Goodbye job applications, hello dream career
Seize control of your career and design the future you deserve with LW career

Unpacking Victoria’s minimum cyber security standards

With the Victorian Legal Services Board + Commissioner having imposed new minimum cyber security standards, one cyber lawyer has outlined the standards that practitioners in the Garden State must abide by to prevent unprofessional or professional misconduct.

user iconGrace Robbie 18 September 2024 Big Law
expand image

Speaking on a recent episode of The Lawyers Weekly Show, Simone Herbert-Lowe, the founder and the legal practitioner director of Law & Cyber and the recipient of the Innovator of the Year for the Women in Law Awards in 2022, delved into the new minimum cyber security standards mandated by the Victorian Legal Services Board + Commissioner (VLSB+C), which are obligatory for all legal practitioners operating in the Garden State.

Herbert-Lowe delineated that the minimum expectations introduced by the VLSB+C centre on three fundamental areas that require the focused attention of law firm leaders.

As elucidated by Herbert-Lowe, critical controls is the first area highlighted by VLSB+C that necessitates education for the Victorian legal profession.

She explained how this encompasses aspects such as “security, making sure you have security updates, strong passwords and login credentials, and multifactor authentication”.

Herbert-Lowe explained that the second area VLSB+C outlines for law firms to be aware of is the need for robust system controls.

She noted that systems controls regard the “technical safeguards implemented in your [law firm] information systems to protect against external threats”.

Given the sensitive nature of the information entrusted to law firms, which includes client details, case information, and sensitive financial documents, VLSB+C expects law firms to allocate resources towards implementing advanced system control.

The final aspect that VLSB+C addresses in its minimum standard is the implementation of behavioural controls, which is crucial because human behaviour is often the weakest link in cyber security.

Herbert-Lowe entailed how this aspect focuses on “influencing and regulating human behaviour” within the firm.

To ensure compliance, she explained how firms are expected to deliver continuous “training and education” to all lawyers to ensure they are all familiar with cyber security best practices and the evolving nature of cyber threats.

Herbert-Lowe elaborated on how the newly established standards by VLSB+C are not mere recommendations for law firms but rather carry significant repercussions for those who fail to adhere to such requirements.

“They have very clearly said that certain conduct is capable of constituting unprofessional conduct or professional misconduct under the legislation,” she said.

“[VLSB+C] very clearly set out their expectations, and then they say, which of those, if you breach some of these, could be unprofessional conduct or professional misconduct.”

Victoria has set a new standard for cyber security expectations and requirements for law firms in Australia, with no other state or territory having established such comprehensive guidelines for their legal sectors.

Herbert-Lowe elucidated how the Victorian professional association for lawyers and the regulatory body have diligently enforced the new standards for lawyers to comply with.

“What’s different here is that Victoria has a very clear demarcation between the membership body, being the Law Institute of Victoria, and the regulatory body, and it’s been very clear saying this is what we expect you as lawyers to have,” she said.

In contrast, she revealed that other states in Australia have adopted a more advisory approach, encouraging law firms to improve their cyber security measures through guidelines and recommendations rather than strict mandates.

“Whereas I think in the other states, there’s certainly been lots of information produced over the last few years in the form of guidance that we recommend you do this, you should do these things.

“But it’s more in that nature of guidance and encouragement rather than a black and white thing saying you could be guilty of unprofessional conduct or professional misconduct if you don’t do these things,” she said.

You need to be a member to post comments. Become a member for free today!