Minimum Cybersecurity Expectations

In this resource, we describe system and behavioural controls that law practices should implement. We also define conduct that is capable of constituting unsatisfactory professional conduct or professional misconduct.

Not every law practice requires the same set of cybersecurity measures. Some actions we specify may not be relevant to your practice. For instance, controls related to the handling of trust money won’t apply to barristers or community legal centres, unless they operate a trust account.

However, it’s imperative that you review all the minimum expectations thoroughly, as we expect any controls relevant to your practice to be adopted as soon as is feasible.

Critical controls – act now

All law practices should make it a priority to implement as soon as possible what we call “critical controls”:

1. Multi-factor authentication
2. Appropriate passwords
3. Security updates

These controls are easy to put in place and increase your protection significantly, reducing the risk of a cyberattack.

Access Minimum Cybersecurity Expectations online or download below.

Cybersecurity Red Flags and Good Practices

This resource is designed to help lawyers identify warning signs of possible cyber-incidents. We explain good cyber practices and make clear our regulatory expectations regarding verifying client instructions. We encourage principals to share the resource with their staff.

Access Red Flags and Good Practices online or download below.

Further information

The LIV, the LPLC, and the Law Council of Australia all provide information on cybersecurity for lawyers. Community legal centres can also contact the FCLC for support in understanding and implementing the minimum expectations.

We understand that implementing these expectations may take time. However, by taking these basic steps, you can do your part to make sure you, your practice, and the profession are cyber-secure.