Institute of Free Speech &Democracy in Zimbabwe: PEOPLE WITH DISABILITIES, POLITICAL PARTICIPATION ...

Institute of Free Speech &Democracy in Zimbabwe: PEOPLE WITH DISABILITIES, POLITICAL PARTICIPATION ...: PEOPLE WITH DISABILITIES, POLITICAL PARTICIPATION AND ACCESS TO INFORMATION DURING THE 2018 ELECTION SEASON IN ZIMBABWE     By Lynd...

PEOPLE WITH DISABILITIES, POLITICAL PARTICIPATION AND ACCESS TO INFORMATION DURING THE 2018 ELECTION SEASON IN ZIMBABWE

PEOPLE WITH DISABILITIES, POLITICAL PARTICIPATION AND ACCESS TO INFORMATION DURING THE 2018 ELECTION SEASON IN ZIMBABWE 

 

By Lyndon T. Nkomo

Deaf Zimbabwe Trust

Founding Trustee

27 July, 2017

 

Background

Election season has dawned on Zimbabwe and the President has started campaigning in various provinces mainly targeting the youths. Many Deaf youths are unaware of the President’s campaign programme and why this time he has chosen to target the youths. Praise is a profoundly Deaf youth and by chance he saw a newspaper headline that says the President will be visiting Masvingo Province to meet the Youths. The next day there was a big headline from the Herald newspaper indicating that that 20 000 stands were going to be allotted to the youths in Masvingo. He thought to himself that the President will do the allocation of the stands at his rally. Regrettably, he did not have information as to where to submit his name since he also desired to acquire a stand. The people around him could not communicate with him because they had no knowledge of sign language neither were there any Sign Language Interpreters in his home area. He checked the news on Zimbabwe Broadcasting Corporation Television (ZBC-TV), the sole public service broadcaster in the country, but there was no sign language interpreter on the live programme that was running. The day for the President’s visit arrived and there was a big rally in Mucheke Stadium. Praise also rushed to the stadium hoping to hear the message which the President was going to deliver to the youths of Masvingo Province. He shoved through the masses of people to take a sit on the front role hoping that just may be, there was going to be a sign language interpreter in attendance but to his frustration there was none. He decided to go back home to follow the proceedings on ZBC-TV and again, to his frustration, there was no sign language interpreter neither were there any captions running on television during the live programme. This brief story highlights the frustration that Deaf people as well as other people with disabilities have to endure in order to access information even though their experiences may differ due to the differences in their disabilities.   

Introduction

Free and unhindered political participation sits at the core of the democratic societies. The human rights perspective affirms that every citizen regardless of sex, intellectual capacity, race or disability has a right, if they so wish, to take part in politics either as a member of a political party or in the exercise of the right to vote or to stand for election and hold public office when so elected subject to the provision of reasonable accommodations for people with disabilities.   

Issues Affecting People with Disabilities

Access to information for people with disabilities has been a huge perennial problem which has hindered the majority of people with disabilities from fully participating in direct politics in Zimbabwe. The problems start from political parties who are not conscious of the needs and interest of people with disabilities. Existing political parties have not seriously pursued an inclusive approach that embraces people with disabilities within their rank and file and to seek to address their needs. Politicians in Zimbabwe do not seem to place significant value to the disability vote even though ZANU PF has made marginal attempts to do that by appointing Joshua Malinga as a member representing persons with disabilities in their party. However, he has not been very effective in influencing policy changes needed to advance the rights and interests of people with disabilities because being a sole representative he lacks the critical mass needed to shift perceptions and the thinking of conservative politicians who care less about people with disabilities. Notwithstanding the foregoing, it does not mean that there are no people with disabilities within these political parties but sometimes those that have disabilities do not identify themselves as such. The refusal by some elite politicians to identify themselves as persons with the disability or with the disability movement has negatively affected the mainstreaming of disability issues in political parties. With negligible representation in the corridors of power, there are few people who will stand for the rights and interests of people with disabilities as well as push for programmes that are intended to advance their causes. 

Furthermore, political parties in Zimbabwe do not make their manifestos available in forms that are accessible to people with disabilities such as braille and videos with sign language interpretation neither do they provide sign language interpreters at their rallies. Whilst ZBC-TV, which is an agent of the State, sometimes provides Sign Language Interpreters during some of its news bulletins, this has not been the case for most of its pre-recorded and outside live broadcast programmes. ZBC-TV does not provide captions during any of its broadcast programming services and yet s22 (3) (c) of the Constitution of Zimbabwe creates an obligation on the part of the State and all its institutions and agencies to ‘…encourage the use and development of all forms of communication suitable for persons with physical or mental disabilities…’ The fact that ZBC-TV is not consistently providing broadcast services that take into account the needs of the Deaf is evidence that they are trammelling some of the basic rights of people with disabilities in Zimbabwe. It is common cause that most Deaf people cannot follow with precise understanding programmes that are shown on television without the assistance of captions or sign language interpreters. The information gap between hearing and Deaf people is, therefore, huge in Zimbabwe. This is the obtaining situation despite the fact that access to information by all citizens is critical in sustaining functioning democracies and it is paramount that all citizens including people with disabilities are able to make informed political decisions.

