Welcome to the Cyber Security Guide for NZ Law Firms
The storage of sensitive client information and management of large funds make law firms an attractive target for cybercriminals. It is therefore critical for law firms to understand and mitigate the cyber risks they face.
The ‘Cyber Security Guide for NZ Law Firms’ is a contextual resource to assist lawyers and law firms manage their cyber security risk.
With recent advances in cloud and legal technologies, law firms are transforming their information systems. While these new technologies present business opportunities, they also create new risks.
Law firms store large quantities of sensitive client information and process significant financial transactions on behalf of their clients. To quote the New Zealand Law Society, “the storage of personal and sensitive information on clients is an integral part of the work of a lawyer”.
A cyber attack or data breach has the potential to cause major disruption, reputational damage and financial loss. According to research, the most common types of attacks on law firms include business email or supply chain compromises, data breaches and the ever-present threat of ransomware.
In the event of a breach, a law firm is obliged to comply with several Acts including the Privacy Act 1993 and the Lawyers and Conveyancers Act 2008.
Cyber risk should be managed using the NIST cyber security framework or equivalent. Such frameworks involve a risk assessment, the selection of applicable security controls and an achievable roadmap of improvement. Legal professionals should also undergo cyber security training and awareness programmes to ensure they have more than a basic understanding of cyber risks.
Having worked on numerous cyber-related matters for New Zealand law firms, we are pleased to present you with this guide and accompanying collection of practical cyber security resources.
I trust that you and your firm will benefit from the guide and we would be happy to discuss any relevant aspects with you.
Incident Response Solutions
At a Glance
- More than a quarter of law firms experienced a data breach (The American Bar Association’s 2019 Legal Technology Survey Report).
- Every respondent suffered a security incident, with the most common attack being phishing (2019 Survey of Global Law Firms).
- The most significant cyber threats to a law firm are phishing, data breaches, ransomware and supply chain compromise (The UK’s National Cyber Security Centre’s 2018 Report).
- In quarter three 2019, there were 1,354 incident reports with phishing and credential harvesting activity 27% higher than in the previous quarter (CERT NZ’s Third Quarter 2019 Report).
- Companies with an incident response team that also extensively tested their incident response plan incurred significantly lower costs on average than those that had neither measure in place (Cost of a Data Breach Report 2019).
- Total or partial outsourcing of services and the use of automation and robotics to assist with repeatable activities using third-party services are both increasing (The Cyber Threat to UK Legal Sector 2018).
Legal technology (commonly known as Legal Tech) refers to the use of technology and software to provide legal services. A vast number of vendors offer solutions, many of which are hosted in the ‘Cloud’.
Cloud computing enables convenient, on-demand access to a shared pool of computing resources that can be rapidly provisioned with minimal management effort or service provider interaction.
In 2017, the New Zealand Law Society issued a Practice Brief titled “Cloud Computing”. In summary, the Law Society reported that law firms are increasingly using cloud computing as an alternative to in-house systems. It stated that advantages such as flexibility and cost must be balanced against risks to privacy and control. It goes on to recommend that if the outsourcing arrangement could result in a third party accessing clients’ data, then contractual terms should be sought to ensure that:
- clients’ information is protected, and the cloud service will not compromise client confidentiality.
- the law firm makes all reasonable efforts to ensure attackers cannot access this client data.
According to the 2018 report ‘The cyber threat to UK legal sector’, a number of emerging trends are influencing the use of technology within law firms. These include:
- A continuing need to connect and collaborate with clients, placing requirements on technical capabilities
- Flexibility of the workforce requiring remote access to data
- An expansion of outsourcing services, using automation and robotics to assist with repeatable activities.
Another recent survey report ‘Will 2020 be the turning point in legal operations?’ focuses on eDiscovery solutions. The authors found that data security is a top concern amongst law firms, with 94% concerned about distributing electronically-stored information to multiple discovery vendors and law firms.
Consider the types of data that your law firm stores, all of which could be a target for cybercriminals:
- Contract Management
- Deals data
- eDiscovery data
- Intellectual property
- Legal research
- Personally identifiable information (PII)
Cyber Security in the NZ Legal Context
This guide considers the cyber security implications of the Privacy Act 1993 (The Privacy Act) and The Lawyers and Conveyancers Act (Lawyers: Conduct and Client Care) Rules 2008 (Rules of Conduct and Client Care).
This guide does not attempt to determine, nor should it be used to determine, whether the Privacy Act or the Rules of Conduct and Client Care prevail. If in doubt, seek legal advice.
In 2014, the New Zealand Law Society issued a Practice Brief titled “Protecting Clients’ Personal Information”. A summary follows; we recommend that the brief also be read in full.
The Privacy Act
Any law firm or lawyer in sole practice has obligations as an agency under the Privacy Act, including the mandatory designation of a privacy officer.
Principle 5 of the Privacy Act requires that an agency holding personal information shall ensure that the information is reasonably protected by security safeguards against loss and misuse. If it is necessary to give the information to a person in connection with the provision of a service, then all reasonable steps must be taken to prevent unauthorised use or unauthorised disclosure of the information.
A cyber incident response plan will assist in dealing with a privacy breach and should include a determination of what constitutes a ‘serious’ privacy breach requiring notification of the Office of the Privacy Commissioner. For further guidance, visit the Office of the Privacy Commissioner’s website and its ‘Data Safety Toolkit’.
Rules of Conduct and Client Care
Under the Rules of Conduct and Client Care, lawyers are required to protect and hold in strict confidence all information concerning a client acquired in the course of the professional relationship. In the event of a privacy breach, a lawyer may also have the obligation to ensure clients are fully informed of any potential compromise of privacy and confidentiality.
A summary of the key chapters relating to cyber security follows.
Chapter 7 (Disclosure and communication of information to clients)
Subject to limited exceptions, a lawyer must promptly disclose to a client all information that he/she already has or acquires that is relevant to the matter in respect of which he/she is engaged by the client.
Chapter 8 (Confidential information)
A lawyer has a duty to protect and to hold in strict confidence all information concerning a client, the retainer, and the client’s business and affairs which he/she acquires in the course of the professional relationship. The obligation of confidentiality continues indefinitely after the person has ceased to be the lawyer’s client.
Chapter 11 (Proper professional practice)
A lawyer must take all reasonable steps to prevent any person perpetrating a crime or fraud through the lawyer’s practice. This includes taking reasonable steps to ensure the security of and access to electronic systems and passwords.
A Global Perspective
For a wider view on law firm cyber security, we have drawn on a number of recently published legal reports from around the globe.
2017 Roundtables Key Takeaways – Cyber Security and Legal Practice (Australia)
- Cyber security threats are increasing
- Cyber security among the nation’s legal firms is inadequate and most professionals with responsibility for cyber defences are aware of their vulnerabilities
- The fight against cyber threats is hampered by a lack of resources, especially among smaller law firms without dedicated internal IT capabilities
- Employees are the weakest link
- Investment in awareness and training of cyber security issues is increasing.
2019 Cyber Security Report – American Bar Association (ABA) (United States)
- Over a quarter report that their firms have experienced some sort of security breach
- Consequences of security incidents:
- consulting fees for repair (37%)
- downtime/loss of billable hours (35%)
- expense for replacing hardware or software (20%)
- destruction or loss of files (15%)
- notifying law enforcement of breach and notifying clients of the breach (9% each)
- More than a third report they were aware that their systems had been infected with malware
- Less than a third of law firms have an incident response plan.
PwC Law Firms’ Survey 2019 (Global)
- Every respondent suffered a security incident
- Common attack types included phishing, malware, network intrusion, denial of service and confidential information loss or leakage
- Network intrusion was the least commonly known cyber security attack and this, perhaps, implies poor detection capabilities across the legal sector
- The insider threat is prevalent amongst all sizes of firms with the majority having experienced incidents due to insiders over the last year
- Participation in annual crisis management exercises is low.
Cybercrime – The Threats We Know
A cybercriminal may attempt to compromise your law firm using any number of attack types. Based on our experience of responding to actual incidents in New Zealand, we consider that the first four are the most prevalent attack types with the largest potential impact.
In this section, we first describe each threat and then provide some recommendations (in bullet points).
Business Email Compromise
Email compromises have become so common that the New Zealand Law Society has a dedicated Practice Resource on its website.
A business email compromise typically begins with a phishing attack in which the sender’s email address is altered (or ‘spoofed’) so that the message appears convincing. The phishing email contains a link to a fake website that encourages the victim to enter the login credentials for their email account. Once inside the account, the cybercriminals scan the emails for payment instructions and then send an email requesting that the victim make the payment to a different bank account. In some cases, cybercriminals may forge the bank account details on the invoice to circumvent traditional fraud controls. To hide their tracks, cybercriminals set up auto-forwarding and deletion rules in the compromised email account.
- Use stronger passwords and enable two-factor authentication (2FA or MFA)
- Conduct cyber security user awareness training
- Implement processes to verify invoices and account details for money transfers
- Use ‘cooling off’ periods for changing account details for high-value transactions
- Educate your clients about your firm’s finance processes to help them avoid falling victim to email fraud.
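The auto-forwarding and deletion rules described above leave a trace in the mailbox itself, so a periodic audit of inbox rules is a practical detection control. The script below is an added illustration, not part of the guide: it scores a constructed set of mailbox rules for the indicators of the pattern (external forwarding, deletion or hiding of messages, finance keywords, a nondescript rule name). The rule format and the firm domain `example-lawfirm.co.nz` are assumptions; a real export from an email platform’s admin console would need to be mapped onto the `InboxRule` fields.

```python
from dataclasses import dataclass, field
from typing import List, Optional

FIRM_DOMAIN = "example-lawfirm.co.nz"  # assumed (hypothetical) firm domain
FINANCE_KEYWORDS = ("invoice", "payment", "bank account", "remittance", "trust account")
# Folders commonly used to hide mail from the mailbox owner
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "deleted items", "junk email", "archive")


@dataclass
class InboxRule:
    """Simplified, constructed representation of a mailbox rule."""
    name: str
    owner: str                                   # mailbox the rule belongs to
    forward_to: List[str] = field(default_factory=list)
    delete: bool = False
    move_to_folder: Optional[str] = None
    subject_contains: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the address is outside the firm's own domain."""
    return address.rsplit("@", 1)[-1].lower() != FIRM_DOMAIN


def audit_rule(rule: InboxRule) -> dict:
    """Collect the indicators present in one rule and assign a severity."""
    findings = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    if rule.delete:
        findings.append("deletes messages after processing")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append(f"hides messages in '{rule.move_to_folder}'")
    keywords = [k for k in rule.subject_contains if k.lower() in FINANCE_KEYWORDS]
    if keywords:
        findings.append("filters on finance keywords: " + ", ".join(keywords))
    if not rule.name.strip(" .,-_"):
        findings.append("nondescript rule name")
    # Two or more indicators together match the forward-and-hide pattern;
    # a single indicator (e.g. an archive rule) only warrants a review.
    severity = "high" if len(findings) >= 2 else "medium" if findings else "none"
    return {"owner": rule.owner, "name": rule.name, "severity": severity, "findings": findings}


def audit_rules(rules: List[InboxRule]) -> List[dict]:
    """Audit every rule and return the results, most severe first."""
    order = {"high": 0, "medium": 1, "none": 2}
    return sorted((audit_rule(r) for r in rules), key=lambda x: order[x["severity"]])


# Constructed sample: benign rules, one classic BEC rule and one borderline rule.
SAMPLE_RULES = [
    InboxRule("Newsletters", "partner@example-lawfirm.co.nz",
              move_to_folder="Newsletters", subject_contains=["newsletter"]),
    InboxRule(".", "accounts@example-lawfirm.co.nz",
              forward_to=["mailbox-relay@attacker.example"], delete=True,
              subject_contains=["invoice", "payment"]),
    InboxRule("Copy to assistant", "partner@example-lawfirm.co.nz",
              forward_to=["assistant@example-lawfirm.co.nz"]),
    InboxRule("Archive old mail", "clerk@example-lawfirm.co.nz",
              move_to_folder="Archive"),
]

if __name__ == "__main__":
    for result in audit_rules(SAMPLE_RULES):
        print(f"[{result['severity']:6}] {result['owner']} / {result['name']!r}")
        for finding in result["findings"]:
            print("          -", finding)
```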
Data or Privacy Breach
Lawyers who breach their clients’ privacy may have breached their professional obligations under the Lawyers and Conveyancers Act 2006. A breach can also have a devastating impact on a firm’s reputation.
In 2016, Panama-based law firm Mossack Fonseca suffered a major data breach (the Panama Papers). It is estimated that over two terabytes (TB) of data were compromised. This is roughly equivalent to the amount of information contained in an average library. According to Action Fraud, in the two years to March 2018, eighteen law firms reported hacking attempts. Data and privacy breaches can also be caused by an accidental act by an employee.
- Conduct a security audit of both physical and technical security, including the NIST cyber security framework phases of identify, protect and detect
- Review supply chain providers
- Ensure your cyber incident response plan is operational and understood by all relevant staff.
Ransomware
Ransomware is a type of malicious software (or malware) that locks files, preventing victims from accessing electronic data until a ransom has been paid.
High-profile incidents such as WannaCry and NotPetya, both in 2017, highlight the nature and ferocity of such attacks. Global law firms are known to have been impacted by such attacks.
- Regularly back up your data and test the restore process
- Ensure systems are regularly patched
- Implement an anti-malware solution that includes ransomware mitigation.
Supply chain compromise
The cyber risk profile of law firms will continue to increase as they adopt more legal tech and cloud services. The supply chain can be compromised in various ways. For example, the NotPetya ransomware attack is understood to have been spread by infecting the cloud provider’s system used to deploy software updates to its clients, otherwise known as a watering-hole attack.
Managed service providers (MSPs) delivering technology services to clients are an attractive target as they host data for multiple organisations. If an MSP’s systems are not properly secured, an attacker who gains entry can traverse them in search of valuable information. According to a US Justice Department indictment in 2018, a hacking group (Advanced Persistent Threat 10, or ‘APT10’) targeted managed service providers to steal intellectual property.
- Maintain a register of suppliers with access to sensitive information
- Separate or protect critical devices from networks that are accessed by third parties
- Ensure your suppliers, and their suppliers, adhere to the same or better security protocols as your firm.
Cryptojacking
Cryptojacking involves hijacking victims’ physical or cloud computing services to use their processing power and electricity supply to ‘mine’ cryptocurrencies such as Bitcoin and Monero.
- Set payment thresholds and regularly review invoices from cloud providers.
Malicious insider attacks
A disgruntled employee who has physical and electronic access to your information systems can cause significant damage, such as stealing intellectual property or destroying data.
- Restrict employees’ permissions so that they are unable to copy or delete certain data.
Remote Desktop Protocol (RDP)
RDP is designed to provide access to a computer system for support purposes. Cybercriminals take advantage of vulnerabilities in this software to copy data and launch ransomware attacks.
- Ensure that your software is regularly updated to minimise this risk.
Social engineering
Social engineering involves human interaction that relies on trust to trick people. Phishing and whaling are common formats; the latter involves an email being sent purportedly from the CEO to the CFO requesting urgent payment of funds.
- Insurance companies now offer optional policy extensions to cover this threat
- Provide staff with suitable cyber security awareness and training.
Social media
The more you post online, the easier it is to have your identity stolen. According to the NZ Law Society, lawyers also need to be aware of the potential consequences of their use of both personal and professional social media accounts, as content has the potential to reach unintended audiences, including the Lawyers Complaints Service.
- Be careful about what you share on social media, particularly sensitive information.
Website hacking
Websites are hacked to obtain login credentials and PII, which can later be used to commit further crimes or be sold on the dark web. The dark web is a hard-to-reach area of the internet frequented by cybercriminals.
- Dark web monitoring of your information may identify cyber risks
- In the event of a cyber attack, ensure all affected login credentials are changed.
Cyber Risk Management
Since a law firm’s information systems are an attractive target, cybercriminals will go to great lengths to compromise them. All legal professionals must therefore understand and actively participate in managing their firms’ cyber risk. Ultimately however, it is senior management who should take ownership of this risk and track it at the firm’s partnership meetings. A senior member of staff must be appointed to oversee data privacy and cyber security, ensuring he/she has the requisite resources to ask and act on the following questions relating to cyber attacks:
- Does the board understand its exposure?
- What are the vulnerabilities of the organisation?
- What are the likely business impacts?
- What is the planned response?
- How often does the organisation undergo testing of its preparedness?
One of the first steps in a cyber risk programme is to decide on and then use a suitable framework, comprising a risk assessment and selection of relevant security controls.
Cyber Security Framework
The New Zealand Government encourages the use of the National Institute of Standards and Technology (NIST) cyber security framework which was first published in 2014. The framework enables firms to assess maturity across five functions: identify, protect, detect, respond and recover. Law firms can use the NIST cyber security framework to:
- Describe their current cyber security posture;
- Describe their target Profile for cyber security;
- Identify and prioritise opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress towards the target Profile; and
- Communicate the cyber security risk to internal and external stakeholders.
In 2020, NIST also released a Privacy Framework, which has an overarching structure modelled on that of the Cyber Security Framework. The two frameworks are designed to be complementary, given that privacy and security are related but distinct concepts. Law firms can use the NIST Privacy Framework to:
- Take privacy into account as they design and deploy systems, products, and services that affect individuals;
- Communicate about their privacy practices; and
- Encourage cross-organisational workforce collaboration through the development of profiles, the selection of tiers and the achievement of outcomes.
We also recommend referring to The Institute of Directors ‘Cyber Risk Practice Guide’.
Incident Response Recommendations
Your law firm needs to be ready to act in the event of a cyber incident. With robust incident response procedures in place, you will be better prepared to respond and recover.
Refer to the checklist below in the event of a data or privacy breach:
- Follow your cyber incident response plan
- Enable your response team
- Conduct a forensic examination
- Contact issuing banks
- Alert your insurance company if applicable
- Notify affected individuals
- Notify the New Zealand Law Society
- Notify the Office of the Privacy Commissioner and any other relevant jurisdictions
- File a complaint with the New Zealand Police and CERT NZ
- Confirm contractual obligations with suppliers and other third parties
- Have a public relations strategy in place
Contact us for a free cyber incident response template that is configured for NZ Law Firms.
How we can help you
We can help you at any stage of the development of your incident response process which we’ve summarised into the guide below.
|Strategy and plans|
We develop and improve incident response plans; we can also help with your security strategy, framework and roadmap of improvements.
|Testing through simulations|
Using forensic and cyber experts, we facilitate robust tabletop exercises to test and improve your incident response plan.
|Panel of experts|
We establish a suitable panel of experts including a breach coach and forensic, security, legal and public relations specialists who are ready to assist.
|Forensic technology expert witness|
We have significant experience in providing expert witness reports and in delivering expert witness testimony at trial.
|Electronic investigations and eDiscovery|
We love finding needles in haystacks, using our analytical and investigative techniques to a Forensic standard. Our eDiscovery expertise is also recognised by the Courts.
We help you to identify, contain and eradicate risks from your business, e.g. if a staff member has stolen your IP, we can wipe it from their electronic devices and cloud storage.
|Return to business as usual|
You may require data breach notification services, assistance with your cyber insurance requirements, or general security recommendations.
|Post-incident review and improvement plans|
Following an incident, we evaluate your response to correct any weaknesses and build on your strengths.
Incident Response Solutions has developed the following resources, tailored to the needs of New Zealand Law Firms.
- Cyber Incident Response Plan
- Cyber Incident Simulation Exercises
- NIST Cyber Security Framework Assessments
- NIST Privacy Framework Assessments
- Incident Response Retainer
Incident Response Retainer
With our Incident Response Retainer, you can take comfort knowing that when you need us, you will quickly have access to Incident Response experts, along with a comprehensive network of associated professionals. We can tailor a plan to meet your requirements, including the following:
- A welcome pack and initial consultation to explain how to maximise the service
- Access to a panel of experts who are ready to help
- Support desk for ad-hoc queries
- Our monthly Forensic and Cyber Bulletin
- Yearly forensic readiness assessments
- Yearly assistance in drafting or revising your cyber incident response plan
- Board briefing packs and deep dive presentations
- Access to our Incident Response Service Desk Tool for managing incidents
- Facilitation of a yearly cyber incident tabletop simulation
- Discounted rates on our forensic technology expert services
American Bar Association (2019), 2019 Legal Technology Survey Report <https://www.americanbar.org/groups/law_practice/publications/techreport/abatechreport2019/cybersecurity2019>, accessed 6 January 2020.
Centre for Legal Innovation (2017), 2017 Roundtables Key Takeaways: Cybersecurity and Legal Practice – Who is Responsible for What, When, Where, How and Why? <https://www.cli.collaw.com/-/media/col/cli_files/cybersecurity-and-legal-practice-rt-2017—key-takeaways.pdf?la=en>, accessed 13 February 2020.
CERTNZ (2020), Top 11 tips for cyber security <https://www.cert.govt.nz/individuals/guides/getting-started-with-cyber-security/get-started-cyber-security>, accessed 13 February 2020.
Financial Markets Authority (2019), Cyber-resilience in FMA-regulated financial services <https://www.fma.govt.nz/compliance/guidance-library/cyber-resilience-in-fma-regulated-financial-services/>, accessed 6 January 2020.
IBM (2019), Cost of a Data Breach Report 2019 <https://www.ibm.com/security/data-breach>, accessed 6 January 2020.
Institute of Directors (2015), Cyber Risk Practice Guide <https://www.iod.org.nz/resources-and-insights/guides-and-resources/cyber-risk-practice-guide/#>, accessed 6 January 2020.
National Cyber Security Centre (2019), Email security and anti-spoofing <https://www.ncsc.gov.uk/guidance/email-security-and-anti-spoofing>, accessed 6 January 2020.
National Cyber Security Centre UK (2018), The Cyber Threat to UK Legal Sector <https://www.ncsc.gov.uk/report/-the-cyber-threat-to-uk-legal-sector–2018-report>, accessed 6 January 2020.
National Cyber Security Centre (2019), Phishing attacks: defending your organisation <https://www.ncsc.gov.uk/phishing>, accessed 6 January 2020.
National Institute of Standards and Technology (2011), The NIST Definition of Cloud Computing <https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf>, accessed 6 January 2020.
New Zealand Government (2019), Privacy Act 1993 <http://www.legislation.govt.nz/act/public/1993/0028/latest/DLM296639.html>, accessed 20 December 2019.
New Zealand Government (2019), The Lawyers and Conveyancers Act (Lawyers: Conduct and Client Care) Rules 2008 <http://www.legislation.govt.nz/regulation/public/2008/0214/latest/DLM1437811.html>, accessed 20 December 2019.
New Zealand Law Society (2017), Cloud Computing Guidelines for Lawyers <https://www.lawsociety.org.nz/practice-resources/practice-briefings/Cloud-Computing.pdf>, accessed 30 June 2019.
New Zealand Law Society (2020), Email scam information <https://www.lawsociety.org.nz/practice-resources/email-scam-information>, accessed 6 January 2020.
New Zealand Law Society (2018), How fraudsters interfere in money transfers <https://www.lawsociety.org.nz/practice-resources/email-scam-information/how-fraudsters-interfere-in-money-transfers>, accessed 6 January 2020.
New Zealand Law Society (2019), Lawyers and social media <https://www.lawsociety.org.nz/practice-resources/the-business-of-law/legal-practice/lawyers-and-social-media>, accessed 18 February 2020.
New Zealand Law Society (2014), Protecting Clients Personal Information <https://www.lawsociety.org.nz/practice-resources/practice-briefings/Protecting-clients-personal-information-2014-06-19-v1.pdf>, accessed 30 June 2019.
Office of the Privacy Commissioner (2020), Data breaches <http://privacy.org.nz/how-to-comply/data-safety-toolkit-preventing-and-dealing-with-data-breaches/>, accessed 6 January 2020.
Opentext (2020), Next-generation legal operations: Trends fueling law department growth and influence <https://www.opentext.com/info/ediscovery/corporate-legal-ops-survey>, accessed 14 February 2020.
PwC (2019), PwC Law Firms’ Survey 2019 <https://www.pwc.co.uk/industries/law-firms/pwc-law-firms-survey-report-2019.pdf>, accessed 6 January 2020.
WIRED (2018), How China’s Elite Hackers Stole the World’s Most Valuable Secrets <https://www.wired.com/story/doj-indictment-chinese-hackers-apt10/>, accessed 6 January 2020.
WIRED (2018), The Untold Story of NotPetya, the Most Devastating Cyberattack in History <https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/>, accessed 6 January 2020.