Cybersecurity and the Future of the Legal Industry

Dec 16, 2019
Written by Daniel Fane

As more of our lives move online, cybersecurity is becoming increasingly relevant to the average citizen.

In Australia, the Privacy Act 1988 (Cth) (‘Privacy Act’) protects how private organisations collect, store and use your personal information. It includes provisions relating directly to your digital information.

However, the 2019 Decoding Cybersecurity: Clause and Effect Report (‘The Report’) published by LexisNexis has questioned the effectiveness of Australian digital privacy protection. Indeed, following a roadshow of discussions amongst legal and IT professionals, the report expands on an earlier survey. Here we discuss what this report potentially indicates for the future of the legal industry.

Australian Privacy Principles (APPs)

First, we need to understand briefly how your digital privacy is protected under Australian law. Schedule 3 of the Privacy Act sets out the APPs. These cover how private organisations interact with your personal information, including:

  • How they collect it. The information must be necessary for at least one function of the organisation.
  • How they use it. In particular, how they use it to develop targeted advertising (APP 2).
  • Requirements for protecting your privacy with certain thresholds of security (APP 4).
  • Providing, where lawful and practical, the opportunity for anonymity (APP 8).
  • When data may be retained, and when it must be destroyed or have your name taken off it (APP 11).

Of note, the Privacy Act only applies automatically to certain organisations, namely:

  • Australian Government agencies
  • Private and non-profit organisations with over $3m in annual revenue
  • Health service providers

However, the Privacy Act does not apply to small businesses, except for:

  • Small business health service providers (such as gyms, private hospitals, child-care centres)
  • Small businesses that deal in purchasing and selling personal information
  • Credit reporting bodies
  • Any business that opts into the Privacy Act

We recommend contacting a lawyer if you are unsure of how your digital privacy may be affected by the law.


The Report

In the report, LexisNexis aimed to address 5 key topics of discussion. These were:

  1. The challenges cybersecurity poses to the legal industry.
  2. The current state of cybersecurity legislation.
  3. Common issues businesses face when complying with cybersecurity law.
  4. Whether law firms are practising these principles effectively.
  5. The future of cybersecurity law.

Accordingly, these lead to several key talking points on the current state of Australian cybersecurity. Here we discuss two of them. For the complete report, you can request a copy here.

Lack of industry confidence

Concerningly, a large majority of lawyers surveyed for the report felt that current cybersecurity legislation is insufficient. Likewise, a majority also admitted they were not comfortably familiar with recent Privacy Act amendments.

This was despite the report also noting a significant, consistent increase in the number of cybersecurity practice billings in 2019.

Thus, a confidence gap appears to exist between lawyers and digital privacy legislation. Naturally, as technology is constantly evolving, this gap may always exist. Furthermore, the law exacerbates this; the industry tends to react to changes, rather than proactively avoid them. Yet, given how data privacy affects the vast majority of people, this finding is somewhat concerning.

However, this doesn’t mean your digital privacy is suddenly exposed to breach or theft. While the findings are concerning, hopefully we will see a general industry response to address these shortcomings over the following year.

Playing catch-up

Furthermore, the report discussed changes to the Privacy Act implemented by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (‘PANDBA’). This act introduces guidelines for policy when it comes to potential breaches of data.

Specifically, it sets out when and how an organisation is to notify individuals that their data has been breached. These guidelines were modelled off Europe’s version of the Privacy Act, the General Data Protection Regulation (EU) (‘GDPR’).

However, the report noted general concerns from lawyers that key clauses present in the GDPR were still being mitigated, in particular a ‘right to be forgotten’ clause. This is a right for an individual to, upon request, have all personal data deleted by an organisation.

Likewise, the report discussed the Privacy Act’s current $3 million turnover requirement. With the amount of online data now shared between even small businesses, there are concerns this threshold is outdated.

What’s next?

Despite revealing some industry shortcomings, this report may serve to better the quality of digital privacy protection. The nature of law has meant it has always been slow to catch up to rapid social changes.

However, given the abundance of articles being written responding to the findings, lawyers are taking note. Hopefully, we see a strong response from the legal industry to address these concerns in the near future.
