Changes to the Privacy Act 1988 (Cth) from February 2018 require mandatory reporting of eligible data breaches for many law practices.
Regardless of size, all law practices should be aware of the privacy legislation because:
Larger practices with annual turnover in excess of $3 million are subject to the legislation by default
Practices holding tax file numbers are subject to the legislation for the purposes of those records
Many law practices hold health records, which fall within the legislation (for example, practices acting in personal injury litigation and holding medical information, or practices holding medical certificates in relation to individuals’ legal capacity for the purposes of powers of attorney)
If your law practice falls into any of these categories, it is required to comply with the new privacy regime.
Even if your law practice does not fall within this regime, protection of clients’ sensitive information is required under Solicitors’ Rules. Adequate cyber security protection is therefore an important component of modern legal practice.