Data privacy and the law

Regardless of a firm’s choice of data sharing techniques, said businesses will have to get ahead of the game if they are to better serve clients and navigate evolving regulatory and security requirements, writes Unisearch.
Unisearch with Professor Lyria Bennett Moses and Professor Scott Sisson – 09 November 2021
When the COVID-19 pandemic first hit, managing cyber security and data privacy was in the spotlight. For many firms, its “front-of-mind” presence has diminished as the “new normal” is accepted. Yet the widely adopted hybrid work-from-home/office decentralisation exposes law firms to significantly greater data privacy risk.
Professor Lyria Bennett Moses encouraged law firms to remain vigilant about risks associated with data breaches and prioritise data privacy security measures – particularly given the sensitivity of client information.
“From the Panama Papers to ransomware threats to publish data, lawyers have good reason to be concerned about protecting the confidentiality of their client’s information in the face of cyber threats. The risks of disclosure are primarily reputational and, to a lesser extent, the possibility of litigation by a disgruntled client. Legal requirements related to information security come from a variety of places, including the Privacy Act 1988 (Cth) APP 11, promises made in contracts, and the duty of care in tort,” she said.
“While the Legal Profession Uniform Law Australian Solicitors’ Conduct Rules 2015 rule 9 requires solicitors not to disclose confidential client information, they have less to say on the responsibility to keep information secret, other than a general standard to be competent and diligent (r 4.1.3). Data breach notification rules, which apply to the majority of law firms, and the related reputational risk are likely of more concern than professional conduct requirements and direct legal risk,” said Professor Bennett Moses.
“Lawyers also need to keep track of cyber security obligations for all organisations, law firms included, as these are likely to increase. The Attorney-General’s Department is conducting a review of the Privacy Act 1988, asking questions inter alia as to whether the small business exemption should be modified, whether changes should be made to security requirements and, most crucially, whether the act should be modified to include a direct right of action for those impacted by failure to comply with privacy obligations.
“Further, the Department of Home Affairs is exploring regulatory incentives for cyber security practices, referring to the same issues being considered by the Attorney-General’s Department as well as ways to encourage ‘secure by design’ practices, possible changes to the Australian Consumer Law, the possibility of creating an enforceable cyber security code, and potential reforms that would strengthen corporate governance of cyber security risk.”
Professor Scott Sisson concurred.
“Most cyber security advice focuses on authentication, access controls, firewalls, anti-virus protection, software updates and care in the face of social engineering attacks. All of those things are important. However, it is also worth considering whether data and information can be stored and used in such a way they are protected even if a third party gets access,” he outlined.
“In fact, third party access to and sharing of data is often a requirement of doing business. In this situation, there are a growing number of techniques available that are explicitly designed to allow for direct sharing of data between two parties, even those with mutual trust, that still provides a degree of privacy protection.”
At a practical level, suppose a law firm wishes to engage a data analytics firm to help it improve the accuracy of its costs estimates. For example, there is rich data in historic costs estimates, finance records, and invoices that could be used to provide better estimates, but these may also contain confidential information.
Alternatively, an international law firm may need to share data with overseas offices so that global trends can be understood. Or a firm might have the requirement to share information between departments or local offices or with employees analysing the data at home.
The question, therefore, becomes: can law firms extract value from their data without compromising its privacy and confidentiality?
“Firms need to share sensitive data, so it’s important to implement privacy-centric procedures that support sharing whilst limiting breaches. There are a number of approaches that data custodians can use when they need to release data – whether this is publicly within departments in a single organisation, within a small group of organisations, or between countries. It’s important to note that simply providing aggregated data is not enough to guarantee that your individual-level data remains private,” said Professor Sisson.
He provided further technical explanation, stating: “One data privacy technique, known as ‘differential privacy,’ adds a random number, positive or negative, to each data point – so in principle, the larger numbers that are added, the more secure the data becomes, although the data are then less accurate.”
“Another approach is applying a ‘synthetic data’ model that randomly generates data with similar properties to the real data. Then there’s ‘federated learning’, which is a decentralised technique that shares the result of data analyses rather than the data itself. And finally, ‘homomorphic encryption’, which allows data analysis to be directly performed on encrypted data,” he detailed.
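The privacy/accuracy trade-off described for differential privacy can be measured directly. The following is an added example, not part of the original article: it assumes Laplace-distributed noise, a privacy parameter `epsilon`, public clipping bounds, and constructed invoice figures, none of which appear in the article.

```python
import random
import statistics

# Constructed sample data: invoice totals (AUD) for 20 hypothetical matters.
INVOICES = [4200, 18500, 950, 7300, 26000, 3100, 12750, 640, 9800, 15200,
            2300, 31000, 5600, 870, 21400, 6900, 11100, 1450, 8200, 17600]
LO, HI = 0, 40000   # assumed public bounds; every value is clipped to them


def laplace(rng, scale):
    """Laplace(0, scale) noise as the difference of two exponential draws."""
    return scale * (rng.expovariate(1.0) - rng.expovariate(1.0))


def privatise(values, epsilon, rng):
    """Add a positive or negative random number to each data point.

    One clipped record can move by at most HI - LO, so Laplace noise with
    scale (HI - LO) / epsilon makes each released value epsilon-DP.
    """
    scale = (HI - LO) / epsilon
    return [min(max(v, LO), HI) + laplace(rng, scale) for v in values]


def mean_error(values, epsilon, trials=500, seed=2021):
    """Average absolute error of the mean computed from noisy records."""
    rng = random.Random(seed)
    truth = statistics.fmean(min(max(v, LO), HI) for v in values)
    errors = [abs(statistics.fmean(privatise(values, epsilon, rng)) - truth)
              for _ in range(trials)]
    return statistics.fmean(errors)


def tradeoff(values, epsilons=(0.5, 2.0, 8.0)):
    """Map each privacy budget to the accuracy lost when estimating the mean."""
    return {eps: mean_error(values, eps) for eps in epsilons}


if __name__ == "__main__":
    for eps, err in tradeoff(INVOICES).items():
        print(f"epsilon={eps:>4}: noise scale {(HI - LO) / eps:>8.0f}, "
              f"mean off by about {err:,.0f} AUD")
```

A smaller `epsilon` means larger noise and stronger protection for each record, and the error in the estimated mean grows in proportion, which is why a small dataset such as this one tolerates little per-record noise before the estimate stops being useful.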
“Which data sharing technique to use in a law firm will depend on the exact analytical needs and sensitivity of the data involved – and it may be that different methods are required for different situations. As such, we encourage legal practices, independently of size, to invest in a data-privacy audit through a professional organisation to determine how the firm’s data privacy needs can best be achieved.”
In addition, Professor Bennett Moses strongly suggested the legal industry “get ahead of the game”, both internally and in assisting corporate clients with the possibility of increased information security requirements.
Unisearch is a leading provider of expert opinion services. Professor Lyria Bennett Moses is a Unisearch expert and professor at 亚美棋牌’s faculty of law and justice, as well as serving as a director for the Allens Hub for Technology, Law and Innovation. Professor Scott Sisson is a Unisearch expert and director of the 亚美棋牌 Data Science Hub in the School of Mathematics and Statistics at 亚美棋牌.