Lawcovernotes December 2017

9. A solicitor’s duty of confidentiality is fundamental to legal practice. Conduct Rule 9 states that a solicitor “must not disclose any information which is confidential to a client and acquired by the solicitor during the client’s engagement” except in very limited circumstances. Breach of a conduct rule is capable of amounting to unsatisfactory professional conduct, or professional misconduct, so disclosing client information can have serious consequences for solicitors.

While deliberately disclosing client information is clearly a breach of the rules, what is not clear is whether inadvertent or negligent disclosure might also amount to a breach. For example, a solicitor absent-mindedly leaves a client file on a train. While there is no intention to disclose the client’s confidential information, it is certainly the case that it has been disclosed and, arguably, the solicitor has breached the rules. Taken one step further, imagine that instead of leaving a client file on a train, the solicitor leaves their computer system vulnerable to a cyber attack. If such an attack occurs and client information is disclosed, does that also constitute a breach of the rules? Arguably it does, and the solicitor is at risk of facing disciplinary action.

It is this vulnerability to cyber attacks, and the increasing frequency with which they are occurring, which has led the Federal government to bring in the Mandatory Breach Reporting regime under the Privacy Act. That regime comes into effect in February 2018 and requires that breaches of privacy which could lead to “serious harm” be notified both to the Office of the Australian Information Commissioner, and to the affected person. That requirement is mandatory and there are penalties for non-compliance. Solicitors are more vulnerable to breaking the rules if their systems lack appropriate safeguards.
Solicitors who take reasonable steps to secure their systems against cyber attacks are not only protecting their own business assets, they are also fulfilling their obligations to safeguard their client’s information and privacy. Many law practices will be subject to the Privacy Act, but even law practices which are not covered by this regime are required to treat clients’ confidential information with utmost care.

Elissa Baxter, General Counsel

Cyber security breaches can cause enormous inconvenience and loss to a legal practice, but they may also have disciplinary consequences.
