Your privilege ends where your security does.
Client trust, matter files and trust-account access make legal practices a first-choice target — and the Privacy Act puts the liability on the principal, not just the firm. We map your defences to the obligations you actually carry, then prove they hold.
Dossier 01 / 10
Legal
Law firms hold the secrets attackers most want to monetise — and the privilege they most want to break.
- Privacy Act 1988 / APPs
- Legal Professional Privilege
- Notifiable Data Breaches scheme
What the obligation actually requires of you.
- 01
Privacy Act 1988 / APPs
The Australian Privacy Principles govern every piece of client and matter data your practice holds, and a serious breach exposes the principal personally, not only the firm's letterhead.
- 02
Legal Professional Privilege
Privilege protects what your clients tell you, but only if the systems holding it are genuinely secure. A breach can force disclosure the privilege was meant to prevent.
- 03
Notifiable Data Breaches scheme
A breach likely to cause serious harm must be assessed against a strict statutory clock, and reported to the OAIC and affected clients where the threshold is met.
For a practice, that figure understates the real exposure. A breach of privileged material costs more than the recovery bill — it costs the trust a client placed in your discretion.
Legal is among the top three most-targeted professional-services sectors in Australia.
The settlement transfer that never left the trust account.
The situation — A partner's mailbox credentials surfaced on a criminal marketplace. Within days, an attacker impersonating that partner emailed the practice's trust accountant with revised bank details for an imminent property settlement.
What we did — Enforced MFA had already locked the attacker out of the mailbox itself, but the fraudulent instruction still arrived through a lookalike domain. Our email security flagged the domain mismatch, and the practice's second-channel verification policy — a GMAN IT control, not an afterthought — caught the rest before any transfer was authorised.
The outcome — No funds moved. No client matter was compromised. The incident was assessed against the Notifiable Data Breaches scheme and closed as contained, with a written record the practice could show its insurer.
Anonymised and adapted from a GMAN IT engagement. Details generalised to protect client confidentiality.
Run it yourself, before we ever speak.
- MFA enforced for every login to matter-management and trust-accounting systems
- Trust-account payment changes verified through a second channel, every time, no exceptions
- A documented breach-response process mapped to the Notifiable Data Breaches scheme's assessment clock
- Client file access logged and reviewed for anomalies
- Privilege-bearing documents encrypted at rest and in transit
- Staff trained to recognise partner-impersonation and business-email-compromise attempts
- A retention and secure-destruction schedule for closed matters
The questions this vertical always asks.
Law firms hold what attackers most want to monetise: privileged client information and trust-account access. Size does not reduce the target; smaller practices often carry weaker controls, which makes them the easier one.
No. Our review examines your systems and access controls, not the content of privileged matters. Confidentiality terms are agreed before any engagement begins, and our scope never extends to reading client files.
We assess against the Notifiable Data Breaches scheme's statutory clock, contain the incident, and help you meet your reporting obligations to the OAIC and affected clients without guesswork.
Find out exactly where your practice’s privilege is exposed.
The Cyber Readiness Assessment is the forensic starting point — credited toward your first year of managed protection, backed by a 100% refund guarantee.
Melbourne VIC · Australia · gmanit.com.au