Cybersecurity misconduct risks for Victorian lawyers
Episode 7 • 12th May 2026 • Cross-Examined • The Law Institute of Victoria

Shownotes

Episode Summary:

Victorian lawyers are now being held to a minimum cybersecurity standard, and failure can lead to professional misconduct findings. This episode examines cybersecurity professional misconduct risks, what regulators expect in practice and how new privacy and ransomware laws raise the stakes for every firm, big or small.

Guest:

• Simone Herbert-Lowe, founder, Law & Cyber

• Professional indemnity specialist with more than 30 years of legal experience

• Expert at the intersection of cyber risk and legal professional responsibility

https://www.linkedin.com/in/simone-herbert-lowe/

https://www.lawandcyber.com.au

Host:

• Jayne Gurton, Law Institute of Victoria

podcasts@liv.asn.au | https://www.linkedin.com/company/law-institute-of-victoria

Episode Overview:

Cyber risk has moved from an abstract IT issue to a core professional responsibility for Victorian lawyers. In this episode, we examine cybersecurity professional misconduct through the lens of recent court decisions, regulatory guidance and real-world claims experience. Simone Herbert-Lowe explains how the “reasonable practitioner” standard is being applied in 2026, why human behaviour remains the weakest link in law firm security, and how small and mid-sized practices are often more exposed than large firms.

The discussion also unpacks the VLSB+C minimum cybersecurity expectations, the expanded reach of the Privacy Act through AML/CTF obligations, and the impact of new laws on ransomware reporting and serious invasions of privacy. Listeners will gain practical guidance on what compliance looks like in day-to-day legal practice and where to focus limited time and resources.

Topics & Timestamps:

• 00:12 Why cybersecurity failures can now amount to professional misconduct

• 01:25 Recent court cases shaping cyber risk expectations

• 04:44 Why small firms are attractive cyber targets

• 06:48 Behavioural breaches and human error in law firms

• 09:26 The “reasonable practitioner” standard in 2026

• 12:38 Cloud services, offshore data and Privacy Act obligations

• 14:21 Ransomware reporting and the statutory privacy tort

• 16:29 Practical actions firms should take this week

Key Takeaways:

• Cybersecurity failures can now trigger findings of unsatisfactory professional conduct or misconduct.

• Small and sole practices are as at risk as large firms.

• Human behaviour, not technology, is behind many serious breaches.

• The VLSB+C minimum cybersecurity expectations set a clear baseline for Victorian lawyers.

• Privacy Act obligations can apply regardless of firm size through AML/CTF requirements.

• Principals must be able to demonstrate practical, documented cyber controls.

Resources & Links:

• LIV Cybersecurity Hub – Practical guidance and resources for Victorian practitioners | https://www.liv.asn.au/cybersecurityhub

• VLSB Minimum Cybersecurity Expectations – Regulator guidance setting baseline standards | https://lsbc.vic.gov.au/sites/default/files/2024-02/VLSB%2BC_Minimum_Cybersecurity_Expectations.pdf

• Australian Information Commissioner v Australian Clinical Labs Limited [2025] FCA 1224 – Federal Court decision on privacy and cyber breaches | https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/FCA/2025/1224.html

• ASIC v FIIG Securities Limited [2026] FCA 92 – Cybersecurity governance and regulatory enforcement | https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/FCA/2026/92.html

• Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114 – District Court of Western Australia decision, decided 20 December 2024 | https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/wa/WADC/2024/114.html

• Ransomware payment reporting factsheet – Department of Home Affairs guidance | https://www.homeaffairs.gov.au/cyber-security-subsite/files/factsheet-ransomware-payment-reporting.pdf

• OAIC guidance on statutory privacy tort – Overview of serious invasions of privacy | https://www.oaic.gov.au/privacy/your-privacy-rights/more-privacy-rights/statutory-tort-for-serious-invasions-of-privacy

• Australian Privacy Principles: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines

About This Podcast

Cross-Examined is a new podcast from the Law Institute of Victoria. Tune in to hear experts discuss hot topics in the law and the changes shaping the legal profession. Regular episodes will cover everything from AI and cyber threats to ethical dilemmas, workplace taboos and practice management insights.

This podcast is recorded on the traditional lands of the Wurundjeri people of the Kulin Nation. The Law Institute of Victoria acknowledges the Traditional Custodians of Country across Australia. We pay our respects to Elders past and present.

Disclaimer

This podcast is for informational purposes only and is not intended to replace professional legal advice. The views expressed in this podcast do not necessarily reflect the views of the Law Institute of Victoria (LIV). The LIV is not responsible for any losses, damages or liabilities that may arise from the use of this podcast. Listeners should seek independent legal advice for their matters.

