Law firm data retention and cyber crime

Law Firm Data Retention in the Time of Cybercrime

The recent Cyber-attacks on Optus and Medibank may have grabbed most of the headlines with respect to Cyber breaches in Australia, but it is obviously a worldwide issue, with 2022 reports of data breaches at NATO, Samsung and Uber being just some examples. In Australia, there is now a report of a Cyber-attack every seven minutes, with attacks spreading to real estate and Defence. In fact, The Australian Cyber Security Centre’s (ACSC) latest threat report revealed that it had received more than 76,000 cybercrime reports in 2021-22 — a 13% increase (ABC). The agency also responded to 135 ransomware incidents during the last financial year, a 75% increase on the previous year.

Although there haven’t been any recently reported incidents of breaches in Australian legal firms we are aware of some incidences, and these, along with the aforementioned spate of major cyber-attacks, have made us wonder about the overall vulnerability of legal firms, and the risk associated with their retention of considerable volumes of client data. 

When we refer to Australian legal firms it should be noted that we are referring to a relatively small segment of the total legal market in terms of the number of firms – in general, the mid to larger firms, or 200 plus users, including several international firms - and often driven by the expectations of their clients, these firms have been investing significantly in cyber security. According to Neil Blum, Head of IT at Barry Nilsson, `the firm has seen a rapid and steadily increasing onus on its cyber security capabilities that is being driven primarily through client demand. The firm is now required to collect, use, share, store and transmit client data, acting in the capacity of data processors and controllers, therefore by extension, it has to be as secure as our clients. Maintaining a comprehensive Information Security Management System (ISMS) is crucial to continually meet the ever-increasing requirements for data security.’

The majority of larger Australian firms have invested in Mimecast’s cloud cybersecurity services for email, data, and web protection for critical communications, and as phishing is the main form of cyber-attacks, firms are also investing in cyber education in an effort to create cyber-aware cultures to better protect the business and client data. Another company that specialises in neutralising inbound email threats is Egress, a UK company that has recently expanded into Australia. While investments to date have provided a good level of foundational security, firms remain vulnerable to advanced phishing threats that are engineered to do significant damage, such as business email compromise and impersonation attacks, invoice and payment fraud, and account takeover attacks. Jack Chapman, VP of Threat Intelligence at Egress. warns that `these types of phishing emails rely heavily on social engineering and are built using the latest techniques to get through the signature-based protection provided by Microsoft 365 and secure email gateways, and trick people into falling victim despite training programs. Egress provides integrated cloud email security that detects advanced phishing threats directly within Microsoft Outlook, dynamically bannering emails to highlight the risk to the individual when they need it most (when faced with a phishing email!). The intelligent, AI-powered detection capabilities of Egress make it highly effective at detecting phishing attacks, while the banners provide real-time teachable moments that tangibly reduce risk.’

One telling revelation of these recent cyber-attacks is the amount of historical client data that organisations are retaining, often because it is easier to retain rather than purge, but also because there is a tacit recognition of its potential value. With respect to the legal sector, as Jack Geng, Special Counsel at Barry Nilsson, explains, `like many professional service providers, lawyers have a professional obligation to maintain client records. The motivation for maintaining client data is very different to many businesses as the accuracy and completeness of the client file may go to the heart of the legal service being provided. Lawyers are frequently required to advise on the most intimate aspects of their clients’ business and personal affairs, and the materials used (however trivial) to reach such an opinion may form a critical foundation of the advice provided. Just by way of example, a corporate client may ask me to advise on a claim by a third party against its business. The client may supply a bundle of sensitive materials. While not every document is going to be relevant to the advice, the inclusion of all the documents can demonstrate consideration of the totality of the client’s position. There is obviously much nuance to this position, but I see the real challenge for many lawyers is not necessarily purging non-critical data from their client file (doing so may be very time-consuming and costly for the client), but rather ensuring sufficient systems are in place to protect their client’s data once a matter has concluded. Archiving/destruction practices and procedures (including encryption of the whole file) will be critical for lawyers to ensure sufficient steps have been taken to protect their clients’ data.’

Consideration of these requirements has made it difficult to have a simple policy where one rule fits all, so it has always been easier to keep all client data indefinitely. Perhaps not surprisingly the recent publicity about data loss has prompted discussion within legal about data retention policies, or lack thereof, a recognition of the potential risk of holding historical data indefinitely. With respect to unstructured data, such as Word documents, this is usually filed in document management systems, and increasingly these are hosted in the Cloud, which provides high levels of security. Fortunately, the major Document Management Solution providers, such as iManage with its Records Manager, are making it easier to implement data retention policies that are applicable to individual client matters. Gianni Giust, Director ANZ for iManage, confirms that `the increasing number of data breach incidents and more stringent client requirements for data protection and information governance are driving significant interest in iManage’s Records Manager. Records Manager, part of the iManage platform, allows firms to simplify the management of both physical and electronic records and enforce governance policies automatically – including trigger events, retention periods, and disposition rules. Safe disposal of data that is no longer relevant helps to reduce the firm’s threat surface and the impact to the business in the event of a data breach.’

It is reasonable to assume that cyber security will continue to be a source of growing concern for all organisations, and inevitably insurers will increase premiums along with their expectations about what preventative security measures are being implemented to mitigate the risk of successful attacks. And it is also reasonable to assume that organisations that don’t invest sufficiently in the prevention and detection of cyber-attacks will be at the greatest risk. As Sam Sofianos, CIO at CBP, states, `the damage caused by a breach will far outweigh any investment in improving security’ and adds that `it is inevitable that firms will suffer a breach at some point, so the tools that allow timely intervention and containment are crucial as they should be able to mitigate the risk associated with a breach’. This suggests that it is not sufficient just to invest in technologies such as SIEMs (or SEIMs) from companies such as Rapid7, it is also imperative to have 24/7 monitoring to ensure timely intervention.

Authored by:

John Duckett

John DuckettDirector of InPlace Solutions

Subscribe to the Legal Practice Intelligence fortnightly eBulletin.   

Disclaimer: The views and opinions expressed in this article do not necessarily reflect the official policy or position of Novum Learning or Legal Practice Intelligence (LPI). While every attempt has been made to ensure that the information in this article has been obtained from reliable sources, neither Novum Learning or LPI nor the author is responsible for any errors or omissions, or for the results obtained from the use of this information, as the content published here is for information purposes only. The article does not constitute a comprehensive or complete statement of the matters discussed or the law relating thereto and does not constitute professional and/or financial advice.

Back to blog