Cyber Security for Law Firms: What Your Professional Conduct Obligations Actually Require
A cyber attack on a law firm is not just an IT problem. Depending on what information is exposed and how it happened, it may also constitute unsatisfactory professional conduct — or, at the more serious end, professional misconduct. Here's what Australian solicitors and law practice principals are actually required to do, and what regulators now expect as a baseline.
Law firms are one of the most attractive targets for cybercriminals. They hold large volumes of confidential client information, often including financial records, sensitive personal details, commercially valuable documents, and communications protected by legal professional privilege. They handle trust account funds. And they are trusted, which makes impersonation effective.
Major Australian firms including HWL Ebsworth have experienced significant breaches. But the risk isn't concentrated at the top end — smaller practices are actively targeted precisely because their defences tend to be weaker. Business email compromise attacks designed to redirect trust account disbursements are common across sole practices and boutique firms, and a successful attack doesn't need to involve sophisticated malware. A convincing phishing email is often enough.
The question for principals is not whether cyber risk is real — it clearly is — but what the professional conduct framework actually requires them to do about it.
The Confidentiality Duty as a Cyber Security Obligation
Rule 9.1 of the Legal Profession Uniform Law Australian Solicitors' Conduct Rules 2015 is the foundation. It requires that a solicitor must not disclose any information which is confidential to a client and acquired during the client's engagement — with limited exceptions. This duty exists independently of the Privacy Act and applies to all client information, not just personal information as defined in privacy legislation.
The connection to cyber security is direct: if a ransomware attack encrypts your client files and the attacker exfiltrates them, or if a phishing attack gives an unauthorised third party access to your email correspondence with clients, confidential information has been disclosed. The fact that the disclosure resulted from a cyber attack rather than a deliberate choice by the solicitor does not automatically extinguish the professional conduct dimension — the question regulators will ask is whether adequate steps were taken to prevent it.
The Law Council of Australia published updated commentary on the confidentiality rules in March 2024, reinforcing that the duty extends to how information is stored and transmitted, not just what is said in client meetings. In the Victorian Legal Services Board and Commissioner's 2024 Risk Outlook, cyber security failures were explicitly identified as a persistent regulatory concern capable of attracting disciplinary consequences.
What Regulators Explicitly Require
The Victorian Legal Services Board and Commissioner has gone further than any other state body by publishing specific Minimum Cybersecurity Expectations for Victorian legal practitioners — a framework that sets out both critical system controls and behavioural controls, and explicitly identifies unacceptable cybersecurity practices that are capable of constituting unsatisfactory professional conduct or professional misconduct.
While formally a Victorian instrument, this guidance is consistent with the positions of Law Societies in other states and reflects the direction of practice management expectations nationally. Law Societies in NSW, SA, and other jurisdictions have published similar guidance, and the Law Council of Australia continues to develop cyber security resources for the profession.
- Rule 9 — ASCR 2015 (Duty of Confidentiality): Solicitors must not disclose confidential client information to any person. A preventable breach caused by inadequate security may give rise to disciplinary action.
- VLSB+C Minimum Expectations (Critical System Controls): MFA, automatic software updates, secure backups, access controls, and endpoint protection are specified as baseline requirements. Their absence may constitute unsatisfactory professional conduct or professional misconduct.
- Legal Profession Uniform Law (Trust Account Security): Principals must implement appropriate cyber security to prevent breaches of trust account obligations. Failure to verify payment instructions before disbursing trust funds is a recurring source of loss.
- Privacy Act 1988 (Cth) (APP 11 — Data Security): Most law firms exceed the $3M turnover threshold and are fully covered by the Privacy Act. Technical and organisational measures are now explicitly required as "reasonable steps" under the 2024 reforms.
- Cyber Security Act 2024 (Cth) (Ransomware Payment Reporting): From 30 May 2025, firms with annual turnover above $3M must report any ransomware payment, including payments made on the firm's behalf, to the ASD within 72 hours.
- Privacy Act — NDB Scheme (Notifiable Data Breaches): A breach that exposes client personal information and is likely to cause serious harm must be reported to the OAIC and affected individuals as soon as practicable.
The Trust Account Risk — Why Small Firms Are Targeted
Business email compromise targeting trust account disbursements is the most common and immediately damaging cyber attack against small law practices. The attack pattern is consistent: an attacker compromises a firm's email account (or creates a convincing lookalike), then intercepts or redirects a legitimate settlement or property transaction email to substitute their own bank account details. By the time the substitution is discovered, funds have been transferred and are often unrecoverable.
This same attack targets every party in the property transaction chain. Real estate agents and mortgage brokers face identical risks — and all are now captured by the AML/CTF tranche-two reforms commencing 1 July 2026.
The VLSB+C guidance specifically addresses this risk. Practices are expected to independently verify payment instructions received by email — even from known clients or counterparts — before disbursing trust funds. A firm that transfers client funds without verification, relying solely on an email that turns out to be compromised, faces exposure both to the client for the loss and to the regulator for inadequate practice management.
Verification is not optional. The VLSB+C's Red Flags guidance makes clear that receiving a request to change payment details, even from a known email address, should trigger a verification call using previously known contact details. Confirming verbally before any disbursement is a baseline behavioural control. An email alone is insufficient authorisation for trust account payments.
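The verification rule above can be written down as a disbursement gate so that the same red flags are checked and logged every time. The following is an added illustration, not code from the VLSB+C or any practice management product; the class names, fields and the sample counterpart details are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Beneficiary:
    """Payee details recorded on the matter file at engagement (trusted)."""
    bsb: str
    account: str
    contact_phone: str   # previously known number, never taken from an email
    email_domain: str    # domain the counterpart has always written from

@dataclass
class EmailedInstruction:
    """Payment instruction as received by email (untrusted input)."""
    sender_domain: str
    bsb: str
    account: str
    callback_phone: Optional[str] = None   # a number offered in the email itself

@dataclass
class Verification:
    phone_dialled: str   # the number staff actually rang
    confirmed_by: str    # who at the firm made the call

def red_flags(ins: EmailedInstruction, ben: Beneficiary) -> List[str]:
    # Indicators drawn from the VLSB+C red-flags guidance; all are kept for the audit trail.
    flags = []
    if (ins.bsb, ins.account) != (ben.bsb, ben.account):
        flags.append("bank details differ from matter file")
    if ins.sender_domain.lower() != ben.email_domain.lower():
        flags.append("sender domain differs from known domain (possible lookalike)")
    if ins.callback_phone and ins.callback_phone != ben.contact_phone:
        flags.append("email supplies a new callback number")
    return flags

def may_disburse(ins, ben, ver: Optional[Verification]) -> Tuple[bool, List[str]]:
    """Gate: an email alone never authorises a trust disbursement, and the
    call-back must go to the number already on file, not one from the email."""
    reasons = red_flags(ins, ben)
    if ver is None:
        return False, reasons + ["no call-back verification recorded"]
    if ver.phone_dialled != ben.contact_phone:
        return False, reasons + ["call-back used a number not previously on file"]
    return True, reasons

# Constructed sample data (fictitious parties): the counterpart on file, and a
# BEC-style instruction from a lookalike domain with changed account details.
VENDOR = Beneficiary("062-000", "12345678", "03 9000 0000", "exampleconveyancing.com.au")
BEC_EMAIL = EmailedInstruction("exarnpleconveyancing.com.au", "062-000", "87654321",
                               callback_phone="0400 000 000")
```

A change of details that has been confirmed by ringing the number on file still passes, but the flags are returned so the file records why the call was made.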
What "Reasonable Steps" Looks Like for a Law Practice
The Privacy Act requires APP entities — which includes most law firms — to take reasonable steps to protect personal information. The 2024 reforms clarified that this includes both technical and organisational measures. What constitutes reasonable steps depends on the size of the practice, the nature of work performed, and the sensitivity of client information handled. A boutique firm doing family law or criminal defence work is handling some of the most sensitive personal information that exists; the reasonable steps expectation is correspondingly high.
The VLSB+C Minimum Cybersecurity Expectations set out a practical baseline. Critical system controls that should be treated as non-negotiable for any practice include:
- Multi-factor authentication on all accounts — email, practice management software, cloud storage, and any system accessible from outside the office
- Automatic software updates for operating systems, browsers, and practice management software — unpatched software is the most common entry point for ransomware
- Secure, tested backups stored separately from primary systems — a ransomware attack that also encrypts your backup is unrecoverable without an offline or isolated copy
- Access controls — staff should access only the information they need for their role; departing staff accounts must be disabled immediately
- Endpoint protection — antivirus and anti-malware software, maintained and updated, on all firm devices
- Device management — firm policies for personal devices that access firm systems, including encryption requirements for laptops
Behavioural controls are equally important and equally part of the regulatory expectation. Staff training on phishing recognition, clear procedures for verifying payment instructions, and a documented process for responding to suspected incidents are all expected components of a well-managed practice.
Legal Professional Privilege and Incident Response
When a law firm suffers a cyber incident, there is an added dimension that most other small businesses don't face: the interaction between incident response activities and legal professional privilege. The Law Council of Australia has specifically advocated for statutory safeguards to preserve legal professional privilege in documents produced following a ransomware attack — including ensuring that materials provided to the ASD or National Cyber Security Coordinator are not shareable with other regulators without consent.
In practice, this means that when a firm engages forensic investigators or cyber incident response providers after a breach, the engagement structure matters. Engaging those providers through the firm's legal counsel — or ensuring the work product is created for the dominant purpose of actual or anticipated litigation — can help preserve privilege over the investigation findings. This is worth planning before an incident occurs rather than after.
The New Ransomware Reporting Obligation
The Cyber Security Act 2024 introduced a mandatory ransomware payment reporting regime that commenced on 30 May 2025. Any law firm with annual turnover above $3 million that makes a ransomware or cyber extortion payment — or is aware that a payment has been made on its behalf, for example by a third-party incident response provider — must report that payment to the Australian Signals Directorate within 72 hours.
The obligation applies whether or not the payment resolves the incident, and regardless of whether a notifiable data breach has occurred. Failure to report attracts civil penalties. Law firms that engage third parties to handle ransom negotiations or payments should ensure their engagement agreements address who bears the reporting obligation and that the timeline is understood.
Where to Start — A Practical Sequence
For a principal who has not yet conducted a structured assessment of the practice's cyber security posture, the immediate priorities are:
- Enable MFA on everything — email accounts and practice management software first; this single control prevents the majority of credential-based attacks
- Verify your backup regime — confirm backups are running, that they include all client files and matter management data, and that at least one copy is not accessible from the main network
- Review access controls — who has access to what, whether former staff accounts have been deactivated, and whether your practice management system enforces role-based access
- Establish a payment verification procedure — a written policy requiring phone verification before any trust account disbursement based on emailed instructions
- Check your cyber insurance — confirm you have coverage, understand what controls it requires, and verify that your actual practices match what was stated in the application
- Conduct a structured assessment — a documented assessment that identifies gaps and produces a written record of your current posture is both a compliance step and a defence if a breach occurs
Document as you go. If a breach does occur, your ability to demonstrate that you had implemented reasonable steps before the incident — and that the breach resulted from a sophisticated attack rather than basic negligence — will matter both to your regulator and to any civil claim by affected clients. A documented assessment, a written security policy, and training records are evidence of a reasonable practice.
Assess Your Law Practice's Cyber Security
Our Legal Health Check covers the specific controls relevant to legal practice — including client data protection, access management, trust account security considerations, and incident response readiness. Scored results, prioritised recommendations, and a written report that documents your due diligence.
