Unpacking Victoria’s minimum cyber security standards

With the Victorian Legal Services Board + Commissioner having imposed new minimum cyber security standards, one cyber lawyer has outlined the standards that practitioners in the Garden State must abide by to avoid unprofessional conduct or professional misconduct.

Grace Robbie, 18 September 2024, Big Law

Speaking on a recent episode of The Lawyers Weekly Show, Simone Herbert-Lowe, the founder and the legal practitioner director of Law & Cyber and the recipient of the Innovator of the Year for the Women in Law Awards in 2022, delved into the new minimum cyber security standards mandated by the Victorian Legal Services Board + Commissioner (VLSB+C), which are obligatory for all legal practitioners operating in the Garden State.

Herbert-Lowe delineated that the minimum expectations introduced by the VLSB+C centre on three fundamental areas that require the focused attention of law firm leaders.

According to Herbert-Lowe, critical controls are the first area highlighted by VLSB+C that necessitates education for the Victorian legal profession.

She explained how this encompasses aspects such as “security, making sure you have security updates, strong passwords and login credentials, and multifactor authentication”.

Herbert-Lowe explained that the second area VLSB+C outlines for law firms to be aware of is the need for robust system controls.

She noted that system controls concern the “technical safeguards implemented in your [law firm] information systems to protect against external threats”.

Given the sensitive nature of the information entrusted to law firms, which includes client details, case information, and sensitive financial documents, VLSB+C expects law firms to allocate resources towards implementing advanced system controls.

The final aspect that VLSB+C addresses in its minimum standard is the implementation of behavioural controls, which is crucial because human behaviour is often the weakest link in cyber security.

Herbert-Lowe explained that this aspect focuses on “influencing and regulating human behaviour” within the firm.

To ensure compliance, she explained how firms are expected to deliver continuous “training and education” to all lawyers to ensure they are all familiar with cyber security best practices and the evolving nature of cyber threats.

Herbert-Lowe elaborated on how the newly established standards by VLSB+C are not mere recommendations for law firms but rather carry significant repercussions for those who fail to adhere to such requirements.

“They have very clearly said that certain conduct is capable of constituting unprofessional conduct or professional misconduct under the legislation,” she said.

“[VLSB+C] very clearly set out their expectations, and then they say, which of those, if you breach some of these, could be unprofessional conduct or professional misconduct.”

Victoria has set a new standard for cyber security expectations and requirements for law firms in Australia, with no other state or territory having established such comprehensive guidelines for their legal sectors.

Herbert-Lowe elucidated how the Victorian professional association for lawyers and the regulatory body have diligently enforced the new standards for lawyers to comply with.

“What’s different here is that Victoria has a very clear demarcation between the membership body, being the Law Institute of Victoria, and the regulatory body, and it’s been very clear saying this is what we expect you as lawyers to have,” she said.

In contrast, she revealed that other states in Australia have adopted a more advisory approach, encouraging law firms to improve their cyber security measures through guidelines and recommendations rather than strict mandates.

“Whereas I think in the other states, there’s certainly been lots of information produced over the last few years in the form of guidance that we recommend you do this, you should do these things.

“But it’s more in that nature of guidance and encouragement rather than a black and white thing saying you could be guilty of unprofessional conduct or professional misconduct if you don’t do these things,” she said.