There is need for the Broadcasting Authority of Zimbabwe (BAZ) to initiate regulations that compels all television broadcasters including print media houses that are running websites registered and hosted in Zimbabwe where they upload videos and sometimes live online broadcasts to provide live captions and sign language interpreters where appropriate. This will ensure that Deaf people and other people requiring similar services do not miss out on key public information. Freedom of expression when embraced by all key media stakeholders is capable of building up an inclusive society in which all people are treated as equal and have equal access to critical services of our nation including access to information. Access to information is critical in equipping citizens to actively engage in public interest discourse including standing for election into public office.      

Section 61 of the Constitution of Zimbabwe provides that ‘Every person has a right to freedom of expression which includes ‘freedom to seek, receive and communicate ideas and other information…’ This is an important right through which citizens are able to enjoy other fundamental rights. In In re Munhumeso and Others Gubbay CJ observed that:

The importance attaching to the exercise of the right to freedom of expression …must never be under-estimated. They lie at the foundation of a democratic society and are one of the basic conditions for its progress and for the development of every man…Freedom of expression, one of the most precious of all the guaranteed freedoms has four broad special purposes to serve;

(i) it helps an individual to obtain self-fulfilment;

(ii) assists in the discovery of truth;

(iii) it strengthens the capacity of the individual to participate in decision making; and

(iv), it provides a mechanism by which it would be possible to establish a reasonable balance between stability and change.

In light of what freedom of expression means as well as its purposes, the question that needs to be asked within the context of political participation by people with disabilities is ‘how are People With Disabilities in Zimbabwe expected to make informed political decisions and choices in the absence of political information as a result of restrictions to access to by political parties, election authorities and media houses?’ Access to information is critical particularly during an election season because it is that which enables citizens to be fully engaged in political debates and assist them in the exercise of the right to vote as guaranteed under s67 (3) (a) of the Constitution, which provides that:

Subject to this Constitution, every Zimbabwean citizen who is of or over eighteen years of age has the right- (a) to vote in all elections and referendums to which this Constitution or any other law applies, and to do so in secret;  

and such important decisions can only be exercised on the basis of adequate and correct information that is disseminated in languages and formats that can be easily understood by People with Disabilities. In the absence of information on what political parties are offering to the public in their manifestos, the ability of one to exercise the right to vote will be unduly restricted. It is also unfortunate that the Zimbabwe Election Commission (ZEC) practices, whether knowingly or unknowingly, voter discriminatory tactics which in effect suppresses the votes of People with Disabilities. ZEC does this by not embarking on voter education programmes which specifically target people with disabilities such as Deaf and Blind people and voter education information is not packaged in accessible communication formats such as sign language, braille and easy to read materials for those people with intellectual disabilities. In addition to that, ZEC does not provide suitable voting technologies for blind people and other people who may require such assistive devices which compromise their right to vote in secret as provided for in terms of the Constitution of Zimbabwe. Imagine, how a person without arms will be expected to vote in a polling booth that has not been adapted to accommodate such needs? How is a person who is blind expected to secretly vote in the presence of his or her assistant? If technological solutions are available which make it possible for people with disabilities to access information on voting as well as exercise their right to vote in secret,   why then should we not make such assistive devices available and accessible to the communities that need them? The lack of effort on the part of ZEC in ensuring that appropriate accommodations are extended to people with disabilities in order to pull down the barriers standing against them in terms of political participation and the right to vote and to do so in secret is discriminatory and it inadvertently amounts to voter suppression.    

As noted above, such discriminatory tactics whether being done deliberately or in ignorance weaken our democracy as they disenfranchise people with disabilities from political participation. Therefore, the guaranteed political rights under s67 of the Constitution of Zimbabwe will not be fully realised by people with disabilities. The provisions of the United Nations Convention on the Rights of People with Disabilities are more enlightening as to how people with disabilities ought to receive information that is of public interest. For instance, Article 21 of the UNCRPD which deals with Freedom of Expression and opinion, and access to information provides that:

States Parties shall take all appropriate measures to ensure that persons with disabilities can exercise the right to freedom of expression and opinion, including the freedom to seek, receive and impart information and ideas on an equal basis with others and through all forms of communication of their choice, as defined in article 2 of the present Convention, including by:

a.                Providing information intended for the general public to persons with disabilities in accessible formats and technologies appropriate to different kinds of disabilities in a timely manner and without additional cost;

b.               Accepting and facilitating the use of sign languages, Braille, augmentative and alternative communication, and all other accessible means, modes and formats of communication of their choice by persons with disabilities in official interactions;

c.                Urging private entities that provide services to the general public, including through the Internet, to provide information and services in accessible and usable formats for persons with disabilities;

d.               Encouraging the mass media, including providers of information through the Internet, to make their services accessible to persons with disabilities;    

