Posted by Rachel Holland on September 1 2023 in News

Cyber security and data breach responses remain of utmost importance for all businesses. With the confidentiality requirements and large financial transactions which law firms undertake, it is especially so in the business of law.


How big is the problem, and what are we doing about it?

The recent data breach incidents at the Australian law firm HWL Ebsworth and at Mahony Horner Lawyers in Wellington have highlighted the breadth of companies and individuals whose information can be compromised through a law firm breach. HWL had amongst their clients government agencies and the four big banks, and held data related to hundreds of clients that spanned over five years. One of the risks which came to light with the New Zealand breach is the value to cyber criminals of the clients’ identity information (mostly passports and driver's licenses). Such information must be held for five years, as required by the Anti-Money Laundering and Countering Financing of Terrorism Act 2009.

This is a growing problem as legal service providers need to take advantage of the efficiencies that technology has to offer, and there is increased expectation that legal practitioners are available regardless of their location. The industry is becoming progressively reliant on multiple technologies which introduce system vulnerabilities to cybercrime. Additionally, as locked down as our systems may be, we are unable to isolate ourselves from our suppliers or our clients, both of which can inadvertently provide accessways to our data.

As with other industries, a robust data breach incident response plan is no longer a “nice to have”; instead, it’s a “must have”. Similarly, obtaining cyber insurance, which has been common practice for a while, is becoming more expensive and comprehensive. Both solutions are like the ambulance at the bottom of the hill, and prevention is what we stay focused on.

Prevention starts with strong and monitored firewalls, end-point detection and response (EDR), and anti-virus software. It also requires close attention to the rollout of software updates and patches.

However, “74% of all breaches include the human element, with people involved either via Error, Privilege Misuse, Use of stolen credentials or Social Engineering.” [1] So, prevention must also include regular cyber security training for staff. They must be kept updated on how to recognise emails and messages from bad actors, and the risks associated with public Wi-Fi, readily available apps, and sharing credentials. The final weapon in our armament is the dreaded IT protocols and policies, which need continuous reinforcement. These include time-consuming steps such as verifying all bank account details for payments by phone from a known phone number, not the phone number on the potentially doctored invoice or phishing email.

We hope this gives our clients some level of comfort around the measures we have in place and the priority we place on protecting their data. If you are a fellow business owner, I highly recommend the Verizon 2023 Data Breach Investigations Report. It is a dry old read, but the authors have made valiant attempts to keep the important message accessible with regular dad jokes. There is a lot to keep on top of with the endless and rapidly evolving threats to our data and our clients’ data, but facing it head-on is the only response. There really isn’t an alternative. Time and money not spent now is time and money that will be spent if your business is targeted.

Law firm HWL Ebsworth said it had already spent 5,000 hours and $250,000 fighting Russia-linked hackers, as a judge extended an injunction aimed at stopping further. [1]

Rachel Holland | Practice Director

[1] Verizon 2023 Data Breach Investigations Report

This paper gives a general overview of the topics covered and is not intended to be relied upon as legal advice.