Key facts: IT and cybersecurity for Perth law firms

Primary regulation: Privacy Act 1988 (Cth) — applies to firms with $3M+ turnover; penalties up to $50M under 2024 amendments
Notifiable Data Breaches: 30-day notification window to OAIC and affected clients after a qualifying breach
Mandatory ransomware reporting: 72 hours to report payments to the ASD if turnover exceeds $3M (Cyber Security Act 2024)
Legal Profession Uniform Law (WA): Governs client file management, confidentiality, and trust account data handling
Recommended cybersecurity framework: SMB1001 Gold as a starting point; Essential Eight ML1–ML2 for government-facing firms
Practice management systems: LEAP, Actionstep, Smokeball, FilePro — your IT provider needs direct experience with these
Typical IT cost: $100–$150 per user/month fully managed; $180–$220 with cybersecurity controls

Law firms handle some of the most sensitive information in any industry — privileged communications, client financial data, confidential strategy documents, and court-bound materials. That makes IT a compliance issue, not just an operational one. When something goes wrong with IT in a legal practice, the consequences go beyond downtime — they can affect client privilege, professional obligations, and your firm’s reputation.

This guide covers what Perth law firms specifically need from their IT support provider in 2026, what compliance obligations apply, and how to assess whether your current IT setup is actually fit for legal practice.

What makes IT for law firms different

Most businesses need reliable IT. Law firms need reliable IT with specific controls that most general IT providers do not implement by default. The key differences are:

Legal professional privilege. IT systems must be configured so that privileged communications between lawyers and clients cannot be inadvertently disclosed — to other staff, to IT providers, or through insecure systems. This affects how email archiving, document management, access controls, and cloud storage are configured.

Matter-based access control. Not everyone in the firm should be able to access all matters. Junior associates, paralegals, and support staff should only see files relevant to their assigned matters. This requires role-based access policies in your document management system and Microsoft 365 environment — not just folder permissions.

Court deadlines. Downtime is not just a productivity issue for law firms — a system failure that prevents filing by a court deadline has direct consequences for clients. This makes business continuity planning and backup reliability more critical than in most industries.

Remote and mobile access. Barristers and solicitors work across offices, courts, client sites, and from home. Every access point needs to be secured consistently — not just the office network.

Regulatory and compliance obligations for Perth law firms

Key compliance obligations affecting IT

Privacy Act 1988 (Cth) — applies to firms turning over $3M+; governs collection, storage, and disclosure of client personal information. The 2024 amendments increased penalties to up to $50M for serious breaches
Notifiable Data Breaches scheme — requires notification to the OAIC and affected individuals within 30 days of a qualifying data breach
Legal Profession Uniform Law (WA) — obligations around client file management, confidentiality, and trust account handling that have direct IT implications
Law Society of WA guidance — cybersecurity recommendations for WA legal practices, including multi-factor authentication, secure email, and staff training
Trust account obligations — financial data handling requirements that affect how accounting systems are secured and backed up
Mandatory ransomware reporting — firms turning over $3M+ must report ransomware payments to the ASD within 72 hours under the Cyber Security Act 2024

The IT controls Perth law firms need in 2026

Multi-factor authentication — everywhere

MFA on Microsoft 365 alone is not enough. Every system that a fee-earner accesses — practice management software, document management, client portals, accounting systems — needs MFA enforced. A compromised email account is often the entry point for business email compromise attacks, which are particularly devastating for law firms given trust account access and wire transfer instructions.

Conditional Access policies

Conditional Access in Microsoft 365 (available on Business Premium) allows you to define rules about who can access your systems, from which devices, and from which locations. For law firms, this means you can require that access to client files only occurs from managed, compliant devices — blocking personal devices or unknown locations from accessing sensitive matter files.

Practice management system integration and security

Most Perth law firms use LEAP, Actionstep, Smokeball, or similar practice management platforms. Your IT provider needs to understand how these systems integrate with Microsoft 365, where data is stored, how backups work, and how access controls are configured. A generic IT provider who has never managed a legal practice management system will not know to ask these questions.

Email security

Business email compromise targeting law firms typically involves impersonating partners, clients, or counterparties to redirect trust account payments or obtain sensitive documents. Proper email security includes Defender for Office 365, anti-spoofing controls (SPF, DKIM, DMARC), phishing simulation training, and policies around wire transfer and payment instruction verification.

Document management and retention

Client files have retention obligations under the Legal Profession Uniform Law. Your document management system — whether SharePoint, NetDocuments, or a dedicated legal DMS — needs to be configured with retention policies, version history, and access logging. Deleting or losing client files is not just an IT problem; it is a professional conduct issue.

Tested backups with legal-grade recovery

Backups need to include your practice management database, email archives, document management system, and accounting data. They need to be tested — not just monitored — at least quarterly. And recovery time objectives need to be defined: how long can your firm operate if your server goes down the morning of a hearing?

What to look for in an IT provider for your law firm

Capability	Why it matters for law firms
Experience with legal practice management systems	LEAP, Actionstep, Smokeball integration knowledge is essential
Matter-based access control implementation	Generic file permissions are not sufficient for privilege protection
Privacy Act and NDB compliance knowledge	Your IT provider should understand your notification obligations
Business email compromise prevention	Anti-spoofing, phishing simulation, payment verification policies
Tested backup and recovery with defined RTOs	Court deadlines make recovery time critical
Confidentiality obligations for IT staff	Engineers accessing your systems are exposed to privileged information

Frequently asked questions

What cybersecurity framework should Perth law firms follow?: The Law Society of WA recommends implementing controls aligned to the ASD Essential Eight as a cybersecurity baseline. SMB1001 Gold certification provides a broader governance framework including policies, training, and incident response that the Essential Eight alone does not cover. Most Perth law firms benefit from starting with SMB1001 Bronze or Silver and building toward Gold. See our Essential Eight vs SMB1001 comparison for guidance.
Does the Privacy Act apply to my law firm?: If your firm turns over more than $3 million annually, the Privacy Act 1988 applies and you are subject to the Notifiable Data Breaches scheme. The 2024 Privacy Act amendments significantly increased penalties — up to $50 million for serious or repeated breaches. Law firms handling sensitive client personal information are high-risk targets and should treat Privacy Act compliance as a board-level priority. Read our guide to the new Privacy Act obligations.
What practice management systems do you support?: Epic IT has experience with LEAP, Actionstep, Smokeball, and FilePro, as well as integration with Microsoft 365 document management via SharePoint. We understand how these systems handle data, where backups sit, and how to configure access controls that align with matter-level privilege requirements.
How fast should IT support respond for a law firm?: For a firm with court deadlines, any critical system failure needs a response within minutes, not hours. Epic IT answers helpdesk calls in an average of 36 seconds and commits to 15-minute first response for critical issues. We escalate to onsite support when remote resolution is not possible.
How do you protect client privilege when your engineers access our systems?: Our engineers operate under strict confidentiality agreements and access controls. We implement least-privilege access for IT management — engineers see what they need to resolve a specific issue, not your entire matter database. We can also implement privileged access workstations and audit logging so that all IT access to sensitive systems is recorded.

IT support designed for Perth law firms

Epic IT has supported Perth legal practices since 2003. We understand privilege, deadlines, and the compliance obligations that generic IT providers miss.

Book a Free IT Assessment

Or call 1300 EPIC IT (1300 374 248)

IT Support for Perth Law Firms: What Your Practice Actually Needs in 2026

By Greg Markowski / Apr 16, 2026 / Cybersecurity & Compliance