Reports last week revealed that computer hackers in China who had “attacked” the federal Department of Finance, Treasury Board and departments within the Saskatchewan government in 2010 were attempting to obtain confidential information about the $40 billion takeover attempt of Potash Corp. of Saskatchewan by Australian company BHP Billiton Ltd., a sale Ottawa refused to approve.
Although friends and colleagues in Saskatchewan told me they were flattered that both “Saskatchewan” and “potash” were the subject of international intrigue, high-tech espionage and a potential plot for a James Bond movie, one of the most interesting aspects to the story was that the hackers also targeted the two primary Toronto law firms involved in the transaction: Blake Cassels & Graydon LLP, which represented BHP, and Stikeman Elliott LLP, which represented Potash Corp.
The law firms had sophisticated Internet security systems in place to prevent the malware from accessing and disclosing any confidential information about the transaction or any other client information. But the fact cyber-spies interested in the potash deal would attack law firms for information that might give them, their “customer,” or perhaps their country an edge, should reinforce within the legal community the importance of continuously maintaining and updating online security. If cyber spies can’t get the intelligence they want from the source, they might target its legal, accounting and other professional service providers.
The Canadian Bar Association’s code of professional conduct states: “The lawyer has a duty to hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship, and shall not divulge any such information except as expressly or impliedly authorized by the client, required by law …” So lawyers have a duty to keep client information confidential and secure, whether that information is on paper or within their servers.
There is regular discussion in my professional circles about the need for rigorous Internet security and, lately, why storage of an electronic document relating to a client’s business transaction “in the cloud” may put our obligations of confidentiality at risk. Even taking a laptop home at night or to a conference may breach that obligation if the laptop is lost and the information is accessed by a third party. So, as much as I get annoyed with constantly having to change (and to remember) complicated passwords, there is a good reason for constant upgrades of online security features, and a cyber attack on Canadian law firms should remind all of the country’s lawyers that security must not be taken for granted.
But this story isn’t necessarily for large clients engaged in $40-billion transactions or, for that matter, their big law firms. I’ve been around enough transactions in my career to know that there are rarely only two parties and two law firms involved in a complicated deal. A large transaction often involves a myriad of other parties who will have their own lawyers. And although one expects the big Bay Street or Burrard Street law firms to have sophisticated Internet security systems in place, how secure are the other parties’ servers and how secure are the servers of their smaller “boutique” law firms to a cyber attack?
Likewise, small startup businesses in high-tech or bio-tech may have extremely valuable confidential information on their servers that they have created or acquired, and it may be so valuable that competitors in other parts of the world might want to snoop around to get that competitive edge they otherwise wouldn’t get. Due to costs, some of these startups might be using smaller and less expensive legal and accounting firms outside of a downtown core, where online security might be limited to spam filters and anti-virus software.
The BHP/Potash story should serve as a wake-up call to clients who need to be sure the confidential information contained on their lawyer’s servers relating to their businesses will be kept confidential and secure, and immune from attack by cyber criminals or cyber spies.
It’s more than fair to ask your lawyers, and indeed your accountants and other service providers, about their internal cyber-security systems, especially if the information they are providing to you or the work product you are providing to them would cause horrific damage or embarrassment if disclosed.
Special to The Globe and Mail
Tony Wilson practices franchising, licensing and intellectual property law at Boughton Law Corp. in Vancouver, and he is an adjunct professor at Simon Fraser University. His newest book, Manage Your Online Reputation, was recently published. His column appears every other Tuesday on the Report on Small Business website.
Join The Globe’s Small Business LinkedIn group to network with other entrepreneurs and to discuss topical issues: http://linkd.in/jWWdzT