On 24 October 2017, international offshore law firm Appleby confirmed it was the victim of a cyber “security incident” in 2016.
The firm, along with trust company Asiaciti and 19 other registries, working in what are known as "secrecy jurisdictions" (commonly interchanged with the term "tax haven"), had a combined total of 13.4 million files stolen and sent to 97 media outlets.
This information was then made public, in what is now known as The Paradise Papers.
From Appleby alone, a collection of 6.8 million loan agreements, financial statements, emails, trust deeds and other paperwork spanning nearly 50 years of the firm’s 125-year-old business were stolen.
While many media outlets are reporting the security incident as a leak from the company, Appleby is refuting this claim. It says: “…our firm was not the subject of a leak but of a serious criminal act and our systems were accessed by an intruder who deployed the tactics of a professional hacker.”
The firm insists there was no wrong doing on their part but, whether the exposure occurred via leak or illegal hacking, it is yet another reminder that even the most impressive law firms need security systems in place.
As of writing, it is unknown if any legal action against the firm will be taken. However, its liability and competency will, undoubtedly, be called into question in the coming months – adding insult to injury.
Your obligations as a practising lawyer in New Zealand
Under New Zealand’s Lawyers and Conveyancers Act (Lawyers: Conduct and Client Care) Rules 2008 (or the Rules of Conduct and Client Care), lawyers have strict obligations of confidentiality - these obligations include ensuring that appropriate systems are in place to ensure information remains confidential – see Chapter 8 of the Rules.
Rule 11.4 also says that a lawyer must take all reasonable steps to prevent any person from perpetrating a crime or fraud through the lawyer’s practice. The rule includes specific reference to taking reasonable steps to ensure the security of access to electronic systems and passwords.
Lawyers are also agencies under the Privacy Act 1993 and so must ensure that they comply with the Privacy Act’s information Privacy Principle 5. This explains and highlights that storage and security of personal information which must be protected by reasonable safeguards. Reasonable can be interpreted as a security measure that balances with the risk to your clients’ safety.
Security and education
While New Zealand has a lot of boutique and regional firms that don’t play host to millions of files on Bono’s or the Queen’s investment portfolios, it doesn’t mean we are going unnoticed.
Lawyers in New Zealand have been caught up in both scams and ransomware breaches before, as it is so easy to infiltrate businesses who don’t have proper security checks and balances in place.
What is even scarier is that a lot of firms don’t know they have been breached until it’s too late and many small firms make for very easy targets.
Hackers can gain access months in advance before they do anything and all it takes is one, staff member to click on a link, or download an attachment, for you to activate a worm that can make its way into your share points and desktop files, accessing passwords, all in the background while you work.
And, just like that, you’ve compromised both your clients’ information and your integrity.
If you want to brush up on your privacy obligations as a legal professional, the NZLS Practice Briefing Protecting Clients’ Personal Information is recommended reading on this issue.
The Government cybersecurity agency Cert NZ is also always available for advice or assistance on cybersecurity threats. In a very timely move, Cert NZ will be holding Cyber Smart Week from 27 November to 1 December.