The Victorian Legal Services Board has published an article on cybercrime for law practices (in the Commissioner’s March 2024 email update), covering its requirements for firms and outlining the resources it provides. Tax agent, accounting and other professional bodies are likely to have equivalent requirements and resources. If this article prompts you to do so, you might like to find them, read them, and compare them with these requirements and resources for lawyers.

[Retaining its ‘first person’ text, it says that] this is a real and major risk for practices, no matter what their size. The large sums of money and sensitive information that your clients entrust to you make you a prime target for cybercriminals. Putting in place robust cybersecurity controls is a non-negotiable requirement for good practice management. However, for law practices without established IT support, we know it can be challenging to navigate implementing these controls, and to know where to start.

Our new cybersecurity resources walk you through the practical steps you need to take to ensure you meet your professional obligations to protect your clients’ information, safeguard your law practice from financial loss and reputational damage, and prevent harm to the wider legal system.

Minimum Cybersecurity Expectations
This resource unpacks important controls for your practice that reduce your exposure to cyberattacks, including:

  • critical controls to act on immediately – we expect all law practices to implement these as soon as possible, including:
    • enabling multi-factor authentication
    • having strong and unique passwords
    • turning on regular security and software updates
  • system controls, such as security software and backups, which are technical safeguards that protect your information systems against external threats and vulnerabilities
  • behavioural controls, such as training and client verification, that influence and regulate human behaviour in order to minimise security risks.

This resource also lists examples of conduct that could constitute unsatisfactory professional conduct or professional misconduct.

It’s imperative that you review all the minimum expectations thoroughly, as we expect any controls relevant to your practice to be adopted as soon as practicable.

Red Flags and Good Practices
This resource will help individual lawyers and law practice staff to:

  • recognise key warning signs for potential cybersecurity incidents – from phishing attempts and physical threats through to unusual network activity
  • act quickly to mitigate the impact of a cyberattack, limiting further harm to your clients and business
  • adopt more cybersecure ways of working by being careful about what you share on social media, avoiding unknown USBs and unsecured Wi-Fi, and making sure you keep your personal devices secure and up-to-date
  • meet our expectations for client verification by directly checking with the client when handling financial transactions and sensitive instructions.

Implementing cybersecurity controls may take time, but it is important to make sure you, your practice and the profession are cybersecure.

Read more on our website about why cybersecurity matters, what you need to do and where you can find more information.

[I’ve read, in the financial press, about the different approaches firms take when their systems have been hacked and sensitive information has been taken. Some refuse to pay the ransom (not trusting the hackers, or for moral reasons). However, that usually precipitates adverse publicity and leaves clients or others at the hackers’ mercy (although the traditional view is that paying the ransom does not prevent those things happening anyway). Instead, they work with Government agencies to minimise harm and remediate the loss of information. Medibank and Optus were in this category. One law firm (Ebsworths, I think) did not pay the ransom and got a court order (injunction) restraining anyone from publishing or using the information. Others, however, pay the ransom. I thought this was grubby, and probably ineffective. The article I read, however, painted this as a rational, and perhaps astute, approach – let me tell you why. If this article is right, the hacker does return the information (it would be bad for their business if they didn’t). Instead, they give the ‘hackee’ a report on how they breached the firm’s cybersecurity systems (so the firm can improve its systems) and return the information. For this they charge a ‘fee’ (don’t call it a ‘ransom’ – ha ha). If this was how it worked (and the fee was not extortionate), it could be seen as an ‘involuntary stress test’ of the firm’s cybersecurity systems, with the benefit that the firm will not suffer any reputational damage, and the people whose information was taken would not suffer harm. It would take a lot of faith in the hacker, and more than a bit of courage, to take this approach. Additionally, I’m not sure what the relevant professional associations would say about this approach (if they ever found out).]

[Square brackets] text is my editorial comment.

FJM 22.3.24