The Shared Responsibility Model: Why "using Cloud" doesn't Equal being "Cyber Safe"
Exploring Cloud risks
James Cole, Partner
Companies often believe that using "Cloud" makes them safe and transfers all of their cyber risk; this is simply not true. Companies have many of the same responsibilities, and even some new liabilities, when using Cloud-based services.
Recent years have seen an increased transfer of business IT systems and services into third-party owned and operated systems "in the Cloud". While Cloud-based systems do help to reduce certain risks and lower total cost of ownership of a system, they can also increase an organisation's risk exposure, whether it's from cyber and data incidents or regulatory risk.
When your business moves a system into the Cloud, what you are transferring is the risk of operating the physical hardware and some of the underlying infrastructure software and related security. However, your business remains liable for many aspects of the system's security and for all of the data that you collect, process, store, and disclose in the process. Your business may also take on new legal obligations and risks when using Cloud-based systems.
In practice, this means businesses need to understand the risks associated with using Cloud services and actively identify, minimise and manage those risks: by incorporating cyber and privacy as core components of their enterprise risk framework, and by doing detailed due diligence on every Cloud Service Provider (CSP) they use.
Understanding the Shared Responsibility Model and Your Cloud Risks
When it comes to Cyber and Privacy, we frequently hear people say: "we use Cloud so we're safe" or "we transferred our risk to the Cloud".
However, using Cloud services does not transfer the majority of your cyber and privacy risks. You are still the one responsible for a large portion of the security and management of the system and all of the data you store or process in the Cloud. The Cloud Service Provider (CSP) only assumes some specific, and limited, aspects of the security and management of the system. You may also have increased legal risks as a result of using a CSP.
The relationship between you and your CSP is governed through a security and compliance framework, integrated into Cloud Service agreements known as the Shared Responsibility Model (SRM).
The Shared Responsibility Model is a security and compliance framework that outlines the responsibilities of Cloud Service Providers (CSP) and customers for securing every aspect of the cloud environment. This includes the hardware, underlying infrastructure, endpoints (i.e. your laptop or phone), data, configuration and settings, operating system (OS), network controls, access rights, monitoring and breach response.
So who is a CSP? You probably use a few of them. You are likely familiar with Microsoft 365 and Gmail. But there are other well-known commercial CSPs such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Salesforce, Xero, SAP, and so on. Basically, almost any third-party provider that supplies you with "online" software, infrastructure or platforms is likely to be a CSP.
The SRM establishes a clear line of responsibility. The CSP must monitor and respond to security threats related to the cloud itself and its underlying infrastructure. The customer, whether an individual or a company, is responsible for securing and monitoring the data and other assets they store in any cloud environment. The customer is also responsible for configuring, managing, and monitoring the security settings inside the cloud service. The CSP may provide security features, but it is the customer who is responsible for configuring and monitoring those features.
Unfortunately, this notion of shared responsibility is often poorly understood, leading to the assumption that your Cloud-based workloads, applications, data, and platforms are fully protected by the CSP. As a result, users can unknowingly run workloads in a public cloud that are not fully protected. That leaves them vulnerable to attack and increases their Cyber and Privacy risks, particularly the unmanaged risks that result in costly breaches.
There are also substantial legal issues that can arise when using Cloud beyond just security. You can be held responsible for any breaches of privacy laws, including the laws of wherever the CSP is storing the data - even if that's another country. Data sovereignty is an issue we discuss in more detail below.
There are three main cloud service models:
1. Software as a service (SaaS)
2. Infrastructure as a service (IaaS)
3. Platform as a service (PaaS)
Each of these cloud models are subject to the concept of the shared responsibility model. However, ownership of security tasks and functions varies depending on the delivery model in use.
Software as a service (SaaS): SaaS is a software delivery model where a customer subscribes to access software hosted by the vendor on underlying systems that the vendor owns or operates. Xero and Microsoft Office Online are examples of SaaS systems. In this model, the provider is responsible for application security, its maintenance and management, and the legal issues associated with data sovereignty and disclosure - such as offshoring personally identifiable information if the SaaS provider hosts the software in another country.
Platform as a service (PaaS): PaaS is a platform delivery model that can be purchased and used to develop, run and manage applications. In this model, the vendor provides both the hardware and software generally used by application developers; the service provider is also responsible for some aspects of the platform and infrastructure security.
Infrastructure as a service (IaaS): IaaS is an infrastructure delivery model in which a vendor provides a wide range of compute resources, such as virtualised servers, storage and network equipment, over the Internet. In this model, the customer is responsible for maintaining the security of anything they own or install on the cloud infrastructure, such as the operating system, applications, middleware, containers, workloads, data and code.
Depending on the specific services used, Amazon AWS and Microsoft Azure can be examples of PaaS and IaaS systems.
Who has responsibility for what in Cloud models can be complex and depends heavily on the model being used, the usage, and even the country hosting the Cloud service.
One important point to note is that the customer is always responsible for the legal obligations arising under privacy law with respect to the data they collect, process, store, and disclose in or through Cloud services.
The CSP is generally only responsible for the underlying technology and making security features available. With SaaS applications, the vendor is also responsible for some aspects of the application security, such as security of the application code, but they are not responsible if the customer fails to turn on and use a security feature, such as Multi-Factor Authentication.
The vendor is generally responsible for the security and maintenance of the underlying networks and hardware that support the existence of the Cloud service. Almost all other aspects of security are the responsibility of the customer.
Direct Control
Direct control is a critical concept in the SRM. Essentially, it boils down to this: the party that has direct control over an asset in the Cloud is the party fully and completely responsible for it. For example, since you control what data goes into a Cloud application, you are solely responsible for that data. Since the CSP has direct control over the physical server in the data centre hosting the application, the CSP has full and complete responsibility for that hardware.
The customer will always have responsibility for data security, compliance and access control regardless of what cloud model is being used.
Customers are typically also responsible for:
- the data;
- user access control and credentials (including MFA);
- identity and access management;
- endpoint security;
- network security;
- security of workloads and containers;
- configuration of the service;
- APIs and middleware;
- code they create on development platforms; and
- security monitoring and response inside the cloud environment.
The CSP is typically responsible for the security of:
- the physical hardware and infrastructure assets;
- the virtualisation layer;
- network controls and provider services underlying the service; and
- physical facilities, such as the data centres that host the Cloud service.
In some IaaS and PaaS models, security responsibilities may vary depending on the nature of the service and the services agreement. For example, if a customer is storing data in a cloud service such as Dropbox, the CSP is responsible for all aspects of the data centre security and for software vulnerabilities in its mobile app. However, the customer is wholly responsible for securing any data they store in that service: determining who can access and download copies of the data, encrypting the data, and complying with all laws applicable to the data, such as the privacy laws.
Based on the concept of divided responsibility, neither party has authority over how the other protects its own assets. For example, a customer cannot dictate how or when their CSP monitors and tests the security of the physical hardware. That doesn't mean the customer is absolved of their responsibility to conduct due diligence. If you are storing personally identifiable data in the CSP's service, you are the Controller and can be held liable if you use an insecure CSP service.
Most reputable CSPs have detailed trust and security disclosures publicly available on their website. If they are publicly traded, they may also make market disclosures about their cybersecurity (especially those regulated by the US Securities and Exchange Commission, as of the end of 2023).
The SRM is critical to understanding what you can and cannot hold a CSP liable for in a breach situation. Many companies have tried, following a major cyber security incident, to take legal action against a CSP to recover damages - unsuccessfully due to the SRM.
System hacks involving cloud-based data are extremely common. We often see breaches involving Cloud services such as Microsoft 365 that succeed only because the customer failed to configure the MFA security features in M365 and failed to implement basic monitoring and detection controls. In this example, it would be challenging to bring an action in negligence against Microsoft, because the victim company may itself have been negligent in not enabling and using Microsoft's provided security features.
While there have been some cases in the United States to test the SRM, thus far nobody has successfully brought an action against the CSP for a breach involving any area of customer responsibility under the SRM.
While the SRM can be complex at times and requires careful consideration and coordination between the CSP and customer, the approach offers several important benefits to users. These include:
- Efficiency: Though the customer bears significant levels of responsibility under the SRM, some key aspects of security, such as hardware and virtualisation technology risks are managed by the CSP. In a traditional on-premises model, these aspects were managed by the customer. This transfer of risk can free up the customer's resources to focus on other areas of security and lower total cost of ownership.
- Enhanced protection: Most, but not all, CSPs are heavily focused on security in their cloud environment and often attain difficult and costly independent certifications. But it remains the customer's responsibility to validate the CSP's monitoring and testing, patching and updating, and data sovereignty compliance.
- Cost of Ownership: Hardware ages and fails, and uses a lot of electricity. Server racks generate large quantities of heat and pose substantial fire risks. By transferring to a Cloud-based system, customers no longer carry the bulk of those risks. The customer doesn't have to buy new servers every few years as the current ones reach End of Life, run an air conditioner 24/7/365 in a server room, or risk a failed hard drive losing all their data. The purchase and maintenance of physical hardware is a substantial cost that is transferred as part of the move to Cloud.
As organisations shift to the cloud, many are defining their relationships with CSPs for the first time and only just learning about the SRM. There are a number of key considerations to include in your due diligence before you sign up to that Cloud service:
1. Carefully review the service agreement. Security responsibilities will differ depending on the cloud model, cloud provider and other variables. It is critical for organisations to carefully review the service agreement to ensure they are fully aware of their security responsibilities and to identify any potential areas that need to be clarified.
2. Examine data sovereignty issues. Customers are wholly responsible for the data they put in a Cloud service, and that includes compliance with data sovereignty requirements. You need to know the legal status of the data going into the Cloud-based system and ensure that the CSP's hosting is consistent with your legal obligations and does not expose you to contraventions of law, legal claims, class actions, or increased geo-political risk factors.
3. Prioritise data security. Cloud customers are always fully responsible for any data stored in the cloud or produced by applications in the cloud. As such, organisations must develop a robust data security strategy for each Cloud service they use.
4. Ensure robust user credential management. The cloud customer is also completely responsible for defining user access rights and requiring key controls such as MFA. (If a CSP doesn't offer MFA as part of the service, that is a substantial risk to be examined in detail.)
5. Get independent legal advice. Cloud security and liability issues are fundamentally different from securing on-premises systems. Updating and adapting the cybersecurity strategy and legal agreements to address new cloud-based risks can be both overwhelming and complicated. It's important to know what legal risks you are taking before you take them. That includes before you simply agree to a Cloud-service subscriber agreement online.
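To make the customer-side responsibilities concrete, here is an added example (not code from the original page or from any CSP) that checks a constructed tenant export against three of the due-diligence items above: MFA coverage on user accounts, audit logging inside the service, and data residency of personal information. The export format, its field names, the allowed region and the retention threshold are all assumptions made for illustration and do not correspond to any provider's real API.

```python
"""
Customer-side Shared Responsibility Model check (added example, not code
from the original page or from any CSP).

Assumptions (hypothetical, not any provider's real export format):
  - the tenant export is a dict with "users", "audit_logging" and
    "data_stores" keys shaped like SAMPLE_EXPORT below;
  - personal information must remain in the regions in ALLOWED_PII_REGIONS.
"""
import json
from dataclasses import dataclass

# Constructed sample export: one admin without MFA, audit logging switched
# off, and a PII store hosted outside the permitted region.
SAMPLE_EXPORT = {
    "users": [
        {"name": "alice", "mfa_enabled": True, "admin": True},
        {"name": "bob", "mfa_enabled": False, "admin": True},
        {"name": "carol", "mfa_enabled": False, "admin": False},
    ],
    "audit_logging": {"enabled": False, "retention_days": 0},
    "data_stores": [
        {"name": "hr-records", "region": "ap-southeast-2", "contains_pii": True},
        {"name": "marketing-assets", "region": "us-east-1", "contains_pii": False},
        {"name": "crm-export", "region": "us-east-1", "contains_pii": True},
    ],
}

# Assumption: personal information must stay in an Australian region.
ALLOWED_PII_REGIONS = frozenset({"ap-southeast-2"})
# Assumption: logs must be kept long enough to investigate a breach.
MIN_LOG_RETENTION_DAYS = 90


@dataclass(frozen=True)
class Finding:
    control: str   # which customer-side responsibility the finding belongs to
    severity: str  # "high" or "medium"
    detail: str


def check_mfa(users):
    """MFA is the customer's responsibility: flag every account without it,
    rating privileged accounts as high severity."""
    findings = []
    for u in users:
        if not u.get("mfa_enabled", False):
            sev = "high" if u.get("admin") else "medium"
            findings.append(Finding("mfa", sev, f"user {u['name']} has no MFA"))
    return findings


def check_logging(cfg):
    """Monitoring inside the service is the customer's job: logging must be
    enabled and retained long enough to support an investigation."""
    if not cfg.get("enabled", False):
        return [Finding("audit_logging", "high", "audit logging is disabled")]
    days = cfg.get("retention_days", 0)
    if days < MIN_LOG_RETENTION_DAYS:
        return [Finding("audit_logging", "medium",
                        f"retention {days}d below {MIN_LOG_RETENTION_DAYS}d")]
    return []


def check_residency(stores, allowed_regions):
    """Data sovereignty stays with the customer: PII hosted outside the
    permitted regions is the customer's legal exposure, not the CSP's."""
    return [
        Finding("data_residency", "high",
                f"store {s['name']} holds PII in {s['region']}")
        for s in stores
        if s.get("contains_pii") and s.get("region") not in allowed_regions
    ]


def assess(export, allowed_regions=ALLOWED_PII_REGIONS):
    """Run all customer-side checks over a tenant export dict."""
    return (check_mfa(export.get("users", []))
            + check_logging(export.get("audit_logging", {}))
            + check_residency(export.get("data_stores", []), allowed_regions))


def assess_json(text, allowed_regions=ALLOWED_PII_REGIONS):
    """Same checks over a JSON string, e.g. a file exported from the tenant."""
    return assess(json.loads(text), allowed_regions)


if __name__ == "__main__":
    for f in assess(SAMPLE_EXPORT):
        print(f"[{f.severity.upper():6}] {f.control}: {f.detail}")
```

Each finding maps to a responsibility the SRM leaves with the customer, so a clean run is evidence you can keep for your own due-diligence file; none of these findings is something the CSP would report or remediate on your behalf.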
In response to the growing complexity of the cyber and privacy regulatory landscape, AB's Cyber team have put together a broad range of services to help business of all sizes. You can learn more about our Cyber and Privacy Solutions here.
One key product to help businesses better understand their cyber risks is the Cyber Readiness Assessment - learn more about our Cyber Readiness Assessment here. This service is designed to:
- identify the gaps in your cyber risk management;
- build better understanding of your cyber and privacy obligations;
- help you establish and demonstrate regulatory compliance; and
- assist you in obtaining or renewing your cyber insurance coverage.
Want to chat?
Our Head of Cyber, James Cole, is only an email away.
Emotionally intelligent advice
While for the modern lawyer being able to manage relationships is par-for-the-course, our experience is that the impact that emotional factors can have on business outcomes is vastly underestimated. Human issues represent an entire spectrum of factors that can have very little to do with the legal merits of an issue, and can provide opportunities for leverage as well as unique avenues towards resolution. When managed well they can lead to exceptional outcomes that would not have seemed possible when assessing the matter on paper.
Testimonials
What sets AB apart is their flexible and pragmatic approach - they share our values, our DNA, and they think outside the box. The team are highly skilled commercial lawyers who possess unparalleled expertise in regulatory areas, a deep understanding of business, and exceptional negotiation skills.
Regan Carey
Head of Legal and Compliance
Craigs Investment Partners
AB offers exceptional legal advice delivered by highly skilled and brilliant lawyers who are fantastic to deal with; personable, easy to talk to and compassionate. The commerciality of their advice is matched only by their commitment to simplifying the law and finding practical, creative solutions!
Tas Demos
Managing Partner
BDH Leaders
Interested?
We'd love to work with you!
If you've decided now is the time, just get in touch and we can put a proposal together ASAP!
Also, while our rates are always competitive, they become even more so when the projects scale - so why not do a few things at once?
The sooner you get in touch, the sooner we can tick these issues off your list, leaving you free to focus on what's important.
All the best from the AB Cyber and Privacy Team!
Winner - Best Fintech Law Firm 2023 (Australia)
Winner - Best Emerging Fintech Law Firm 2022 (Australia)
AB is a modern law firm with a focus on advising in technically specialised areas. While strong technical expertise forms the foundation of our approach, we distinguish ourselves by combining it with a genuine focus on business objectives and risk, and a nuanced understanding of the emotional factors that underpin legal matters.
AB provides high-end legal expertise delivered with the commerciality and cost sensitivity expected by a start-up. With leading advisors in financial services, cyber & privacy, technology, litigation, and insurance, we pride ourselves on our ability to tackle the hard problems.
Assessment Solutions
A Privacy Capability Assessment provides a holistic snapshot of your organisation’s approach to handling personal information and assesses whether your capabilities align with your privacy objectives and legal obligations.
By contrast, a Privacy Impact Assessment (PIA) analyses an existing or proposed project, practice or technology and assesses its level of compliance with the privacy laws - such as the Australian Privacy Principles (APPs). A PIA takes a deep dive into a particular initiative, examines its data flows, and ensures the initiative is compliant with the relevant APPs and any other applicable privacy rules.
Yes.
You should revisit your PCA on at least an annual basis and see if anything has changed. You need to update the PCA if you have made changes to:
- your personal information handling practices;
- storage;
- vendors / suppliers;
- systems; or
- the types of personal information you collect, process, store, or disclose.
You should also update the PCA anytime the privacy laws change or your business practices change and you gain exposure to new privacy rules or foreign privacy laws.
A Privacy Impact Assessment (PIA) is a process used to protect privacy-by-design when you start or acquire a new business, implement a new process, start working with a new supplier, Cloud service or Processor, or launch a new product or technology. The PIA is focused on your activity's compliance with the privacy rules and laws.
A Data Protection Impact Assessment (DPIA) is an ongoing process, regularly applied to personal data processing, identifying, and mitigating data protection risks. The DPIA is focused on the risks to privacy associated with the activity.
Yes it is. A PIA can be conducted against existing projects, practices and systems.
However, it is best practice to carry out a PIA during the planning stages of a project or system and throughout the implementation phases. This way, privacy issues can be addressed early rather than being treated as an afterthought, and the resulting PIA is updated as the project matures, resulting in a privacy-compliant initiative at go-live.
Yes you do. Privacy Impact Assessments are living documents. They need to be revisited every time a trigger event occurs.
Trigger events to refresh your PIA include:
- The privacy laws change;
- You make a material change to the previously assessed initiative or system such as technology upgrades, deploying a new system, change the data flows, changing the data storage, or changing suppliers / vendors;
- You make a change to the purpose of the personal information processing or you change what personal information you collect, or what processing you are doing on the personal information.
The easy way to think of it is: if something about your system or process changes, update the PIA.
Policy and Process
Every organisation that is covered by the Privacy Act, or any foreign privacy laws, must have a compliant Privacy Policy that is written in plain language, is freely accessible, and provides details about your collection, processing, storage, and disclosure of personal information.
It's important to note that a Privacy Policy is a living document that needs to be regularly reviewed and updated - especially when your privacy practices or business activities change or the law changes.
A comprehensive Privacy Policy lets you demonstrate that your organisation takes its privacy obligations seriously. Consumers expect an organisation to take reasonable steps to protect the personal information they entrust to the company and to be transparent about how that information is handled. This is demonstrated through the Privacy Policy.
Recent high-profile privacy breaches have increased consumer focus on privacy protections and demonstrated the devastating impact a privacy breach can have on affected individuals and the organisation. Affected individuals can suffer substantial harms ranging from financial loss and identity theft to psychological harm. A privacy breach can also expose mishandling of personal information, resulting in regulatory investigations and penalties.
There are also substantial risks in not keeping a Privacy Policy up-to-date and accurate. False or misleading statements made in a Privacy Policy can constitute misleading and deceptive conduct under the Australian Consumer Law resulting in substantial penalties and costly legal proceedings.
Complaints
Privacy laws grant express Rights and Freedoms to individuals. Some laws, such as the EU General Data Protection Regulation (GDPR) - that has been adopted in some form by more than half the world - include rights ranging from access, correction, and objection, to the right to be forgotten.
A significant part of the Australian Government proposal to amend the Privacy Act includes expansion of the existing rights under the Australian Privacy Principles. As of the start of 2024, Australians already have the right to request access and correction. Failing to respond within set time limits can result in an interference with privacy and a regulatory complaint. The proposed legislative amendments would introduce new rights, such as the Right to be Forgotten. Additionally, the proposals include a new penalty regime and a tort - the right to bring a legal action, for interference with privacy.
Your organisation should take any privacy complaints seriously. All privacy complaints need to be thoroughly investigated and any legal issues identified and addressed in a timely manner. This can be complex, as you need to respond to the complainant while not interfering with the privacy of anyone else.
Failing to respond to a privacy complaint, or simply dismissing it, could result in escalation of complaints to the Privacy Commissioner, regulatory action, and adverse media. This can lead to reputational harm and lost customers and opportunity.
Breach Prevention and Response
Privacy breaches can enliven a wide range of regulatory notification obligations. A lack of preparedness can also drive up the response costs. During a privacy breach, it is important to be able to quickly assess what personal information is impacted and who it relates to in order to conduct risk of serious harm assessments and comply with regulatory notification obligations.
With proper preparedness and planning, you can ensure your response is timely, efficient, and aligned to your legal obligations. This helps to minimise potential harms to impacted individuals and reduce the potential reputational harm to your organisation. Additionally, the more prepared you are, the lower the response costs. eDiscovery, the process to determine what personal information is impacted and to whom it relates, is one of the most expensive components of incident response activities. Access to a quality, up-to-date, and accurate data map allows you to rapidly exclude irrelevant data sources from eDiscovery activities increasing efficiency and reducing cost.
If you don't know what personal information is on a particular system, you may have to waste a lot of time and money ingesting that data source into eDiscovery just to find it wasn't relevant.
Efficiency in breach response is even more critical as the notification time requirements in data breach notification regulations are getting narrowed to as low as 72 hours. Preparation helps you avoid a late notification penalty.
Awareness and Culture
Every member of your staff should receive at least some training on protecting personal information. However, any staff involved in the collection, handling, storage, or disclosure of personal information need to have regular training on recognising privacy protected information, what their obligations are at law and according to your Privacy Policy, and what they can do to appropriately safeguard personal information.
Staff members with privacy-related job roles, such as a Privacy Officer, your in-house legal team, your risk management staff, and your senior managers and executives, may need to have a more in-depth understanding of your privacy policies, legal obligations, and privacy practices. This may also apply to staff that handle large volumes of personal information, such as your marketing team. These groups often require specialist training in handling privacy risks and complaints. Your incident response team should also receive more in-depth privacy training.
Privacy training should occur regularly. Annual training is an absolute minimum. More frequent training is often needed and more effective.
Terms and Conditions
We are required by the Legal Profession Uniform Law (NSW) (Uniform Law) to set out the following terms of our engagement for your acceptance or further negotiation.
In these Terms, references to Albrecht Burrows, "we", "us", "our" refer to Alliance Legal Pty Ltd (ABN ) trading as Albrecht Burrows of Level 12, 111 Elizabeth Street, Sydney NSW 2000.
This document, together with our General Terms of Business, sets out the terms of our offer to provide legal services to you and constitutes our costs agreement and disclosure pursuant to the Uniform Law. The Terms and the Accepted Options in this Proposal form the entire agreement between You and Us during our engagement and any references to the "Proposal" in this document refers to both the Terms and the Accepted Option.
By accepting this Proposal as set out herein and below in the Terms, you agree that this Proposal serves as a binding Costs Agreement and Disclosure under Schedule 1 of the Legal Profession Uniform Law (NSW) between Albrecht Burrows and You for the provision of legal services and may be enforced in the same way as any other contract.
The prices quoted in the attached proposal are indicative prices only unless specified as fixed price.
Some services are on a recurring basis and will be charged on an ongoing basis in accordance with the selected billing frequency until cancelled in writing with one month notice. By selecting a recurring service you agree to be charged for the selected service amount, plus GST, until cancelled.
You will be proportionately charged for work involving shorter periods less than an hour. Our charges are structured in 6 minute units. For example, the time charged for an attendance of up to 6 minutes will be 1 unit and the time charged for an attendance between 6 and 12 minutes will be 2 units.
The agreed scope of work may include a fixed price. Where a fixed price is agreed, the following standard hourly rates charged by our professional staff will only apply to out of scope work. Where we have quoted a discounted hourly rate in the scope of work, the lesser of the quoted hourly rate or the following rates will apply:
(a) $650 plus GST for a Director, or Principal;
(b) $580 plus GST for a Partner, or Special Counsel;
(c) $450 plus GST for a Senior Associate;
(d) $380 plus GST for an Associate;
(e) $350 plus GST for a Solicitor; and
(f) $150 plus GST for a Paralegal.
Our rates are reviewed on a regular basis and may change during the course of a matter. In relation to lengthy matters this may impact upon our cost estimates (which may be revised accordingly). You will be given 30 days' notice in writing of any changes to our charge out rates.
Where you have been referred by a third party such as your insurance broker, IT provider, or accountant, we may pay them a referral fee. This fee is paid by us and is not an additional cost to you.
2.1 We may incur disbursements (being money which we pay or are liable to pay to others on your behalf). Disbursements may include search fees, court filing fees, process server fees, expert fees, witness expenses, travel expenses, transcript expenses and barrister's fees.
2.2 Where you instruct us to brief a barrister or other expert and they provide a disclosure and costs agreement we will provide this to you.
Our usual policy is to issue a tax invoice on a monthly basis or upon completion of a specific task or tasks. All tax invoices are due and payable 14 days from the date of the tax invoice. You consent to us sending our tax invoices to you electronically at your usual email address or mobile phone number as specified by you.
You may accept the Costs Disclosure and Costs Agreement by:
(a) signing and returning this document to us; or
(b) continuing to instruct us.
Upon acceptance you agree to pay for our services on these terms.
Interest at the maximum rate prescribed in Rule 75 of the Legal Profession Uniform General Rules 2015 (Uniform General Rules) (being the Cash Rate Target set by the Reserve Bank of Australia plus 2%) will be charged on any amounts unpaid after the expiry of 30 days after a tax invoice is given to you. Our tax invoices will specify the interest rate to be charged.
The Legal Profession Uniform Law (NSW) (the Uniform Law) provides that we cannot take action for recovery of legal costs until 30 days after a tax invoice (which complies with the Uniform Law) has been given to you.
It is your right to:
(a) negotiate a costs agreement with us;
(b) negotiate the method of billing (e.g. task based or time based);
(c) request and receive an itemised bill within 30 days after a lump sum bill or partially itemised bill is payable;
(d) seek the assistance of the designated local regulatory authority (the NSW Commissioner) in the event of a dispute about legal costs;
(e) be notified as soon as is reasonably practicable of any significant change to any matter affecting costs;
(f) accept or reject any offer we make for an interstate costs law to apply to your matter; and
(g) notify us that you require an interstate costs law to apply to your matter.
If you request an itemised bill and the total amount of the legal costs specified in it exceeds the amount previously specified in the lump sum bill for the same matter, the additional costs may be recovered by us only if:
(a) when the lump sum bill is given, we inform you in writing that the total amount of the legal costs specified in any itemised bill may be higher than the amount specified in the lump sum bill, and
(b) the costs are determined to be payable after a costs assessment or after a binding determination under section 292 of the Uniform Law.
Nothing in these terms affects your rights under the Australian Consumer Law.
If you have a dispute in relation to any aspect of our legal costs you have the following avenues of redress:
(a) in the first instance we encourage you to discuss your concerns with us so that any issue can be identified and we can have the opportunity of resolving the matter promptly and without it adversely impacting on our business relationship; and
(b) you may apply to the Manager, Costs Assessment located at the Supreme Court of NSW for an assessment of our costs. An application for assessment must be made within 12 months after the final bill in this matter was provided or request for payment made or after the costs were paid.
It is our policy that, when acting for new clients, we do one or more of the following:
(a) ask the client to pay monies into our trust account;
(b) ask the client for their credit card details.
Unless otherwise agreed with you, we may determine not to incur fees or expenses in excess of the amount that we hold in trust on your behalf.
You authorise us to receive directly into our trust account any judgment or settlement amount, or money received from any source in furtherance of your work, and to pay our professional fees, internal expenses and disbursements in accordance with the provisions of Rule 42 of the Uniform General Rules. A trust statement will be forwarded to you upon completion of the matter.
On completion of your work, or following termination (by either party) of our services, we will retain your documents for 7 years. Your agreement to these terms constitutes your authority for us to destroy the file after those 7 years. The authority does not relate to any documents which are deposited in safe custody which will, subject to agreement, be retained on your behalf indefinitely. We are entitled to retain your documents while there is money owing to us for our costs.
You will be liable for the cost of storing and retrieving documents in storage and our professional fees in connection with this.
We may cease to act for you or refuse to perform further work, including:
(a) while any of our tax invoices remain unpaid;
(b) if you do not within 7 days comply with any request to pay an amount in respect of disbursements or future costs;
(c) if you fail to provide us with clear and timely instructions to enable us to advance your matter, for example, compromising our ability to comply with Court directions, orders or practice notes;
(d) if you refuse to accept our advice;
(e) if you indicate to us or we form the view that you have lost confidence in us;
(f) if there are any ethical grounds which we consider require us to cease acting for you, for example a conflict of interest;
(g) for any other reason outside our control which has the effect of compromising our ability to perform the work required within the required timeframe;
(h) if in our sole discretion we consider it is no longer appropriate to act for you; or
(i) for just cause.
We will give you reasonable written notice of termination of our services. You will be required to pay our costs incurred up to the date of termination.
You may terminate our services by written notice at any time. However, if you do so you will be required to pay our costs incurred up to the date of termination (including if the matter is litigious, any cancellation fees or other fees such as hearing allocation fees for which we remain responsible).
Without affecting any lien to which we are otherwise entitled at law over funds, papers and other property of yours:
(a) we shall be entitled to retain by way of lien any funds, property or papers of yours, which are from time to time in our possession or control, until all costs, disbursements, interest and other moneys due to the firm have been paid; and
(b) our lien will continue notwithstanding that we cease to act for you.
We may in any manner we regard appropriate disclose the fact that we act or have acted for you, and the type of work but in doing so we will not disclose other confidential information.
Also, we may place an advertisement in an appropriate financial journal or industry journal at our cost after completion of the work, but only after obtaining your prior approval, which you must not unreasonably withhold.
However, if you request it now, we will make sure we do not disclose details of the work or your name to anyone except as necessary in the course of doing the work.
We share office space with BDH Leaders Pty Limited, a financial consultancy. Where we are providing legal services to you concurrently with you receiving services from BDH Leaders Pty Limited, the services provided by BDH Leaders Pty Limited are not provided by us and should not be relied upon as such. Our services are not provided by, and should not be relied upon as being provided by, BDH Leaders Pty Limited. Our services are distinct and separate despite the use of shared office space. We take all reasonable steps to ensure the confidentiality of your information and legal matter.
You agree that we may use your logo on our website in the “Trusted by” section (or equivalent), and that we may refer to our engagement with you when speaking with external parties including potential clients. In addition, you agree that any testimonial(s) you give us can be used on our website and reproduced for other marketing and business development purposes including social media platforms and award applications.
These authorisations can be withdrawn by you in writing at any time.
We will collect personal information from you in the course of providing our legal services. We may also obtain personal information from third party searches, other investigations and, sometimes, from adverse parties.
We are required to collect the full name and address of our clients by Rule 93 of the Uniform General Rules. Accurate name and address information must also be collected in order to comply with the trust account record keeping requirements of Rule 47 of the Uniform General Rules and to comply with our duty to the courts.
Your personal information will only be used for the purposes for which it is collected or in accordance with the Privacy Act 1988 (Cth). For example, we may use your personal information to provide advice and recommendations that take into account your personal circumstances.
If you do not provide us with the full name and address information required by law we cannot act for you. If you do not provide us with the other personal information that we request our advice may be wrong for you or misleading.
Depending on the nature of your matter the types of bodies to whom we may disclose your personal information include the courts, the other party or parties to litigation, experts and barristers, the Office of State Revenue, PEXA Limited, the Land and Property Information Division of the Department of Lands, the Registrar General and third parties involved in the completion or processing of a transaction.
We do not disclose your information overseas unless your instructions involve dealing with parties located overseas. If your matter involves parties overseas we may disclose select personal information to overseas recipients associated with that matter in order to carry out your instructions.
We manage and protect your personal information in accordance with our privacy policy (which can be found on our firm website or a copy of which we shall provide at your request). Our privacy policy contains information about how you can access and correct the personal information we hold about you and how you can raise any concerns about our personal information handling practices. For more information, please contact us in writing.
We are able to send and receive documents electronically. However, such transmission is not secure and may be copied, recorded, read or interfered with by third parties while in transit. If you ask us to transmit any document electronically, you release us from any claim you may have as a result of any unauthorised copying, recording, reading or interference with that document, for any delay or non-delivery of any document and for any damage caused to your system or any files.
Where applicable, GST is payable on our professional fees and expenses and will be clearly shown on our tax invoices.
By accepting these terms you agree to pay us an amount equivalent to the GST imposed on these charges.
The law of New South Wales governs these terms and legal costs in relation to any matter upon which we are instructed to act.
Smart Commercial Lawyers
Delivering emotionally intelligent legal solutions
ablaw.com.au | [email protected]
Reception 02 8014 2511
Level 12, 111 Elizabeth Street
Sydney NSW 2000
Level 11, 456 Lonsdale Street
Melbourne VIC 3000
Rahiri Chambers
Level 10, Britomart Place
Auckland CBD