Cyber Security Q&A with Campbell Mckenzie

For a deeper understanding of these topics, consider attending Digital Law, Data, and Cyber Security Intensive, where Campbell McKenzie shares his expertise.

How can robust cybersecurity controls protect your law firm and ensure compliance with legal standards?

Law firms handle highly sensitive client information and financial transactions, making them prime targets for cyberattacks. Effective cybersecurity begins with strong governance, guided by frameworks such as the CIS Controls. These controls have evolved into a prioritised set of specific actions designed to mitigate common cyber threats. The ability to prioritise and categorise these controls makes them particularly effective, allowing firms to focus on key measures that offer the greatest reduction in cyber risk—providing the most “bang for your buck.”

Implementing these controls not only minimises the risk of cyberattacks but also ensures a structured response if an incident does occur.

Here are a few key cybersecurity considerations for law firms:

• Legal & Regulatory Compliance: The Conduct and Client Care Rules and the New Zealand Privacy Act 2020 mandate proper handling of personal and sensitive data. Firms must be prepared for mandatory breach notifications if client data is compromised.
• Security Beyond Standard Software: A generic software package may not offer the security measures required for a law firm, such as multi-factor authentication (MFA), encryption, and secure document management.
• Evolving Cyber Threats: Attackers continuously adapt to bypass security controls. A current trend is the theft of MFA tokens through advanced phishing techniques.
• Human Error as a Key Risk: Human factors are the leading cause of cyber incidents. It is therefore crucial that lawyers undertake at least annual cybersecurity awareness training, including education on how to recognise social engineering and phishing attacks.

How can staying updated on the latest advancements in document analysis and review tools enhance your law firm’s ability to manage digital evidence and maintain data security?

Traditionally, electronic document review tools offered basic functions such as searching, reviewing, coding, and producing documents for court. However, modern tools now integrate AI-powered features, including ‘GPT’ models that can assist in locating and summarising key points within a dataset.

Legal professionals must comply with the High Court Rules Discovery Checklist, which requires the use of advanced filtering techniques to manage large volumes of documents effectively. Given the increasing reliance on these tools, it is critical to ensure that all outputs remain traceable to the original source. This includes verifying:

• Where the document was collected from (device or cloud location).
• Who the author of an email is.
• How reliable an AI-generated summary is.

Using forensic-grade tools ensures that digital evidence remains unaltered, maintaining admissibility in court and aligning with discovery rules.

Additionally, as most document review platforms are now cloud-based, they must be secured against accidental or malicious data loss. The New Zealand Office of the Privacy Commissioner (OPC) mandates the use of multi-factor authentication (MFA) for protecting digital records:

“Two-factor authentication is a bare minimum we would expect for small businesses or organisations that hold or share personal information digitally. If you are a small business that has a cyber-related privacy breach and don’t have at least two-factor authentication in place, expect to be found in breach of the Privacy Act.”

— New Zealand Privacy Commissioner

Source: Privacy.org.nz

Is it really necessary for a law firm to have an incident response plan, or can they seek advice when a breach occurs?

Many New Zealand professional services firms have suffered cyberattacks in the past five years. From our experience in assisting clients through breaches, those that had prepared in advance were significantly better equipped to respond quickly and effectively, reducing the overall impact.

Waiting until a breach occurs before seeking advice is a high-risk strategy, especially given the legal profession’s duty to protect client confidentiality.

The Office of the Privacy Commissioner (OPC) outlines several key requirements for effective privacy breach management:

• A Fully Tested Incident Response Plan – This should be practised in a simulated scenario to ensure readiness.
• Timely Breach Notification Compliance – Organisations must assess and report breaches within OPC’s required timeframes.
• An Incident Log – Firms should record all security incidents, including near misses.
• Staff Training on Identifying and Escalating Incidents – Employees must know how to spot potential breaches and report them to the appropriate team.

Source: Privacy.org.nz – Breach Management

A well-tested incident response plan enables law firms to detect, contain, and recover from cyberattacks efficiently, minimising disruption while safeguarding both client data and the firm’s professional reputation.

Need Expert Assistance?

Incident Response Solutions specialises in helping New Zealand law firms prepare for, respond to, and recover from cyber incidents.

Call us on 0800 WITNESS

Visit us at incidentresponse.co.nz

Disclaimer: The statements, analyses, opinions and conclusions in Legalwise Insights are those of the respective authors and not of Legalwise Seminars Pty Ltd which acts only in the capacity as editorial co- ordinator of the content in Legalwise Insights. No part of any article can be regarded as legal or financial advice. Although all care has been taken in the preparation of all articles, readers must not alter their position or refrain from doing so in reliance on any information contained therein. Neither the respective authors nor Legalwise Seminars Pty Ltd accept or undertake any duty of care relating to any part of Legalwise Insights

Liability limited by a scheme approved under the Professional Standards Legislation