Victorian Legal Services Board and Commissioner set minimum cybersecurity expectations for law practices

The Victorian Legal Services Board and Commissioner (VLSB+C) has set out minimum cybersecurity expectations to help law practices protect client data and meet legal and ethical obligations. The guidance is directed at law practice principals and distinguishes between system controls, which are technical safeguards for information systems, and behavioural controls, which reduce risks arising from human conduct. The VLSB+C identifies critical controls such as installing security updates, using strong and unique passwords, avoiding password reuse and enabling multi-factor authentication where available.

The system controls section also addresses security software, access control, device encryption, secure handling of personal devices, backups and the retention of logs. The behavioural controls section covers staff training, client and bank verification procedures, and incident response and reporting. The VLSB+C states that law practices should prioritise any critical controls that are not yet in place and consider whether additional measures are required based on the size, capability, work type and client profile of the practice.


Brought to you by ICLR.