 

These provisions make reference to ‘accessible formats and technologies appropriate to all kinds of disabilities’ as the most effective way of communicating public information to People with Disabilities. Therefore, for Deaf people the use of sign language and sign language interpreters during one on one engagements or mass engagements would be appropriate. In situations where information has to be published via television broadcasting services then the provision of sign language interpreters or the use of captions becomes relevant. With respect to people who are hard of hearing, the use of voice amplifiers, sign language and Sign Language Interpreters may also be used as suitable form of communication of public information to this group of citizens. The use of braille and voice amplifiers as well as voice to text conversion technologies would be suitable for communicating with visually impaired people. 

As the election season heats up and political parties are beginning to launch their manifestos as well as engaging into campaign modes, it will be important for them not to be exclusionary in their approach and to ensure that all forms of messages which they are going to disseminate are either published or broadcast in formats and modes that are suitable and accessible to all citizens including People with Disabilities. The PWD vote is crucial because there are as many as 1 million people with disabilities in Zimbabwe and that is a huge constituency that must have a significant say in the governance of the country.        

It also needs to be pointed out that political participation does not only relate to the right to vote. Political participation by people with disabilities in Zimbabwe has been very limited in that the quota that has been reserved for people with disabilities of two (2) Senate seats does not allow them to make significant impact in the Senate. Following the promulgation of the new Constitution of Zimbabwe, only two (2) seats were reserved for people with disabilities in the Senate under the provisions of s120 (1) (d) of the Constitution and it is unfortunate that there was no reservation of seats that was done for People with Disabilities in the National Assembly. This means that if they cannot compete with those people without disabilities then they can only participate in law making process in the Senate. The existing option may not be very effective in terms of ensuring that they influence laws to ensure that they take into cognisance the interests of people with disabilities. Practice has shown that the Senate house does not conduct robust debates as the National Assembly and without critical numbers in the Senate it may be very difficult for only two representatives of people with disabilities to force any legislative changes that takes into account the interests of their constituency.

The critical question is, if the makers of the new Constitution found it necessary to provide a quota for disability representatives why did they not make a similar concession targeted for the National Assembly where the law making process begins? This appears to have been a half-hearted measure to appease people with disabilities. It would appear that there was an over provision on the need to address gender diversity at the expense of other similarly critical groups of citizens within the country. The current circumstances do not facilitate the effective contribution by people with disabilities in the making of disability sensitive legislation as well as the participation of more persons with disabilities in civic and public decision making processes.  Therefore, the Constitution contradicts itself in that whilst the spirit behind it seeks to elevate people with disabilities to achieve their full potential as envisaged by s83 of the thereof, which provides that:

‘The State must take appropriate measures, within the limits of the resources available to it, to ensure that people with disabilities realise their full mental and physical potential, including measures-…’,

government policy in general as well as the conduct of a number of government agencies such as ZEC restrict the development of the potential of people with disabilities through in various ways some of which have been explained above to the detriment of the aspirations of people with disabilities. These are people who are already at a disadvantage in terms of their numbers, economic, social and educational standing due to barriers that have been imposed on them by the society. It is inconceivable within the current circumstances that people with disabilities in Zimbabwe can compete on equal footing with people without disabilities who have had many decades of participation in politics and public decision making processes. For instance, if one looks at the Deaf Community in Zimbabwe, there are very few people who are Deaf and have university degrees in Zimbabwe, more so occupying influential positions in the society. Furthermore, it must be noted that educational outcomes in the Deaf Community have been low due to over a century of miseducation or lack of it. It has been almost impossible to build capacity for intellectual, civic and public engagement within the Deaf community because of the challenges identified above.  A number of challenges faced by People with Disabilities also had to do with the inadequate legislative support especially with serious shortcomings from the Disabled Person Act and well as little fiscal support for disability issues from the national treasury. These have compromised the quality of life of a majority of People with Disabilities as well as their ability to engage the Government on serious matters affecting them.    

Therefore, for a very long time, disability issues and concerns have been treated as marginal issues in Zimbabwe and even after the promulgation of the new Constitution of Zimbabwe in 2013 whose spirit is to create a nation “…united in our diversity by our common desire for freedom, justice and equality…” the same Constitution makes marginal concessions to people with disabilities in terms political participation.  It will be difficult to bring people with disabilities into the main fray of civic and political engagement within the existing constitutional context.  As rightly noted in a paper presented by the Belgians to the Conference of State Parties in 2011, “Inclusion in our Societies also means participation in political and public life. It is a condition sine qua non for human rights minded citizenship”. Therefore, the unity in diversity referred to in the preamble to our Constitution will remain a pipe dream unless conducive conditions giving people with disabilities the right platform to enjoy their political rights on equal basis with others are created. This is a deliberate decision which politicians and the general citizenry have to make and pursue within the context of a vision of a nation built on “…freedom, justice and equality...”                  

