HWL Ebsworth is facing an official investigation by Australia’s privacy watchdog following a cyber security incident last year.
The investigation will cover whether the law firm violated the Privacy Act by failing to protect sensitive data or by failing to properly notify individuals affected by the breach.
The breach saw 1.1TB of data stolen by hackers and affected the data of 65 government agency clients as well as data belonging to private firms.
The Office of the Australian Information Commissioner (OAIC) made “preliminary inquiries” at the time of the breach last year, but said there was now a need to open a formal investigation into the law firm’s “personal information handling practices”.
Depending on the outcome of the investigation, the law firm could face civil penalties or orders to compensate individuals affected by the hack, such as National Disability Insurance Scheme (NDIS) participants whose sensitive medical records were leaked.
If OAIC “is satisfied that an interference with the privacy of one or more individuals has occurred,” HWL Ebsworth could be ordered “to take specified steps to ensure that the relevant act or practice is not repeated or continued and to redress any loss or damage suffered by reason of the act or practice,” a statement read.
OAIC said that its investigation will cover both the protections HWL Ebsworth had in place before the breach and the actions it took to mitigate the damage to individuals affected by it.
“The OAIC’s investigation is into HWL Ebsworth’s acts or practices in relation to the security and protection of the personal information it held, and the notification of the data breach to affected individuals,” it said.
NDIS participants and prospective participants have accused HWL Ebsworth of running “fishing expeditions” in cases they were involved in, putting the firm in receipt of a large amount of personal and sensitive data.
The firm declined to answer iTnews’ questions about why it collected so much information or if it had a data retention policy that would delete sensitive information once the alleged requirement for it had elapsed.
Some 644 appellants in cases involving the NDIA were caught up in the HWL Ebsworth breach. They still have not been told which of their specific health records were exposed.
Others complained that they could not check which of their records had leaked because a Supreme Court injunction prevented them from accessing the stolen data set.