FOR LAW FIRMS & LEGAL PRACTICES

Confidentiality is the product. We make sure it stays that way.

Cybersecurity designed around legal practice: privilege, matter data, contractor access, and the partners who actually move the files.

Who this is forLaw firmsSole practitionersBoutique & mid-tier firmsTop-tier firmsIn-house legal teamsBarristers’ chambers
The pattern

A breach in legal is a breach of privilege.

Law firms hold the most sensitive data of every client they touch. The risk pattern is consistent, and so is the answer.

Client confidentiality at scale

Every matter file is a regulated obligation. Loss of confidentiality is a Law Society conduct issue, not just an IT problem.

Privilege and M&A data rooms

High-value deals concentrate sensitive material. Privileged communications and deal documents are the first thing an attacker looks for.

Contractor and secondee access

Counsel, paralegals and external experts come and go. Personal devices and unmanaged access points proliferate fast.

Generative AI in legal workflows

Junior staff pasting privileged drafts into public AI tools. The leak you do not see until it surfaces in the next prompt.

The obligation

Privacy Act, NDB and Law Society practice obligations.

Legal practices sit under the Privacy Act, the Notifiable Data Breaches scheme, court-mandated security for sensitive filings, and Law Society conduct rules that treat client confidentiality as foundational. The Cornerstone program is built to those obligations from day one.

What we map to

The frameworks that matter in legal

  • Privacy Act 1988 and the Australian Privacy Principles (APPs)
  • Notifiable Data Breaches (NDB) scheme readiness
  • Law Society professional conduct rules on client confidentiality
  • Essential Eight Maturity Level 2 as a defensible baseline
What is hitting law firms right now in Australia

The pressures landing on practices, in 2025 and 2026.

These are not abstract risks. They are the specific things Australian principals and managing partners are answering for, this year.

01Privacy Act

A statutory tort for serious invasions of privacy is moving through parliament.

When it lands, privileged client material is squarely in scope. The defence is demonstrable confidentiality controls, not a privacy policy.

02OAIC enforcement

The regulator is now pursuing the larger penalty range.

Recent Privacy Act amendments lifted the ceiling, and several Australian firms are in active proceedings. Notifiable Data Breach readiness is no longer paper-thin.

03AI in legal practice

ALRC findings on AI in legal will shape conduct rules.

Junior staff using public AI to draft material is the most-reported emerging risk among Australian firms. Most have no inline guardrails. Yet.

04Insurers

Cyber renewals now audit MFA, immutable backup and contractor access.

Saying you do the right things is no longer enough. Underwriters want evidence before they price, and increasingly before they bind.

05Notifiable breaches

Larger firms have publicly notified breaches in the past 18 months.

Each one becomes the template the regulator measures peers against. The bar moves up, quietly, every quarter.

06Lateral hires

Inbound matter material from new partners is still an unmanaged channel at most firms.

It is also a clear audit and conflicts risk. The fix is procedural and technical, designed once, held over time.

What we deliver

A security program built around how legal practices actually work.

No theory, no generic stack. Six controls, mapped to the way matter files, contractors and partners move.

Identity

Phishing-resistant MFA, Conditional Access, no shared logins

Every partner, lawyer and contractor authenticates with phishing-resistant MFA. Conditional Access blocks risky sign-ins; just-in-time elevation for senior accounts via Delinea.

Microsoft EntraConditional AccessDelinea PAM
Matter data

Sensitivity labels, DLP, controlled external sharing

Matter folders auto-labelled. Purview DLP stops privileged content moving to personal email or external services. Netskope inspects every outbound web and SaaS upload.

Purview labelsPurview DLPNetskope DLP
Contractors

MAM, Enterprise Browser, no managed device required

Counsel, paralegals and external experts get app-protected access from their own devices. Work data stays in the container; nothing IT does not need to see ever leaves the personal side.

Intune MAMNetskope Enterprise BrowserConditional Access
AI risk

Visibility and control across every AI tool

Inline DLP on prompts and uploads to Copilot, ChatGPT, Gemini and Claude. Stop privileged drafts being pasted into public models, coach the user, log the attempt.

Netskope Skope AIMicrosoft PurviewCopilot governance
Resilience

Immutable backups for matter management systems

iManage, NetDocuments, SharePoint, Exchange and the practice management database backed up to immutable storage. Tested recovery, not just nightly jobs.

VeeamImmutable storageTested recovery
Posture

Find the data before someone else does

Cyera DSPM maps where sensitive matter content lives across SaaS, file shares and shadow IT. Permissions are tightened before Copilot or any AI tool gets near it.

Cyera DSPMAccess reviewsPermission cleanup
The outcome

A practice that can confidently say privilege is protected.

  • Privilege protected by design, not policy alone
  • Board, partners and clients see a credible posture
  • Contractor and secondee access without device hassle
  • AI productivity without leaking privileged drafts
  • Notifiable Data Breach readiness, documented
  • Cyber insurance answers you can stand behind

Confidentiality, calmly delivered.

We have led security programs in regulated industries before stepping out to build Cornerstone. Senior advice, scoped engagements, no managed-service lock-in.

Common questions

Questions law firms ask before they engage.

Straight answers, no hedging.

Are you familiar with iManage, NetDocuments and Aderant?

Yes. Most of the legal stacks we secure run on Microsoft 365 with iManage or NetDocuments for matters, plus a practice management database. We do not rewrite your stack; we secure the way it actually works.

How do you handle external counsel and secondees?

App protection policies on personal devices, Conditional Access tied to the matter, and Netskope Enterprise Browser for higher-risk profiles. They get access without your team owning the device.

Can we let lawyers use Copilot safely?

Yes, with discipline. Sensitivity labels first, permission cleanup second, DLP coaching third. Then a controlled rollout. We have a defined readiness assessment for legal.

What about lateral hires bringing matter material?

We design a controlled inbound process: matter scoping, sanctioned channels, and DLP on the way in as well as out. Senior counsel signs off, IT enforces.

Is Essential Eight ML2 the right target?

For most mid-sized firms, yes. Government and high-risk corporate clients increasingly require ML2 evidence, and it sits within reach of a typical M365 stack.

Do you work with smaller firms?

Yes. Scoped engagements suit boutique firms as well as national practices. The risk pattern is the same, the implementation scales down sensibly.