FEATURE ARTICLE
Articles, Issue 98: December 2024
The Issue:
Any barrister who does not appreciate their stored data is subject to a cyber risk ought not be in practice. Steps need be taken to protect such data from illicit access thereto, not just to avoid being sued for damages, but to avoid likely regulatory prosecution by a raft of regulators.
If I now have your attention, I commend every barrister reading to attend carefully the matters I canvass below. Perhaps you already have such matters in hand; if so read another article in this issue of Hearsay.
Cyber attacks against commercial and government institutions and individuals are a daily reality. The principal object of the attacks – if successful – is extortion, by ransomware (ie data access prevention) or threat of public exposure of copied data. The attacks occur at the behest of what are described in the cybersecurity industry as “threat actors”.
Suffice it to say the legal industry is not immune from cyber attacks. Much publicity was attracted this year by dint of the 2023 attack made in Australia upon solicitors HWL Ebsworth.
While I have not been able to gain access to statistics for Australia in relation to cyber attacks in the legal industry, data from the United Kingdom is available, and is disturbing.
In April 2022, IT systems operated by the UK Bar Council, and Bar Standards Board, were taken offline following a successful cyber attack.
The UK Law Society Gazette of 9 December 2023 reported that 65% of UK law firms had been the victim of an attempted cyber attack.
In the same Gazette of 27 August 2024, it was written that:
The number of successful cyber attacks against UK law firms rose by 77% in the past year to 954, up from 538 the year before … Chartered accountants Lubbock Fine said that the wave is driven by criminals seeing law firms as prime targets for ransomware attacks or blackmail (my emphasis).
Despite such history, the response of not just lawyers, but all commercial organisations in Australia has been relatively relaxed apropos of cyber risk. In the Herbert Smith Freehills 2024 “Cyber Risk Survey” of commercial organisations, the following was recorded:
Today, almost 80% of respondents to our cyber risk survey believe the cyber risk to their organisation is increased compared with last year. However, our data shows that many are still not taking crucial preparatory work – perhaps one of the most jarring findings from our survey was that 58% of respondents said it would use an actual cyber attack to motivate their organisation to meaningfully improve their data risk management…
[M]essages [however] are coming through: protect the network you have, not the network you think you have, select a standard and measure yourself against it, invest in early detection tools and basic cyber hygiene…and have a good incident response plan.
For lawyers in Queensland, there are three regulatory bodies which can prosecute them for failure to adequately protect the electronic data they hold against cyber attack: the Queensland Legal Services Commission (QLSC), the Office of the Australian Information Commissioner (OAIC) and the Australian Securities and Investments Commission (ASIC).
There is much publicity now concerning regulatory prosecutions in this space. It is instructive to note what the regulators are saying in their published utterances, at least in the case of the OAIC and the ASIC (albeit there is no reason why the QLSC would take a different approach):
- OAIC:
  - “The OAIC has underway several investigations into organisations in relation to data breaches, including Singtel Optus Pty Limited, Latitude group of companies and HWL Ebsworth Lawyers” (OAIC Corporate Plan 2024-25).
  - “The OAIC’s civil penalty proceedings against Medibank Private Limited and Australian Clinical Labs Limited will continue in the Federal Court in 2024–25. This enforcement action is an example of how the OAIC is prioritising regulatory action where there is a high risk of harm to the community. It sends a strong message to the regulated community that keeping personal information secure and meeting the requirements of the [notifiable data breach] scheme must be priorities.” (OAIC Corporate Plan 2024-25)
- ASIC:
  - “It is a foreseeable risk that your company will face a cyber attack… [A]s a director you have to make it your business to be across questions of cyber resilience and make cyber security a priority” (ASIC Chair, Joe Longo, speech at AICD Australian Governance Summit, March 2024).
  - “ASIC chairman Joe Longo has previously warned that the watchdog would bring charges against directors who fail to adequately prepare for hacks, and ASIC commissioner Simone Constant confirmed the process was under way” (Australian Financial Review, 17 September 2024).
  - “When we’re thinking about these investigations and the regulator’s concerns, we are not talking about the response to a hack or a cyber event … That’s a very small part of the story” (ASIC Commissioner Simone Constant, speech at the Australian Financial Review Cyber Summit, September 2024).
Glossary of Terminology:
Below I set out a hypothetical – but real – incident timeline, including my commentary in relation thereto. I have assembled the same with the assistance of Alex Halim of Cyber Safe Business, an expert CISO (see below), who deals with these matters on a day to day basis.
An introductory glossary to such timeline, provided by Alex, is this:
Threat Actors
Threat actors are people or groups who intentionally cause harm to computer systems, networks, or data. They can be hackers, cybercriminals, or even organizations that launch cyberattacks to steal information, disrupt services, or damage systems.
For example, if someone tries to break into your company’s network to steal customer data, that person is a threat actor. They are called “actors” because they are actively doing something harmful. Their actions could range from spreading viruses to holding data for ransom or spying on sensitive information.
In short, threat actors are the bad guys in the cybersecurity world!
Advanced Monitoring for Microsoft 365
Advanced Monitoring for Microsoft 365 refers to tools and services that provide deeper insights and tracking of your Microsoft 365 environment’s health, security, and performance. It helps IT admins keep an eye on things like:
- User activities: Who is logging in, from where, and what actions they are taking.
- Security threats: Alerts for suspicious activities, unauthorized access, or data breaches.
- Service performance: Monitoring the uptime and performance of services like Outlook, Teams, or SharePoint.
- Compliance tracking: Ensures that your organization meets regulatory requirements by monitoring data usage and access.
In short, it’s a way to ensure everything runs smoothly and securely by getting detailed reports and alerts about your Microsoft 365 system.
Multifactor Authentication (MFA)
Multifactor Authentication (MFA) is an extra layer of security that requires users to verify their identity in two or more ways before they can access an account or system. Instead of just entering a password, MFA asks for additional proof, such as:
- Something you know: Like a password or PIN.
- Something you have: Such as a smartphone, security token, or an app that generates a code.
- Something you are: Biometrics, like fingerprint or facial recognition.
The goal of MFA is to make it harder for attackers to gain access, even if they have your password. For example, after entering your password, you might also need to enter a code sent to your phone or scan your fingerprint to complete the login.
Secure Email Gateway (SEG)
Secure Email Gateway (SEG) is a tool that helps protect an organisation’s email system from threats like spam, phishing attacks, viruses, and malware. It acts as a filter, scanning all incoming and outgoing emails to identify and block harmful or suspicious messages before they reach the user’s inbox.
Some key functions of a Secure Email Gateway include:
- Spam filtering: Identifies and blocks unwanted or suspicious emails.
- Virus/malware scanning: Detects and removes emails with harmful attachments or links.
- Phishing protection: Prevents email-based attacks where attackers try to trick users into sharing sensitive information.
- Data loss prevention (DLP): Ensures sensitive data like personal or financial information isn’t accidentally sent outside the organization.
Essentially, an SEG serves as a security checkpoint for your email, preventing harmful or unauthorized content from entering or leaving your system.
Endpoint protection
Endpoint protection is a type of security solution designed to protect individual devices, known as “endpoints,” such as computers, smartphones, tablets, and servers, from cyber threats. These devices are common entry points for attackers trying to infiltrate a network, so endpoint protection works to safeguard them.
Key features of endpoint protection include:
- Antivirus and malware protection: Scans and blocks harmful software from infecting the device.
- Firewall: Monitors and controls incoming and outgoing network traffic.
- Intrusion detection: Identifies suspicious activity or potential attacks on the device.
- Data encryption: Protects sensitive data on the device in case it’s stolen or compromised.
- Endpoint detection and response (EDR): Offers advanced monitoring to detect and respond to more sophisticated threats in real-time.
Overall, endpoint protection ensures that devices connected to a network remain secure, minimizing the risk of data breaches or malicious attacks from hackers.
Cybersecurity assessment
Cybersecurity assessment is a process used to evaluate an organisation’s security posture, identify vulnerabilities, and determine how well its systems and data are protected from cyber threats. It involves analyzing the effectiveness of existing security measures, identifying gaps, and making recommendations to improve overall security.
Key elements of a cybersecurity assessment include:
- Risk identification: Analyzing potential threats (e.g., malware, phishing, hacking) that could affect the organization.
- Vulnerability scanning: Checking systems, networks, and applications for weaknesses that could be exploited.
- Security controls evaluation: Reviewing current security measures (firewalls, encryption, access controls) to see how well they prevent attacks.
- Compliance review: Ensuring that the organization meets regulatory requirements (e.g., GDPR, HIPAA) for data security.
- Incident response readiness: Assessing how prepared the organization is to detect, respond to, and recover from cyberattacks.
The goal is to provide a clear understanding of where an organization is vulnerable and what steps can be taken to strengthen its cybersecurity defences.
Chief Information Security Officer (CISO)
Chief Information Security Officer (CISO) is a senior executive responsible for overseeing and managing an organization’s information security program. Their primary goal is to protect the company’s sensitive data, systems, and networks from cyber threats.
The CISO ensures that security policies and practices align with business goals while staying compliant with regulations. They identify potential risks, develop strategies to mitigate them, and lead teams to respond to cybersecurity incidents.
In essence, the CISO is the key figure ensuring a company stays safe in the digital world, combining leadership, strategy, and technical expertise.
Hypothetical Timeline:
My hypothetical – but nonetheless real – incident timeline can be viewed here.
Counsel’s Data Most at Risk:
In my view there are three categories of documents which present the greatest risk of exposure to regulatory prosecution were they to be hacked:
- advices to solicitors;
- electronic briefs, the content of which can include privileged solicitors’ advices to the client, privileged witness statements and the document disclosure of all parties to a piece of litigation;
- email traffic between counsel and solicitors, and between counsel on the same side.
If a briefcase containing paper copies of the above documents is left by counsel in a bar, and stolen, and falls into the wrong hands, the concern would be great.
If a computer or laptop in counsel’s chambers overnight is not shut down or placed in “sleep” mode, and data is accessed and copied by cleaners who sell the data, the concern would be great.
Why should cyber risk be any different?
Barristers’ Conduct Rules 2011:
While there is no specific rule in these statutory regulatory rules which addresses cybersecurity risk, a number of the generic provisions certainly do:
Rule 10
These Rules are not intended to be a complete or detailed code of conduct for barristers. Other standards for, requirements of and sanctions on the conduct of barristers are to be found in the inherent disciplinary jurisdiction of the Supreme Court, the Legal Profession Act 2007 and the general law (including the law relating to contempt of court).
…
Rule 12
A barrister must not engage in conduct which is:
…
(c) Likely to diminish public confidence in the legal profession or the administration of justice or otherwise bring the legal profession into disrepute.
Rule 108
A barrister must not disclose (except as compelled by law)*…confidential information obtained by the barrister in the course of the practice concerning any person to whom the barrister owes some duty or obligation to keep the information confidential unless or until:
…
(b) The person has consented to the barrister disclosing…the information generally or on specific terms; or
(c) The barrister discloses the information in a confidential setting for the sole purpose of obtaining advice in connection with the barrister’s legal or ethical obligations.
Rule 109
A barrister must not disclose (except as compelled by law)*…confidential information under Rule 108(b) in any way other than as permitted by the specific terms of the person’s consent.
* My note – absolute obligation.
Legal Profession Act 2007 (Qld):
Relevantly, this Act provides:
418 Meaning of unsatisfactory professional conduct
Unsatisfactory professional conduct includes conduct of an Australian legal practitioner happening in connection with the practice of law that falls short of the standard of competence and diligence that a member of the public is entitled to expect of a reasonably competent Australian legal practitioner.
419 Meaning of professional misconduct
(1) Professional misconduct includes—
(a) unsatisfactory professional conduct of an Australian legal practitioner, if the conduct involves a substantial or consistent failure to reach or keep a reasonable standard of competence and diligence; and
(b) conduct of an Australian legal practitioner, whether happening in connection with the practice of law or happening otherwise than in connection with the practice of law that would, if established, justify a finding that the practitioner is not a fit and proper person to engage in legal practice.
(2) For finding that an Australian legal practitioner is not a fit and proper person to engage in legal practice as mentioned in subsection (1), regard may be had to the suitability matters that would be considered if the practitioner were an applicant for admission to the legal profession under this Act or for the grant or renewal of a local practising certificate.
Prosecution of barristers for such misconduct, of course, is not confined to contraventions of the above Barristers’ Conduct Rules.
Legal Regulator Guidance:
In what circumstances is the QLSC likely to prosecute for inadequate cybersecurity put in situ by a barrister?
Legal regulator guidance is emerging. A helpful publication was issued by the Victorian Legal Services Board and Commissioner, namely “Minimum Cybersecurity Expectation”, published in August 2024. It identifies conduct which in the opinion of that regulator, falls to be characterised as professional misconduct or unprofessional conduct.
Such publication – in my opinion – repays reading, and may be found here.
The salient practical “expectations” I discern from such document – directly or by way of extrapolation – are these:
- Engage a competent and credentialed IT administrator, if not a CISO.
- Have a chambers’ cybersecurity compliance manual issued, with a strict requirement that all barristers, staff members and external staff or consultants study and comply with it (covering strict phishing avoidance, home office use, external typing use and accountant use).
- Have in place multi-factor authentication, updated security software and access controls.
- Delete – in a timely way – redundant sensitive data in directories (eg electronic briefs after advice is furnished or an interlocutory hearing is conducted, even if it is necessary to be re-briefed for further tasks).
- Use strong passwords.
- Have strong security and antivirus software.
- Avoid use of unknown devices and accessories (eg USB sticks or scavenged hard drives).
- Train staff in cybersecurity, to maximise cyber hygiene.
- Distribute to chambers’ barristers and staff – and require that they study – a cyber incident response plan.
- Keep a record of any cyber incidents, even if apparently minor.
- Report data breaches to the OAIC in accordance with the Privacy Act 1988 (Cth).
- Require the chambers’ IT administrator or CISO to give a quarterly report on cybersecurity.
What to Do at a Technical Level?:
I am indebted to Alex Halim for assisting me with the technical suggestions below.
By way of immediate action, Alex recommends:
- Ensure a strong password:
  - At least 12-16 characters long.
  - Mix uppercase and lowercase letters, symbols and numbers.
  - Avoid re-using passwords across different accounts.
  - Create a pass-phrase password which is strong but memorable, e.g. “Tropical$Radio%Talk50”.
- Enable multi-factor authentication [if not already so enabled].
By way of general protection measures, Alex recommends:
- Start the journey with a cybersecurity assessment. This process will allow chambers (or you, if practising alone) to understand your business-critical systems and their vulnerabilities, so that the gaps can be closed.
- Engage a qualified and capable cybersecurity strategist (CISO) to help your chambers develop a cybersecurity risk mitigation strategy that aligns with your business goals and regulatory requirements.
- Align the chambers’ procedures and policies, and your own, to support a cybersecurity culture.
By way of specific protection measures, Alex recommends:
- Apply tools or technologies that protect MS 365:
  - To prevent unauthorised login.
  - To monitor and alert on suspicious data exfiltration activities for all assets in MS 365.
  - With capability for immediate mitigation.
  - With extensive reporting capability.
- Apply an endpoint detection and response (EDR) solution that has:
  - Capabilities for behavioural analysis, machine learning and threat hunting for advanced threats.
  - Coverage of advanced threats such as zero-day attacks, fileless malware, Advanced Persistent Threats, ransomware, etc.
  - Support for incident response and forensic capabilities, and integration with threat intelligence feeds for up-to-date information on new threats.
- Apply an application control policy to endpoints that have access to business-critical assets:
  - An application whitelist database.
  - A change-request process for updating the application whitelist database.
- Apply an advanced firewall (Internet gateway) that has the following features:
  - Advanced Internet traffic monitoring.
  - Integration with the monitoring system for detection and response.
- Apply secure remote access technology that has the following features:
  - Machine learning behavioural analysis.
  - Support for in-transit encryption.
  - Support for incident response and forensic capabilities, and integration with the monitoring system for detection and response.
- Build a cybersecurity hygiene culture, consisting of a continuous cybersecurity awareness program that is accountable and reportable.
- Have an incident response plan.
- Have a risk mitigation strategy.
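As an added illustration (not code from the article, from Alex Halim or from Cyber Safe Business) of the kind of check behind the MS 365 monitoring recommendations above and the “Advanced Monitoring for Microsoft 365” glossary entry: a small detection pass over constructed audit records that raises an alert for a sign-in from a country not previously seen for the user (possible unauthorised login) and for a burst of file downloads (possible exfiltration of briefs). The record layout, field names, user account and thresholds are assumptions for illustration, not the real Microsoft 365 audit log schema.

```python
"""Added example: two alert rules of the kind an M365 monitoring tool applies.

Rule 1: a sign-in from a country not previously seen for that user
        (possible unauthorised login).
Rule 2: DOWNLOAD_THRESHOLD file downloads inside DOWNLOAD_WINDOW
        (possible bulk data exfiltration, e.g. of electronic briefs).
The record layout and field names are assumptions for illustration, not
the real Microsoft 365 unified audit log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DOWNLOAD_WINDOW = timedelta(minutes=10)  # sliding window per user
DOWNLOAD_THRESHOLD = 20                  # downloads in the window that trigger an alert

USER = "counsel@chambers.example"        # constructed sample account, not a real one


def _event(op, country, ts):
    return {"user": USER, "op": op, "country": country, "ts": ts}


# Constructed sample records (not real log data): a normal working day in
# Australia, then a late-night sign-in from abroad followed by a download burst.
_burst_start = datetime.fromisoformat("2024-11-04T23:41:00")
SAMPLE_EVENTS = [
    _event("UserLoggedIn", "AU", "2024-11-04T08:55:00"),
    _event("FileDownloaded", "AU", "2024-11-04T09:10:00"),
    _event("UserLoggedIn", "NL", "2024-11-04T23:40:00"),
] + [
    _event("FileDownloaded", "NL", (_burst_start + timedelta(seconds=20 * i)).isoformat())
    for i in range(25)
]


def detect(events, known_countries):
    """Return alerts as (rule, user, detail) tuples, in time order.

    known_countries maps user -> countries where that user normally signs in
    (in practice learned from the user's sign-in history).
    """
    alerts = []
    seen = {user: set(countries) for user, countries in known_countries.items()}
    downloads = defaultdict(list)  # user -> download timestamps inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        if ev["op"] == "UserLoggedIn":
            if ev["country"] not in seen.setdefault(user, set()):
                alerts.append(("new_country_login", user, ev["country"]))
                seen[user].add(ev["country"])  # alert once per new country
        elif ev["op"] == "FileDownloaded":
            window = downloads[user]
            window.append(ts)
            while ts - window[0] > DOWNLOAD_WINDOW:  # drop downloads outside the window
                window.pop(0)
            if len(window) == DOWNLOAD_THRESHOLD:  # fire once, as the threshold is crossed
                alerts.append(("bulk_download", user,
                               f"{len(window)} downloads in {DOWNLOAD_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, {USER: ["AU"]}):
        print(alert)
```

A real deployment would feed the tool’s own audit export into rules of this shape and route each alert to whoever holds the incident response plan, which is the “immediate mitigation” and “reporting” capability the list above calls for.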
Conclusion
Counsel ought be under no misapprehension that protection of their practice – coupled with protection from regulatory prosecution – necessitates proactive and comprehensive action against cyber risk.
No system of protection is infallible, but having an up-to-date, multi-layered cybersecurity system will minimise the prospect of practice disruption, the risk of regulatory prosecution and – perhaps – a suit or suits for damages by affected persons.