Production Information

• Produced by: The Law Institute of Victoria

• Producer and audio editor: Garreth Hanley

• Music: Garreth Hanley

• Copy and show notes: Louise Surette

Connect With Us

Email: podcasts@liv.asn.au

Website: https://liv.asn.au

LinkedIn: https://www.linkedin.com/company/law-institute-of-victoria

Apple Podcasts: https://podcasts.apple.com/au/podcast/cross-examined/id1858765728

Spotify: https://open.spotify.com/show/0zvyk5xia4wYv9YWcXphgV

Mentioned in this episode:

2026 Legal Forum advert

Legal Forum 2026: Discover the forum where lawyers come to connect, be inspired and stay ahead. The Law Institute of Victoria’s flagship, full-day conference brings ideas, leading experts and the profession together to learn, connect and shape the future of legal practice. Wednesday 10 June | Pullman Melbourne on the Park | https://www.liv.asn.au/legalforum

Transcripts

Garreth Hanley:

Welcome to Cross-Examined, a podcast by the Law Institute of Victoria.

Jayne Gurton:

Victorian lawyers are being held to a new standard. The regulator has published exactly what cybersecurity compliance looks like, and failing to meet it is no longer just a risk management issue. It can now result in a finding of professional misconduct.

I'm Jayne Gurton, and in this episode of Cross-Examined, we explore what that standard actually requires, why small firms are often more attractive targets than large ones, and what the new statutory privacy tort and ransomware reporting laws mean for any firm that suffers a breach.

Our guest today is Simone Herbert-Lowe, founder of Law & Cyber and one of Australia's most recognised voices at the intersection of cyber risk and legal professional responsibility.

Simone has more than 30 years of experience as a lawyer and has personally handled more than 2,000 professional indemnity claims against Australian law firms.

Simone, welcome to Cross-Examined.

Simone Herbert-Lowe:

Thank you so much, Jayne. Lovely to be here.

Jayne Gurton:

Let's get into it. I'm excited to cover things with you. So, cyber breaches affect every sector and profession in Australia. From a legal perspective, Simone, are there recent cases that stand out that people should be aware of?

Simone Herbert-Lowe:

Yes, absolutely. So, there was a decision by the Federal Court in October last year called the Australian Information Commissioner and Australian Clinical Labs, where the privacy commissioner took civil penalty proceedings against Australian Clinical Labs in relation to a data breach. And ACL was ordered to pay a fine of $5.8 million as a result of a cyber incident and the way it was managed.

So, the key message there is that taking reasonable steps to protect personal information under the Privacy Act means having adequate cybersecurity, and also that a slow incident response is also itself a separate liability. And, of course, we've actually got litigation against Medibank and Optus still to be decided in relation to privacy litigation in terms of what the Commission is doing, but also class actions in relation to those matters.

The second really important case is one of ASIC and FIIG Securities. If you are a bank or an insurance company, you must have an Australian Financial Services license. So, in this case, FIIG Securities was an AFSL, and it was found not to have had adequate cybersecurity protections in place, and it was ordered to pay $2.5 million plus $500,000 in costs.

So, the critical point in that one is, the FIIG actually did have a cybersecurity policy on paper, but failed to implement it in the way that was expected and failed to take other protections. And when you read these cases, what you see is that cybersecurity was never just an IT problem. But when you really drill down into the findings from the courts in these cases, the human factor and things like governance are really, really important parts of a cyber resilience policy.

Another important case, and this was actually at the end of ’24, was a case of Mobius Group and Inoteq, which is a District Court decision in Western Australia. But what was interesting about that was that it was a civil matter between two parties as to who should bear the loss in a business email compromise case.

So, in that case, the Court found that the payer had to bear the loss because they were in the best place to verify whether a payment instruction was genuine or not. And that's interesting, because business email compromise is a really big issue for law firms, because law firms have trust accounts they manage. Even if you don't operate a trust account, you are directing where payments are going to go in litigation and things like that.

Clients, generally of businesses, don't expect to receive an email saying you need to pay half a million dollars or a million dollars into this particular bank account. But they are not surprised if they get an email like that from their lawyers if they are acting in a property transaction or sale of a business or an estate that's being wound up.

So, business email compromise is really important and so, that is an interesting case that shows the expectations also on everybody now to actually verify whether an email is genuine or not.

Jayne Gurton:

So, Simone, what can small firms or sole practitioners do to protect their business and client information? Or are cyber criminals only targeting large firms?

Simone Herbert-Lowe:

I think, if anything, you can be a much more attractive target as a small firm than a large firm. Large firms have very detailed processes in place. They can have very large, dedicated security teams, incident response plans and all of that, and smaller firms typically do not.

The largest fraud that I know of, having been working in this area for many years, involved quite a small firm, where the amount scammed was in the tens of millions of dollars. And I think there can be a tendency in small firms to think, I'll never be a target, but that is just about the most dangerous assumption that you can make.

