Cross-Examined

Cybersecurity misconduct risks for Victorian lawyers



Episode Summary:

Victorian lawyers are now being held to a minimum cybersecurity standard, and failure can lead to professional misconduct findings. This episode examines cybersecurity professional misconduct risks, what regulators expect in practice and how new privacy and ransomware laws raise the stakes for every firm, big or small.

Guest:

• Simone Herbert-Lowe, founder, Law & Cyber

• Professional indemnity specialist with more than 30 years of legal experience

• Expert at the intersection of cyber risk and legal professional responsibility

https://www.linkedin.com/in/simone-herbert-lowe/

https://www.lawandcyber.com.au

Host:

• Jayne Gurton, Law Institute of Victoria

[email protected] | https://www.linkedin.com/company/law-institute-of-victoria

Episode Overview:

Cyber risk has moved from an abstract IT issue to a core professional responsibility for Victorian lawyers. In this episode, we examine cybersecurity professional misconduct through the lens of recent court decisions, regulatory guidance and real-world claims experience. Simone Herbert-Lowe explains how the “reasonable practitioner” standard is being applied in 2026, why human behaviour remains the weakest link in law firm security, and how small and mid-sized practices are often more exposed than large firms.

The discussion also unpacks the VLSB+C minimum cybersecurity expectations, the expanded reach of the Privacy Act through AML/CTF obligations, and the impact of new laws on ransomware reporting and serious invasions of privacy. Listeners will gain practical guidance on what compliance looks like in day-to-day legal practice and where to focus limited time and resources.

Topics & Timestamps:

• 00:12 Why cybersecurity failures can now amount to professional misconduct

• 01:25 Recent court cases shaping cyber risk expectations

• 04:44 Why small firms are attractive cyber targets

• 06:48 Behavioural breaches and human error in law firms

• 09:26 The “reasonable practitioner” standard in 2026

• 12:38 Cloud services, offshore data and Privacy Act obligations

• 14:21 Ransomware reporting and the statutory privacy tort

• 16:29 Practical actions firms should take this week

Key Takeaways:

• Cybersecurity failures can now trigger findings of unsatisfactory professional conduct or misconduct.

• Small and sole practices are as at risk as large firms.

• Human behaviour, not technology, is behind many serious breaches.

• The VLSB+C minimum cybersecurity expectations set a clear baseline for Victorian lawyers.

• Privacy Act obligations can apply regardless of firm size through AML/CTF requirements.

• Principals must be able to demonstrate practical, documented cyber controls.

Resources & Links:

• LIV Cybersecurity Hub – Practical guidance and resources for Victorian practitioners | https://www.liv.asn.au/cybersecurityhub

• VLSB Minimum Cybersecurity Expectations – Regulator guidance setting baseline standards | https://lsbc.vic.gov.au/sites/default/files/2024-02/VLSB%2BC_Minimum_Cybersecurity_Expectations.pdf

• Australian Information Commissioner v Australian Clinical Labs Limited [2025] FCA 1224 – Federal Court decision on privacy and cyber breaches | https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/FCA/2025/1224.html

• ASIC v FIIG Securities Limited [2026] FCA 92 – Cybersecurity governance and regulatory enforcement | https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/FCA/2026/92.html

• Mobius Group Pty Ltd v Inoteq Pty Ltd [2024] WADC 114 – District Court of Western Australia, decided 20 December 2024 | https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/wa/WADC/2024/114.html

• Ransomware payment reporting factsheet – Department of Home Affairs guidance | https://www.homeaffairs.gov.au/cyber-security-subsite/files/factsheet-ransomware-payment-reporting.pdf

• OAIC guidance on statutory privacy tort – Overview of serious invasions of privacy | https://www.oaic.gov.au/privacy/your-privacy-rights/more-privacy-rights/statutory-tort-for-serious-invasions-of-privacy

• Australian Privacy Principles: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines

About This Podcast

Cross-Examined is a new podcast from the Law Institute of Victoria. Tune in to hear experts discuss hot topics in the law and the changes shaping the legal profession. Regular episodes will cover everything from AI and cyber threats to ethical dilemmas, workplace taboos and practice management insights.

This podcast is recorded on the traditional lands of the Wurundjeri people of the Kulin Nation. The Law Institute of Victoria acknowledges the Traditional Custodians of Country across Australia. We pay our respects to Elders past and present.

Disclaimer

This podcast is for informational purposes only and is not intended to replace professional legal advice. The views expressed in this podcast do not necessarily reflect the views of the Law Institute of Victoria (LIV). The LIV is not responsible for any losses, damages or liabilities that may arise from the use of this podcast. Listeners should seek independent legal advice for their matters.

Production Information

• Produced by: The Law Institute of Victoria

• Producer and audio editor: Garreth Hanley

• Music: Garreth Hanley

• Copy and show notes: Louise Surette

Connect With Us

Email: [email protected]

Website: https://liv.asn.au

LinkedIn: https://www.linkedin.com/company/law-institute-of-victoria

Apple Podcasts: https://podcasts.apple.com/au/podcast/cross-examined/id1858765728

Spotify: https://open.spotify.com/show/0zvyk5xia4wYv9YWcXphgV


Cross-Examined | By The Law Institute of Victoria