Managing day-to-day client records is something most legal practices carry out well.
Using that client data to manage and develop client relationships is something only a handful of practices do satisfactorily. It’s a lesson we are yet to learn from the broader business world.
So if we aren’t using that client data, why and how are we storing it?
“People pretend data is gold – it isn’t; it’s uranium – super useful if used correctly and incredibly dangerous to just have lying around.”1
The recent Optus hack highlights the security risk of storing data you no longer need. In Optus’ case 11.2 million records were allegedly stolen. With a current customer base of about 5.8 million, Optus was holding about 5.4 million records belonging to former customers.
So where is your legal practice’s data stored? How secure is it? According to Minister for Cyber Security and Home Affairs Clare O’Neil, in a discussion with Laura Tingle on the ABC’s 7.30 Report (Monday 26/9/2022), Optus allegedly left a door open to its data and the hackers just waltzed in.
Most legal practices hold their clients’ full names, addresses, emails and telephone numbers. Many also hold dates of birth. Adding identity documents such as passports, driver’s licences, Medicare cards, tax file numbers and/or bank account details opens the floodgates for identity theft if a cyber intruder enters your system.
The cyber intruder may not release these personal details immediately, but instead hold them for ransom, release them piecemeal, or taunt you with threats of release for years to come.
The loss of client confidence following a cyber intrusion may be devastating to the sustainability of your legal practice, and to your personal wellbeing.
Are you storing only the necessary information?
The Privacy Act 1988 (Cth) regulates how businesses should handle personal information. While the Privacy Act may not apply to your legal practice, it is a model of best practice and opt-in compliance is encouraged.
- Collecting unnecessary personal information is a breach of the Act. You should not scan, copy, email or store a client’s driver’s licence if sighting it is sufficient.
- Collect sensitive information only if it is reasonably necessary for the services being delivered and you have the client’s consent.
What to retain when verifying identity?
Where verification of identity is required, it is strongly recommended that you follow the VOI Standard.2
If verification of identity is not formally required, it is still strongly recommended that you take steps to verify the identity of your client. Evidence supporting the verification process ought to be retained to demonstrate that reasonable steps were taken. Rather than copying or scanning the client’s identification documents, record the details of the verification process (which documents were sighted, when and by whom) in a file note.
The Queensland Law Society Business Advisory Service offers cybersecurity advisory assistance to QLS full members. If you would like to ensure you have shut, locked and secured the doors to your cyber systems, please call or message the Ethics Centre for a referral on 07 3842 5843.
Judy Hayward is a Queensland Law Society Special Counsel and Practice Management Consultant.
1 A quote from an anonymous source to the ABC, thought to be a paraphrase of Cory Doctorow, ‘Personal data is as hot as nuclear waste’, The Guardian (16.01.2008).
2 See the Australian Registrars’ National Electronic Conveyancing Council (ARNECC) Guidance Note 5, Retention of Evidence, and item 3.3(b) of [61-2700] Land Title Practice Manual, which requires the identity verifier to retain a copy of all documents produced by the person being identified. See also [61-2330] Land Title Practice Manual concerning a witness’s record-keeping obligations.