Whereas the Constitution makes marginal concessions to people with disabilities, It is important to note that it makes huge provisions for gender diversity in the National Assembly intended to promote the participation of women in politics by virtue of the provisions of s124 (1) (b) which provides that:

 For the life of the first two Parliaments after the effective date, an additional sixty women members, six from each provinces into which Zimbabwe is divided, elected under a party-list system of proportional representation based on votes cast for candidates representing political parties in a general election for constituency members in the provinces. 

Therefore, a deliberate attempt to build the capacity of women to participate in politics as well as public decision making systems found expression in our Constitution in 2013. The rationale being that it was noted that in the past fewer women were taking part in politics and public decision making processes because of centuries male domination in the public governance sector. Women were perceived to be unjustly forced to take a back seat role in governance issues by their more powerful male counterparts and in the end, they were put in the same category as vulnerable groups which included children and people with disabilities. Our contention is that if the law can recognise women and give them such a generous dispensation, being part of the group of people once recognised as vulnerable, then there is no justification as to why people with disabilities should not be given a similar legislative dispensation.

Consequently, there is need for the quota for disability representation to be increased to at least 7% each in both the National Assembly and the Senate since people with disabilities represent 7% of the total population of Zimbabwe. Political parties must seriously consider giving value to the disability vote as well as including people with disabilities on their election party lists as candidates. A political party that is seen to be building the capacity of people with disabilities for political and public engagements on various issues is likely to win a significant number of votes from people with disabilities than a political party that discriminates them.       

Conclusion

The ability of one to contribute towards the governance of his country affirms a sense of citizenship. In this regard, therefore, political participation by people with disabilities becomes critical in light of the fact that they were regarded as second class citizens for many years who did not have voting rights. Now that the right to political participation has found constitutional expression in the new Constitution of Zimbabwe, all stakeholders including the Government and its agencies must invest resources that will ensure that People with Disabilities have access to information including the establishment of platforms for communication that will facilitate their full engagement in public discourse on issues of national interest. Political parties and the Government must ensure that opportunities are created for those that have the capacity to hold public office to do so without the rigours of competing with people without disabilities including the enactment of supportive legislation to ensure that people with disabilities who have political aspirations are given appropriate accommodations to fulfil their dreams. The interests of people with disabilities will always be different from those of people without disabilities and this is the case in those countries where the rights and interests of people with disabilities have been progressively improved. In such countries, there has not been a convergence of common interests as they relate to the needs of people with disabilities and those without disabilities. Therefore, an inclusive political participation is a national imperative to ensure that every individual has a right to participate in the selection of those who should govern their country and it must be noted that incorporated in an individual’s political choice is an implied determination by the individual as to how their choice would make them realise their personal aspirations.                              

Cybersecurity for law firms: A Note to Zimbabwean Law Firms

By Lyndon T. Nkomo

Introduction

Cyber attacks are a reality, and most law firms are unaware that when a breach occurs, they would have been compromised. A single attack is able to have a global reach in its impact and that signifies the gravity of cyber terrorism.  The Internet’s strength is actually its weakest link. The interconnection of networked computers that create the information superhighway makes it possible for a single release of software viral attack to rapidly spread around the digital world through billions of unsecured computer-related devices. A recent report on the BBC website indicates how a single cyber-attack infected billions of computers worldwide. It also raised the need to ensure that cybersecurity breaches are regarded as national s
security threats. The BBC reported that: 

“A cyber-attack that has hit 150 countries since Friday should be treated by governments around the world as a "wake-up call", Microsoft says. It blamed governments for storing data on software vulnerabilities which could then be accessed by hackers.”[1] These attacks amount to global terrorism and can no longer be ignored. The viral press attack which affected the UK earlier in the year targeted a huge number of law firms as well.

Issues

Whilst the majority of law firms in Zimbabwe may not be using sophisticated cyber defence systems, it is important to note that law firms elsewhere, are not spared from cyber attacks. Cyber criminals are targeting law firms for the sensitive data which they hold on behalf of their clients. It is reported that:

…at least 80 of the 100 biggest law firms in the country, by revenue, have been hacked since 2011 and the 2015 Legal Technology Survey Report from the American Bar Association found that 15% of firms have been the victims of a breach.[2]

In the same article published by Law Technology Today, it is reported that:

There are over 4,000 cyber attacks every day. That’s 170 attacks every hour, or nearly three attacks every minute. That alone is a scary thought for anyone running a business, but for law firms whose currency is built on the inherent trust they receive from clients, it is especially troubling. Yet, most firms do not even know they have been compromised when an attack occurs. By the time firms have realized a breach has happened, significant damage has already been done and most are not sure where to turn to for help.[3]

