New ransomware reporting rules raise stakes for law firms
Most companies targeted for ransomware payments cough up. For law firms, a decision to pay is mired in ethical and regulatory challenges.
Two years on from HWL Ebsworth’s mass data breach, Sydney law firm Brydens Lawyers is weathering the storm of a recent cyber attack — with court injunctions in place to halt the spread of compromised data. HWL Ebsworth didn’t pay up, and from public statements, it appears Brydens has followed a similar path.
Next month, ransomware payment rules for businesses with an annual turnover of at least $3 million will place a spotlight on the vulnerability of law firms and other businesses to cyber risk and reveal just how common ransom payments are in the legal industry.
"There is some speculation that a number of law firms have paid in the past, said McGrathNicol partner Darren Hopkins, who worked on the HWL Ebsworth breach response. “And I think there’s some large firms that have paid large sums of money.”
While the new rules won’t make ransom payments illegal, companies will be required, for the first time, to report any such payment to the Australian Signals Directorate, much like current requirements to notify the privacy regulator of a Notifiable Data Breach.