Law firms have much to do to provide the best possible assurance against data breaches. And Australian law for cyber security and data protection is unnecessarily complex, fragmented and leaves important gaps that need to be filled.
Such are the conclusions of a survey of 250 Australian lawyers released in November 2019, together with the findings of six panel events held around Australia that brought together specialist lawyers and cyber security experts. The survey, conducted by the Governance Institute of Australia, is titled Decoding Cybersecurity: Clause and Effect.
Cyber security is all about planning
Australian lawyers responding to the survey agreed that the essential element of cyber security is planning, but that law firms, in general, are not making enough of a preparatory effort.
“We’re much more likely to do a fire drill than a data breach drill. And when I say drill, I don’t mean testing if people can spot a phishing email. I mean getting the senior executives in a room and running a ransom demand scenario and seeing how people react,” admits one survey respondent.
In fact, more than 63% of respondents named human error as the most important factor in data breaches. Yet only 22% of the lawyers surveyed felt they were fully aware of the dimensions of the human-error threat.
“Most of the vulnerabilities within Australian legal firms could be attributed to lack of awareness and lack of understanding, not only about the type of information you hold or the value of that information to a potentially malicious third party, but also the protections that need to be put in place around the many systems used to access, store and back up this information, and also the protections around how that information is transmitted,” one respondent complains.
This highlights a clear need for better education about what is required to keep data secure, and about the importance of applying those measures consistently, the survey notes.
Recommendations for cyber security planning
The survey makes the following recommendations:
- People must be educated about the business's cyber security controls and empowered to speak up if they feel these are lacking or suspect anything untoward. People must be continuously trained in how to spot breaches through bi-weekly exercises, phishing tests and incident response rehearsals.
- Law firms must implement, communicate and enforce clear procedures and rules around the use of technology and data transmission. At a minimum these should include guidelines around working from home, use of third-party platforms such as Gmail or Dropbox and use of mobile phones.
- Cyber resilience and incident response strategies must be developed, continually updated, and rehearsed so that they are up to date and ready for when they’re needed.
Cyber security law is inadequate, say 82% of lawyers
As regards Australian cyber security law, 82% of the Australian lawyers surveyed believe that it is inadequate.
“The reality is that there are actually quite a lot of data laws, but there is a gap in the sense that there is no harmonised or clear cyber security law in Australia,” comments one respondent.
What’s more, 47% of survey respondents said that better laws are needed. “There was, however, agreement amongst panellists that a lack of harmonised or dedicated cyber security laws in Australia means that there is now a poorly aligned patchwork of legislation that is used to govern actions in the digital space.
- Existing criminal codes can be used to cover digital offences. The crime ‘Receipt of stolen goods’ was notably used by the Australian Federal Police in June 2019 as the basis for a raid on ABC headquarters – the ‘goods’ in that case being digital files received by journalists.
- Sector-specific legislation such as the Telecommunications Act 1997 or the Security of Critical Infrastructure Act 2018 imposes guidelines and obligations around reporting of security incidents that are reasonably extended to digital activities.
- Directors who do not exercise due care and diligence in ensuring the cyber security of the Company could be in breach of their statutory obligations under the Corporations Act 2001.
- There is growing pressure from regulators such as ASIC, APRA and the ACCC, who now include cyber resilience as part of the risk management and disclosure obligations for entities in their respective sectors.”
“There have been a number of laws that have been very slowly adapted or have evolved over time, but we don’t have a Lord of the Rings type one piece of legislation which covers it all. We have a series of different laws at both State and Commonwealth level which try and regulate cyber activity together.”
The Privacy Act 1988 could be described as the ‘go-to’ piece of legislation when people consider Australian cyber security law. The recent inclusion of the Privacy Amendment (Notifiable Data Breaches) Act 2017 has made it the most comprehensive piece of legislation relating to data handling in Australia, and it is considered by many as Australia’s answer to Europe’s General Data Protection Regulation (GDPR), according to the survey.
But there are gaps in the Act, the survey finds. The Act does not, as a general rule, apply to businesses with annual turnover of AUD 3 million (about $2.03 million) or less, for example. The definition of a “significant breach,” meaning one that requires notification of all those affected, is not clear. And consumers do not have a ‘right to be forgotten’, which is a prominent feature of the GDPR.
Considering the gaps in Australian legislation, and the lack of preparation at law firms (and other businesses), technology that supports security at every level would be a desirable choice.
Diligent Governance Cloud provides the highest grade of security
To maintain the standard of security that law firms require, Diligent’s Governance Cloud, the software that has set the standard for Modern Governance, also provides the highest level of security.
With so much at stake and so much to oversee, Diligent’s integrated solutions address all director needs. A fully integrated Enterprise Governance Management system will aid board directors in developing governance frameworks that work for the benefit of the board, managers, shareholders and stakeholders.