The figures are alarming and it is a clarion call for law firms to be more vigilant as the digital era advances. With more technological innovations taking place, the risk of attacks increases as more avenues for cyberattack are opening up due to the emergence of the Internet of Things (IoT). The cyber defence mechanisms no longer have to be left in the hands of IT specialists as such matters are now issues of strategic importance. The knowledge of how cyber attacks occur and their potential impact on the business become serious matters on the risk matrix of a law firm. A law firm can potentially shut down business in the event of data security breaches and the potential liability arising therefrom. The data security breaches at Mossack and Fonseca in the Panama papers scandal is a warning to what might possibly happen to a law firm whose data security has been breached. The judgment of the Eastern Cape Local Division High Court in John Andre Lochner vs Schaeffer Incorporated and Monae Schaefer and Tania Schaefer Case no. 3518/16 is a case in point in which a law firm was sued for negligence arising from a cyber-fraud. The key success factors in any law firm’s business are client confidence and trust. As a result, any loss of sensitive information to cybercriminals is likely to violate these cardinal values. 

There are three key areas in cybersecurity which are: (i) The Legal Concepts of Cybersecurity (ii) Technical Concepts of Cybersecurity and (iii) Business Impact of Cybersecurity. Whilst most lawyers are interested in the legal concepts of cybersecurity, it is also interesting to note that they are equally not concerned by the technical concepts of cybersecurity because they think that it is an area for Information Technology technicians. Other lawyers are not worried about the potential impact of cybersecurity breaches on their businesses as some effects of cyber attacks do not appear immediately until after some time. It is important for law firms to begin to be wary of such cases just like many other businesses which deal with sensitive and valuable information. They must realize that they are also potential targets for cyber attacks. A report from the Legal Technology Survey shows that in 2015 about 15% of law firms in the US were victims of cybersecurity breaches. David G. Ries notes that:

According to the 2015 Survey, about 15% of respondents overall reported that their firms had experienced a security breach at some point. The question is not limited to the past year, it’s “ever.” A breach includes incidents like a lost/stolen computer or smartphone, hacker, break-in, or website exploit. This compares with 14% in 2014, 15% in 2013, and 10% in 2012.[4]

These numbers indicate that there is a need for lawyers to be more vigilant in this area and it must be emphasised that this is not a remote risk for law firms in Zimbabwe. The knowledge limitation about the Zimbabwean market arises from lack of empirical evidence because no surveys have been done to establish the risk levels faced by Zimbabwean law firms in relation to cybersecurity, and no major breaches have been reported as yet in this regard. However, it does not mean that they have not yet occurred. It only means that when such breaches occurred some lawyers may not have appreciated the gravity of the potential impact of the breaches. One article suggests that in some cases the full effects are felt a year or two after the incident. This means that the Law Society of Zimbabwe must begin to consider ways and means of establishing and implementing ethical rules that would ensure that law firms that are using cyber technologies have adequate security to protect their client’s information. For instance, the American Bar Association have ethical rules that put obligations on lawyers to take competent and reasonable measures to secure their clients’ information. David G. Ries notes that:

The ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to clients (ABA Model Rules 1.1 and 1.6). Attorneys also have common law duties to protect client information and often have contractual and regulatory obligations to protect information relating to clients and other personally identifiable information, like health and financial information. These duties present a challenge to attorneys using technology because they are not technologists and often lack training and experience in security. Compliance requires attorneys to understand limitations in their knowledge and to either obtain sufficient information to protect client information, or to get qualified assistance if necessary…[5]

We can never overemphasize the need for information security especially in the digital era and to help law firms to consider this issue. David Myers, a cybersecurity expert suggests that lawyers must ask themselves the following three key questions in relation to cybersecurity:

1. How safe are your firm’s operations?
2. How do I identify cybersecurity issues?
3. Can we use cloud computing in the practice of law?[6]

It would be interesting to know whether there are any law firms in Zimbabwe that are sure about the security of the data they hold on behalf of their clients. It must be pointed out that for as long as a law firm has access to the internet, there is always a door for a possible cyber attack. Thus, it is always important to ensure that the law firm’s operations are run on the basis of competent and reasonably secure cybersecurity systems which do not give cyber intruders easy access to the firm’s database.

In order to achieve this degree of security, it would, therefore, be prudent for the law firm to be able to identify potential cybersecurity risk issues within its network. This exercise would entail the law firm developing a cybersecurity risk matrix which would help them to identify potential breaches, the likelihood of the breach happening, potential impact on both the business and the firm’s operations should it happen and the mitigating factors which the firm must take in order to reduce the likelihood of the breach as well as the associated impact on both the business and operations of the firm. The risk matrix should always be on the agenda of the meetings of the executive partners of the law firm.