And look, another thing that's not commonly known or appreciated is the limited liability legislation that solicitors are often a part of to cap their own liability does not apply to actions for breach of trust. So, if you think that your liability is capped under a scheme like that, it may not protect you or may not cap your liability if the action against you is for breach of trust.

And then, just circling back to that matter I mentioned earlier where someone was deceived into paying tens of millions of dollars out of a trust account – it wasn't a cyber hack as such. Nobody hacked anybody. It's what's known as social engineering or the manipulation of people's natural tendency to trust. It's what used to be called a confidence trick.

So, in that case, nobody hacked anybody. It was just that there was a dishonest client who fabricated emails from the other party authorising payment out of a trust account, and the solicitor involved just accepted that they were genuine when they weren't.

Jayne Gurton:

Technical controls like multi-factor authentication, software updates and encryption are pretty easy to implement, but the data does show us that most breaches are a result of human behaviour. Do you have any examples of what a behavioural breach actually looks like?

Simone Herbert-Lowe:

Sure. So, in the matter I mentioned earlier about a partner that was deceived by his client, that matter involved fraudulent emails and letters. And what we see now is that technology has enabled fraud and deception on a scale that's completely unprecedented. I mean, I've thought that for quite a number of years, but since then, we now even have deepfakes, deepfake videos and voice cloning.

So, let's say somebody does a short video on LinkedIn or on their firm website. That means your voice file is available for somebody to use using AI, to have you say something completely different, for example.

Apparently they, cyber criminals, only need something like 30 seconds worth of audio file to create a conversation using your voice that sounds so much like you, your family wouldn't even know that it wasn't you.

So, we have that kind of technology. There was a case in, I think it was either Singapore or Hong Kong, where a finance officer paid $25 million US into the wrong bank account because he had been on a call with other people that he believed were his colleagues – a video call – but were actually deepfake characters.

Phishing is still the most common entry point. So, emails that appear to be from someone you trust, but really have a malicious intent. It could be to get you to click on a link and take you to a fraudulent website that then collects your login credentials. So, they have those to log in.

Another issue with human behaviour is sharing your credentials. So, if you've got a whole bunch of people using the one email address, and they've got the one password, you don't have an audit trail of who did what. So, another thing is off-boarding failures, like if staff who have left retain active credentials after they leave. And then also think about personal devices. If people are using their phones and they don't have a strong password on them or they don't lock after a couple of seconds and family members can use them.

Jayne Gurton:

One thing that you just said that stood out incredibly for me was that tech has enabled fraud and deception on a scale that's completely unprecedented. So, let's talk about what that means for our legal professionals and the concept of the “reasonable practitioner”. Can you explain what that means in this context and what expectations are placed upon legal professionals in 2026?

Simone Herbert-Lowe:

Sure. So as solicitors, we've always had a duty of care, and we have an obligation to take reasonable care and to meet a peer standard – so, what would our colleagues think is reasonable in all the circumstances?

Now, from the time that I was working at a professional indemnity insurer eight or nine years ago, there were warnings to people to always check instructions received by email using another method, such as a phone call or whatever. There were lots of emails about email fraud. This is not a new thing. It's going back eight, nine, almost 10 years now.

So, it would be very difficult to argue, for example, that if you didn't have multi-factor authentication in place on your email, and there was a loss as a result of that, or that if you accepted payment instructions received by email without verifying it in a different way, that you weren't liable – because professional bodies and insurers have been talking about this stuff for a long time now.

So, “reasonable” doesn't mean what everyone does. It means in your particular circumstances and the circumstances of the work you do, what is a client entitled to expect?

So, around two years ago, the Victorian Legal Services Board and Commissioner published minimum cybersecurity expectations for Victorian legal practitioners. So, in the document, it says that there are really three categories of controls.

First of all, there are critical system controls, which are non-negotiables – things like multi-factor authentication on all remote access and email, including shared mailboxes, up-to-date security software and patching, and regular tested backups.

There are then also broader system controls, which are access controls, such as only relevant staff can see certain things and staff can only see what they need. So, not everyone in your office can see everything. And also, that there's an incident response plan that's in place and has been tested.

The third category of control is behavioural controls. So, that's annual cybersecurity training for all staff and new staff as part of their induction training, and verification of client identity before acting on email instructions involving money or sensitive matters. So, the list is quite detailed, but that's a summary of the key issues. And what's particularly important, I think, is that a breach of any of those by the principal of a law practice can amount to unsatisfactory conduct or even professional misconduct, if those things aren't in place.

Jayne Gurton:

Simone, let's talk about cloud storage and cloud software, like practice management software, or maybe even IT support from offshore vendors. What due diligence is required when using these services? And is the Privacy Act relevant to law firms, and if so, which firms does it apply to?

