, threats remain the single most driving factor for cyber security improvement, with only 3 per cent of organisations solely focused on how cyber security can provide a competitive edge for “winning and keeping clients”.
However, despite 49 per cent of cyber attacks being detected internally, there was also a significant percentage (32 per cent) that was detected by clients and third parties. Twelve per cent of attacks were only detected post-incident.
Criminal threats aside, a cyber incident can also drive down an organisation’s share price and damage its reputation, especially short term. In fact, data from Bitglass back in 2019 showed that companies in the US suffered an average decline of 7.5 per cent in stock value following a data breach.
“Even big enterprises cannot ignore the loss of business reputation caused by a loss of customer trust. The net subscribers of Optus was at 121,000 from September to March following the cyber attack, which was less than half of the 304,000 prior to the attack,” Ms Zhou added.
“Singtel’s (which acquired Optus in 2001) share price was also 1.12 per cent lower after Optus announced the attack. To prevent more reputational damage, Optus’s CEO released a formal apology, and the company allocated $140 million to cover data breach costs, including replacing identity documents and investing in additional cyber protections.”
As such, BigLaw partners expressed the “pressing need” for the establishment of a specialist cyber panel, and last year, the Labor government revealed an overhaul of the country’s cyber security strategy, focusing on increased education and tougher penalties.
This came after cyber incident and data breach class actions climbed in the US, prompting big organisations to look at their cyber security measures and setting precedents in Australia.
“The government has already proposed 116 changes to the Privacy Act, and legal practitioners and businesses are eagerly awaiting to see a draft bill. Aside from that, Australia has already bolstered legislation relating to the security of critical infrastructure,” Mr Winokur added.
“There’s been some suggesting a new cyber specific legislation that would sit above what we currently have. If that was to be proposed, it would be interesting to see what it looks like. My view is that the focus should always be on good regulation. Good regulation gets good outcomes.
“When it comes to hot tips to takeaway, [we] all need to do an audit of what we are holding and why we are holding it. Most businesses are holding data they don’t need anymore. And I actually think [third-party risk] is the biggest issue for businesses to address in the next 12–24 months. It’s ok to share data, but businesses should make sure they have adequate contractual controls in place to set expectations around security, use, deletion and notifications.”
A breach can cause ‘irreversible harm’ to boutiques and SMEs
Following the Optus breach, smaller firms were warned that they were “sitting ducks” and were advised to become more diligent – especially as they typically don’t have the same resources as larger firms to protect against online criminals.
This is particularly true given the costs associated with large breaches; IPH’s breach costs the firm millions, which could bankrupt a smaller firm. The IBM data breach report also showed that the average cost of a data breach in 2023 across the globe was US$4.45 million, a 15 per cent increase since 2020.
“Although big enterprises may be able to handle fines and a marginal loss of reputation and still keep afloat, SMEs and small firms do not have that latitude and, with the Privacy Act Amendment, may find themselves potentially bankrupt if they do not bolster their cyber security system. According to the Australian Small Business and Family [Enterprise] Ombudsman, over 60 per cent of Australian SMEs don’t survive a cyber attack or breach,” Ms Zhou confirmed.
“Understandably, a kink in a small firm’s cyber security can lose them revenue, seeing as small firms are often part of larger supply chains such as companies or partners for larger organisations. Cost for recovery and remediation due to ransomware, which contributes to around 81 per cent of financially motivated cyber crimes globally, can cripple small to medium enterprises.
“Small businesses also rely heavily on customer loyalty. Customers are unlikely to continue with a business that cannot protect their interests. Businesses and firms are also subject to industry-specific regulations and compliance requirements, including answering a range of inquiries from the Office of the Australian Information Commissioner, the Attorney-General, the Australian Signals Directorate (ASD), and the AFP for data breaches.”
However, these warnings also apply to BigLaw firms, added Mr Winokur.
“A major cyber attack can cause irreversible harm to an SME or small firm, particularly due to reputational harm and exposure of confidential client documents. SME and smaller firms are generally in a more vulnerable position as they won’t necessarily be able to invest the same amount of money or time compared with larger businesses when it comes to cyber resilience and cyber response,” he said.
“Law firms have been hot targets by cyber criminals globally, and unfortunately, that applies to Australia. It is conceivable that a cyber attack could force a law firm out of business. It’s happened to other professional service operators, and it will happen to law firms.”
Lauren Croft
Lauren is a journalist at Lawyers Weekly and graduated with a Bachelor of Journalism from Macleay College. Prior to joining Lawyers Weekly, she worked as a trade journalist for media and travel industry publications and Travel Weekly. Originally born in England, Lauren enjoys trying new bars and restaurants, attending music festivals and travelling. She is also a keen snowboarder and pre-pandemic, spent a season living in a French ski resort.