It is important to emphasise that privacy and confidentiality of data are fundamental ethical values to the practice of law without which the practice of law will lose public trust and confidence. At the RSA Conference 2016, the Hubbard Decision Research[7] presentation made a very important remark to the question “What is your single biggest risk in cybersecurity?” and the response they gave to that question was “How you measure cybersecurity risk.”[8] This is a very critical observation as it determines what measures if any, should be put in place to respond to cyber risks. However, for some law firms particularly those in Zimbabwe, that question may sound pre-mature in the sense that one must first ask how many law firms are using the internet in the practice of law and whether those lawyers appreciate the possible cybersecurity breaches and how they occur. In fact, the assumption made in the Hubbard Decision Research presentation is that one already knows the potential cybersecurity risks and how to identify them. That question is more applicable to law firms in the developed world. Nevertheless, it should not be assumed that there are no potential cybersecurity issues that can arise in an environment like Zimbabwe. The recent ransomware attack which affected over 4000 computers in 152 countries around the world did not spare Zimbabwe. Therefore, there is a need for lawyers, to make conscious decisions about how to deal with the risk of potential cybersecurity beaches.      

General Misconceptions by Lawyers

According to David Myers, there are some general misconceptions made by lawyers which end up making them easy targets of cybercrimes.[9] The first misconception is that they say “I am not the target; It’s the big law firm.” The size of the law firm does not matter but the value of the transaction matters.[10] This point is best illustrated with what was reported in the Financial Times of 30 December 2016 wherein Brooke Masters wrote that:

Willie Sutton, the notorious US outlaw, famously said he robbed banks “because that’s where the money was.” Now hackers are going after law firms for exactly the same reasons…US prosecutors charged Chinese traders with securities fraud, saying they made more than US$4m trading on information stolen from two of US’s best-known law firms’[11]

In the digital world, the motivation to commit cybercrimes is found in many cases in the nature of the data held by the potential victim and its potential monetary value both to the data subject and the would-be perpetrator.

The South African case of John Andre Lochner vs Schaeffer Incorporated and Monae Schaefer and Tania Schaefer Case no. 3518/16 (Eastern Cape Local Division) illustrates this point. The cyber criminals, in this case, forged an email address of the client in order to get its lawyers to remit funds which were associated with some conveyancing work they were doing on behalf of their client into a wrong account. An amount in the sum of R512 720.13 was stolen and this created a potential liability on the part of the lawyers concerned and later became the cause of action for the dispute. This matter shows that it is not the size of the firm that matters but the value of the business or data which the law firm is handling on behalf of some data subjects that attract illicit cyber intrusions.

David Myers also notes that it is not only the value of the data but the value of your client’s business partners or the people that are doing business with the lawyers’ clients that may also attract potential cybersecurity breaches. In an article which appeared in the Financial Times, it was noted that:

The US Securities and Exchange Commission said the hackers targeted seven firms known for their mergers and acquisitions work, hitting them with more than 100,000 attacks over a three-month period. They then struck gold with two organisations. After installing malware on each law firm’s computer network, they gained access to their IT departments and from there broke into the files and emails of senior M&A lawyers. They ended up stealing nearly 60 gigabytes of data related to at least 10 potential deals.[12]

What is clear in these cases is that the attacks were not necessarily targeting the size of the law firms but the nature of the business they transacted and the parties involved in those business transactions. Whilst the breaches may have happened in the US, it does not mean that they cannot be targeted on Zimbabwean law firms. As long as some of them are holding valuable data, the possibility of cyber attacks will always exist. 

Some lawyers erroneously think that if they have antivirus software, they have adequate protection against cyberattack. Hackers are not deterred from attacking any subject because of antivirus software. If antivirus software were able to deter attacks then few data sources would be subjects of potential cyber attacks. Neill Feathers argues that:

Enterprise solutions do not work for smaller firms and existing solutions are expensive, complicated and require high technical skill. These options may be ideal for large firms, but small firms need solutions that fit within their means. In this void, consumer antivirus is pervasive. Often, firms assume server protections for data centres and endpoint security provide sufficient protection. While they do protect parts of the IT infrastructure, their scope is limited.[13]

This quote indicates that antivirus software does not provide 100% protection but that the scope of protection will be limited. As rightly submitted by David Myers,[14] there is not a single technology that provides 100% defence against cyber attacks. Thomas J. Holt et al’s[15] explanation on the limitations of antivirus software reveals why it is important for anyone not to fully rely on antivirus software alone as a source of protection. They submit that:

The benefit of antivirus software is that it can help to reduce the risk of malware being able to actively infect a protected system… The definitions that the software has on file run the risk of being outdated every day, as new variants of malicious codes are being produced all the time.[16] 

Thus, for as long as the targeted variant of the malicious codes keeps changing there will always be limitations on the scope of protection which an antivirus software offers and that raises an obligation on potential victims to remain up to date with the software updates that the manufacturers of the antivirus software will regularly offer. It will also be important for the law firm to have a backup storage system for its data that is also regularly updated to ensure that the law firm will be able to fall back on its backed up data if its live data sources are corrupted by software viral attacks. A layered approach to cyber protection will be important as there is no single solution that will be able to thwart potential cyber attacks on the firm’s network.       

