Not all data leakage is deliberate – here are six ways data can be inadvertently leaked and how to prevent it happening in the first place.
Inadvertent leaks of sensitive information are serious lapses of a lawyer’s duty to keep clients’ information confidential (NSW Government, Legal Profession Uniform Law Australian Solicitors’ Conduct Rules (2015), r 9). Surprisingly, many people still make the simplest of mistakes in protecting data.
Understanding how data leaks occur and how to prevent them should be part of every lawyer’s cybersecurity toolkit. Here are some of the most common ways data from law firms is leaked, along with straightforward strategies for prevention.
1. Using free email accounts
Storing or communicating sensitive information via free email services like Hotmail or Gmail can expose data to unauthorised access. Because anyone can register an address on these services, they are also an easy place for an attacker to create a lookalike address that closely resembles a genuine one for use in phishing scams.
Prevention
Use secure, encrypted email services designed explicitly for business communications.
Ensure email data is hosted in Australia and implement multifactor authentication.
Use email accounts hosted on your own domain – for instance, @examplelawfirmname.com.au – so that the domain and every address on it are under the firm’s control, which makes it harder for others to spoof the firm’s email.
2. Cloud storage and unmanaged access
Law firms often use cloud storage solutions. Incorrectly setting up and maintaining storage can lead to the accidental exposure of files to unauthorised users, such as former employees.
Prevention
Regularly check cloud settings and permissions to ensure only authorised personnel can access sensitive data.
Keep an up-to-date list of who can access each system and have the IT team check the access logs regularly.
3. Accidental emailing of sensitive data
Misaddressed emails are one of the leading causes of data leaks. They occur when confidential information is accidentally sent to an unintended recipient. Similar names or email addresses can increase the risk of this, especially in large organisations. Replying to group email messages or CC lists with sensitive information can also cause a leak.
Prevention
Use email verification software that automatically checks recipient addresses against a database of known contacts before a message is sent.
Use the option to delay email sending in email application settings.
Carefully review every recipient address before sending – paying attention each time is still the best strategy for avoiding emails to the wrong party.
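As an added example (not code from the article), the following Python script shows the kind of recipient check described above: each outgoing address is compared with a constructed, hypothetical list of known contacts; exact matches pass, unknown addresses are held for confirmation, and near-misses of a known address or domain are blocked as likely typos or lookalikes. The contact list and the 0.85 similarity threshold are assumptions for the example.

```python
"""Outbound recipient check for misaddressed or lookalike addresses.
Constructed example: the contact list below is sample data, not a real firm's."""
from difflib import SequenceMatcher

# Constructed sample address book (hypothetical addresses).
KNOWN_CONTACTS = {
    "jane.smith@acme-client.example",
    "counsel@bigcorp.example",
    "j.lee@partnerfirm.example",
}
KNOWN_DOMAINS = {addr.split("@", 1)[1] for addr in KNOWN_CONTACTS}


def _similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def check_recipients(recipients, threshold=0.85):
    """Classify each recipient as 'ok', 'block' or 'review'.

    ok     - exact match in the known-contact list
    block  - close to a known address or domain but not identical
             (likely typo or lookalike: hold the message for review)
    review - unknown address; confirm the recipient before sending
    Returns a list of (address, verdict, reason) tuples."""
    results = []
    for raw in recipients:
        addr = raw.strip().lower()
        if addr in KNOWN_CONTACTS:
            results.append((addr, "ok", "known contact"))
            continue
        if "@" not in addr:
            results.append((addr, "review", "malformed address"))
            continue
        domain = addr.split("@", 1)[1]
        # Near-miss of a whole known address, e.g. jane.smth@... (dropped letter)
        closest = max(KNOWN_CONTACTS, key=lambda k: _similarity(addr, k))
        if _similarity(addr, closest) >= threshold:
            results.append((addr, "block", f"resembles known contact {closest}"))
            continue
        if domain in KNOWN_DOMAINS:
            results.append((addr, "review", "new contact at a known domain"))
            continue
        # Near-miss of a known domain, e.g. acme-cilent.example (transposed letters)
        close_dom = max(KNOWN_DOMAINS, key=lambda d: _similarity(domain, d))
        if _similarity(domain, close_dom) >= threshold:
            results.append((addr, "block", f"domain resembles {close_dom}"))
            continue
        results.append((addr, "review", "not in known-contact list"))
    return results
```

A real deployment would hold any message with a "block" verdict until a person confirms the recipient, and would refresh the contact list from the firm's practice-management system rather than a hard-coded set.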
4. Third-party vendor risks (including AI)
Outsourcing services can introduce vulnerabilities if third-party vendors do not adhere to strict security protocols. When generative artificial intelligence (Gen AI) tools are used for tasks such as document analysis or contract review, sensitive client information may be leaked into those systems. This is a particular risk with Gen AI services that learn from user inputs, which may store confidential data and later expose it.
Prevention
Perform thorough due diligence before engaging third-party vendors.
Regularly review their security practices and ensure they comply with your firm’s cybersecurity standards.
Establish clear contracts that outline data handling responsibilities.
5. Inadequate security on personal devices
Many people use personal devices to access work information. Without adequate cybersecurity, a personal device can become an attacker’s access point into work systems.
Prevention
Increase the cybersecurity measures on personal devices so they are as secure as work devices.
Alternatively, allow your firm to place cybersecurity measures onto your personal devices, including your phone, tablet and laptop.
6. Neglecting physical security measures
Sensitive information can be leaked through lost or stolen devices and unauthorised physical access to office spaces.
Prevention
Implement robust physical security measures, including secure office access controls.
Encrypt devices that store sensitive information.
Use strong passwords and lock devices when not in use. Install software to find, secure and erase data on all mobile devices, including phones and laptops.
Proactive approach
Adopting a proactive approach to mitigating data leakage risk is vital for all law firms. By implementing simple yet robust strategies, firms can significantly enhance their cybersecurity posture.
Action Steps
- Cybersecurity standards: Consult the VLSB+C’s Minimum Cybersecurity Expectations. This is the best resource for law firms looking to implement a cybersecurity strategy.
- Data loss prevention (DLP) policies: Set up DLP policies that support good habits. Incorporate personal, technical and physical standards for the firm to uphold.
- Education and training: Regularly train employees on how to have good cybersecurity and privacy hygiene. Encourage practices such as double-checking email addresses by clicking on them to see the full address.