Simone Herbert-Lowe:

So, the Privacy Act applies to any organisation with annual turnover of more than $3 million. There are exceptions to that where organisations with less revenue still come under the Privacy Act.

Interestingly, what has sort of flown under the radar a little bit, I think, is that law firms who are under AML will now be under the Privacy Act as well. And so, it doesn't matter what your annual revenue is. If you are acting in matters caught under AML, then the Privacy Act applies to you as well.

So, what's the significance of the Privacy Act?

It means there's a notifiable data breaches regime. You become an APP entity. APP entities must apply the Australian Privacy Principles, and that's where you get rules about whether data can go offshore and things like that.

So, big companies, like some of the big tech companies, we know have data centres in Australia, but you might be using backups with a different organisation that is in a different overseas jurisdiction. Under the Privacy Act, under APP8, I think it is, if you send data offshore, you are responsible for whether or not your contractor complies with the Privacy Act.

So, the issue about knowing whether data is going offshore or not is important.

Jayne Gurton:

Simone, on top of what you've just mentioned, the statutory privacy tort commenced in June 2025, and the ransomware reporting obligation is now live. So, how does this change the risk calculus for a firm that suffers a breach?

Simone Herbert-Lowe:

In terms of the ransomware reporting obligation, so that also applies to organisations with turnover of more than $3 million, and you must report any ransomware payments to the Australian Signals Directorate. The ASD is part of the Department of Defence that just deals with cyber issues, and you must report that within 72 hours. So, you are not required to report a cyber extortion claim, but you are required to report if you have paid.

There's a civil penalty of $19,800 if you don't. If you pay a ransom and you come under that regime, you need to report it to the government.

In terms of the statutory tort for serious invasions of privacy, that's a bit different to the issue of data breaches, although it overlaps. So, this new tort of serious breach of privacy applies if there has been an invasion of privacy which involves intrusion. So, let's say a typical thing of intrusion might be misuse of data. If this has happened where there's a reasonable expectation of privacy and there has been intentional or reckless conduct, you can be ordered to pay damages for breach of privacy.

It's different to obligations under the Privacy Act, because a lot of Privacy Act obligations are – there's an exemption that applies to employees, but that's not the case for the serious invasion of privacy, for the tort of serious invasion of privacy.

So, an employee could bring an action for a serious invasion of privacy, for example, and there can be significant damages. So, there's a damages cap of, I think, around $480,000.

Jayne Gurton:

Simone, we are looking at a world that is incredibly busy. Things are changing. Everyone's in demand all the time. If a Victorian firm principal, for example, is listening to this on their commute right now, and they want to actually do something this week, what would you recommend?

Simone Herbert-Lowe:

First thing I would say is make sure you have multi-factor authentication turned on for any of your firm systems, whether it's email, practice management software, remote access. That would be the first thing. Don't assume just because it's on one thing that it's on everything.

So, don't forget shared inboxes as well, like we were talking about with reception@ or info@ type email addresses. Test your bank verification process. Make sure you have a written process, and that everyone's been trained in it, and that you can document that they have been.

So, it's also really important that you only get instructions from people who are authorised to give those instructions. So, that sounds obvious, but if you tell everyone in your firm, you must ring the client to check, right, it may not be the client whose job it is to authorise the payment. Usually it will be, but in that case I mentioned before where the tens of millions of dollars were lost, the principal's EA did actually telephone the client, but it wasn't the client's money in the trust account, and it wasn't the client who should have given instructions to release the money from the trust account. So, you also have to do it in a thoughtful, considered way. Is this the person I'm supposed to get instructions from? Do I believe this is the actual person? How do I go about confirming that?

And then the third point I would raise is that, make sure you have read the minimum cybersecurity expectations. They've been published by the regulator in Victoria. They are on the VLSB+C's website, and Jayne, I'm sure we can link to that in the podcast notes. And it tells you exactly what's expected and what failure looks like as well. You can be guilty now of unsatisfactory professional conduct or professional misconduct if you don't meet those expectations. They are very clearly set out, so really make sure that you've read those, and that will give you a roadmap for how to start remediating some issues if you can't tick them all off.

Jayne Gurton:

Amazing. Thank you so much, Simone, for all of your expertise and all of your stories that brought life to this topic.

Simone Herbert-Lowe:

My pleasure. Thank you so much for having me, Jayne, it's lovely to be here.

Jayne Gurton:

And thank you to everyone listening today to Cross-Examined. Please check the show notes for links to the cases Simone discussed or the Law Institute of Victoria's Cybersecurity Hub, where we do have the VLSB+C minimum cybersecurity expectations featured, and Simone's firm Law & Cyber for any further informational resources that you might want out of this discussion.

Until next time, thanks for listening to Cross-Examined.