Another misconception emanates from the trust that we accord without question to IT technicians who are given access to maintain internal networks. It is possible for some delinquent and unethical computer technicians to plant malicious bugs into computers causing them to be inefficient or act as launch pads for attacks on other people’s computers by secretly repurposing a firm’s computers for criminal activities. This is not a farfetched possibility and having worked for a mobile telecommunications company in Zimbabwe, whose prepaid platform was maintained and serviced by a service provider based in Dubai, I have first-hand experience of this possibility. The service provider had the ability to access the prepaid platform remotely by dialling into the network and could correct some technical issues on many occasions through this method. However, we came to experience that whenever, they had not received their maintenance and support fees on time, they would find a way of slowing down the efficiency of the system through the same method and as soon as they were paid the prepaid platform would begin to run efficiently again. This is a matter that raises ethical issues about how computer maintenance technicians who have access to sensitive corporate information or networks should behave during and after attending to an incident, fault or as they carry out their regular maintenance routines.

There are some computer technicians who are engaged to undertake maintenance works that do not belong to any professional association which regulates their conduct. Regrettably, it also appears that there are no regulatory bodies that deal with ethical and disciplinary issues involving computer technicians in Zimbabwe and yet they pose risks which may be dangerous to business. Furthermore, it may also be difficult to trace the attacks back to them. 

Some law firms also have the misconception that they are a small firm and therefore no one will have the desire to hack into their system. That is wrong. Hackers do not always hack for data, but they also look for easy targets which they can use to attack other data subjects to avoid being quickly traced. This is more like guerrilla warfare against potential data subjects.

The case of Cates Machine and Welding provides an example of hackers who used their victim’s old computer to hack into a:

…Silicon Valley food delivery start-up, a major Manhattan law firm, one of the world’s biggest airlines, a prominent Southern University and a smattering of targets across Thailand and Malaysia.[17]

The hackers are able to use a law firm’s computer to launch cyber attacks on other victims making it difficult for them to be detected. This is a tactic similar to a thief who hijacks a motor vehicle and then uses it as a tool to commit a criminal offence and thereafter, dumps it by the roadside. The Cates Machine and Welding’s computer was repurposed by hackers and used to attack the victims identified above. Another interesting example is that of the Internet of Things gadgets which were repurposed to webcams connected to the internet. CBS news reported in 2014, that a Russian website was able to hack into webcams that were connected to the internet and most of these cameras belonged to people who had not changed their default passwords and it was indicated that over 4000 webcams in 152 countries fell victim to this type of hacking.[18]  

It is important for law firms in Zimbabwe to get rid of the false sense of security that they may not be targeted because they may be running small law practices. It could also be that they may not have noticed or may not be aware that their computers are being used as launch pads for virtual attacks of unsuspecting victims. Anyone anywhere can be a victim and the recent attack by the WannaCry ransomware virus in over 104 countries did not spare Zimbabwe.[19] Information security issues in the digital age have caused the elevation of cyber risk to be a permanent agenda item in boardrooms across the world. Therefore, it is important for organisations to formulate key strategic performance indices on the minimisation or exclusion of cyber risks because of the serious ramifications which cybersecurity breaches may have on the business. It will be useful to examine the validity of this assertion by looking closely at the business impact of cybersecurity breaches as noted below.      

Business Impact of Information Breaches 

First, it was the interconnection between humans and machines and now it is a machine to machine interconnection via the internet to establish what is known as the Internet of Things (IoT). A policy options paper prepared by Joshua Meltzer notes that:

The internet is transforming how goods and services are used and delivered, as businesses offer online services (such as monitoring of equipment or data analysis of product use) in combination with goods, such that the services component is an increasingly significant share of the overall product value. Businesses are using the Internet to reach consumers globally, which is also driving international trade.[20] 

He further noted that the e-commerce global market had a value of US$16.5 trillion in 2016 when the paper was released and that “the World Bank has found that a 10% increase in broadband penetration results in a 1.38% rise in economic growth in developing countries and 1.21% in developed countries.”[21] These are big numbers and what would be interesting to establish is the potential loss of business in the event of cybersecurity breaches. In December 2016 Yahoo reported that almost 500 million email addresses were hacked and stolen from them and this was in addition to another hacking incident that occurred in September 2016.[22] Wired magazine further reported that Verizon which was in the process of acquiring Yahoo asked for a billion dollar discount of US$4.8 billion deal and that the transaction was likely to be affected by the recent disclosure. For law firms, any data security breach is likely to affect a firm’s reputation. Tim Lince in his piece outlines how some law firms’ in the UK fell victim of cyber attacks following the WordPress hacking which targeted a number of law firms. The impact of the hackings in these cases was construed as follows:

David Gibson, VP of strategy and market development at security firm Varonis, tells us, the appearance of being insecure could be enough to scare off clients. “Having your website defaced isn’t going to make clients feel any better about your data security practices,” he explains. “We don’t need to look past the Panama Papers to remember what happens to client trust when their data is stolen. So everyone needs to be worried about security these days, including the small businesses running WordPress sites. Law firm clients will likely go elsewhere if their firm suffers a data breach or they feel their information is vulnerable, and a website defacement isn’t going to help anyone’s confidence.[23]

The reputational damage suffered by Mossack and Fonseca law firm in Panama and the subsequent arrest of its founding partners will make it hard for their law firm to regain the trust and confidence of its clients as it is going to remain in the spotlight for a very long time for the wrong reasons. The Panama Papers scandal literally killed their thriving business and this scandal among many other issues underscore the importance of ensuring that data security is not tampered with. The values of trust, privacy and confidence are critical to the success of any law firm.

Conclusion

It is therefore important for law firms to begin to take issues pertaining to data security seriously and make all such steps as may be necessary to implement measures that will enhance cybersecurity within their practices. As the Internet of Things continues to grow, the risk of cybersecurity breaches will also continue to rise. The Law Society of Zimbabwe may need to review the adequacy of its ethical rules pertaining to data security, privacy and confidentiality by accordingly increasing the weight of the obligations of the law firms in this regard.

---

[1]     “Microsoft warns ransomware cyber-attack is a wake-up call”, 15 May 2017, Available at http://www.bbc.com/news/technology-39915440# accessed on 15 May 2017.

[2]     Neill Feather, “Don’t Let Your Law Firm Get Served with Cyber Attacks”, July 18, 2016, available at http://www.lawtechnologytoday.org/2016/07/dont-let-law-firm-get-served-cyber-attacks/ accessed on 9 May 2017.

[3]     Ibid

[4]     David G. Ries, Security, ABA Techreport 2015, Available at http://www.americanbar.org/publications/techreport/2015/Security.html Accessed on 12 May 2017

[5]     Ibid

[6]     David Myers, Cybersecurity for law practices, available at https://www.youtube.com/watch?v=DEwzzNnuzBU Accessed 12 May 2017.

[7]     Richard Tiersen and Douglas Hubbard, ‘How to measure anything in cybersecurity risk’ Available at https://www.rsaconference.com/writable/presentations/file_upload/grc-w05-how_to_measure_anything_in_cybersecurity_risk.pdf Accessed on 12 May 2017.

[8]     Ibid, Slide 4.

[9]     David Myers, Cybersecurity for law practices, available at https://www.youtube.com/watch?v=DEwzzNnuzBU Accessed 12 May 2017.

[10]    Brooke Masters, “Lawyers and accountants are prime targets for cyber-attacks”, DECEMBER 30, 2016, Available at, https://www.ft.com/content/f52f6fee-ccf4-11e6-864f-20dcb35cede2 Accessed on 9 May 2017.

[11]    Ibid

[12]    Note 10 above.

[13]    Note 2 above.

[14]    Note 6 above.

[15]    Thomas J Holt, Adam M Bossler, Kathryn C Seigfried-Spellar, Cybercrime and Digital Forensics: An Introduction, Routledge, 11 Feb 2015.

[16]    Ibid, page 107.

[17]    Nicole Perlroth, “The Chinese Hackers in the back Office”, June 11, 2016, Available at https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html?_r=0 Accessed on 15 May 2017.

[18]    Charlie D'Agata, “Is someone spying on you through your webcam?” November 20, 2014, Available at http://www.cbsnews.com/news/russia-webcam-hacking/ Accessed on 16 May 2017.

[19]    L.S.M Kabweza, “WannaCry Ransomware: Zimbabwe among countries hit by latest massive cyber-attack” Available at http://www.techzim.co.zw/2017/05/wannacry-ransomware-zimbabwe-amoung-countries-targeted/ Accessed on 16 May 2017.

[20]    Joshua P. Meltzer, “Maximizing the Opportunities of the Internet for International Trade”. E15 Expert Group on the Digital Economy – Policy Options Paper. E15Initiative. Geneva: International Centre for Trade and Sustainable Development (ICTSD) and World Economic Forum, Available at http://www3.weforum.org/docs/E15/WEF_Digital_Trade_report_2015_1401.pdf, Accessed on 16 May 2017 Pg 6

[21]    Ibid.

[22]    Lily Hay Newman, “Hack brief: Hackers Breach a Billion Yahoo Accounts. A Billion.” 14 December 2016 Available at https://www.wired.com/2016/12/yahoo-hack-billion-users/ Accessed on 16 May 2016

[23]    Tim Lince, Law firm websites hacked due to WordPress exploit; expert warns of reputational risk of cyber security incidents, 15 February 2017 Available at http://www.worldtrademarkreview.com/blog/detail.aspx?g=e1a097c7-1a26-4534-9ad0-516cce0dc2ce Accessed on 15 May 2017.