What do LIV IT compliance requirements actually mean in practice? A plain-English guide to the IT controls Victorian law firms need to demonstrate.
“LIV IT compliance” is a phrase that gets used frequently in conversations with Melbourne law firms, but rarely with precision. Partners and practice managers know there are obligations — they’ve seen the LIV’s cybersecurity guidance documents, their PI insurer has asked pointed questions at renewal time, and there may have been a trust account audit question that touched on technology.
What’s less clear is exactly what the obligations are, which ones have legal teeth, and what an IT environment that satisfies them actually looks like.
This article provides a plain-English answer to those questions, specifically for Victorian law firms regulated by the LIV.
The Legal Framework
Legal Profession Uniform Law (LPUL)
The Legal Profession Uniform Law, in force in Victoria since 2015, is the primary legislative instrument governing legal practice in the state. It establishes obligations around:
- Trust account management: Protection, record-keeping, and audit trail requirements for trust funds
- Client confidentiality: Obligations to protect client information from unauthorised disclosure
- Practice management: Requirements for competent management of a legal practice, which courts and the LIV have interpreted to include technology risk management
There is no section of the LPUL that says “install endpoint detection and response software.” The IT obligations are expressed as outcomes — protect trust funds, maintain confidentiality, manage practice risks — and firms must determine what technology controls satisfy those outcomes.
Privacy Act 1988
Victorian law firms handling personal information (which is all of them) are subject to the Privacy Act 1988 and the Australian Privacy Principles (APPs). Relevant obligations include:
- APP 11: Taking reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure
- Notifiable Data Breaches (NDB) scheme: Mandatory notification to the OAIC and affected individuals if a data breach is likely to result in serious harm
A law firm that suffers a ransomware attack encrypting client files, or a BEC attack disclosing client communications, is likely to have NDB obligations. The notification timeline is 30 days from becoming aware of the breach.
LIV Cybersecurity Guidance
The LIV has published cybersecurity guidance referencing the ACSC Essential Eight as a recommended baseline for Victorian law firms. This guidance is not legislation — it cannot result in direct disciplinary action on its own. However:
- LIV trust account auditors reference it when asking about IT controls
- The LIV’s professional standards committee references it in investigations involving technology-related breaches
- Professional indemnity insurers use it as a benchmark for their questions about law firm cybersecurity
Treating the LIV’s Essential Eight guidance as advisory is technically correct but practically unwise.
What the Essential Eight Means for Law Firms
The ACSC Essential Eight is a prioritised set of mitigation strategies. At Maturity Level 1 (ML1) — the baseline most Melbourne law firms should target — the practical requirements are:
1. Application Control
Only approved software can run on workstations. At ML1, this means you have a defined list of approved applications and a mechanism to prevent unapproved software from executing. In practice, this is most commonly implemented via Windows Defender Application Control or a managed endpoint security product.
For most law firms, the practical implication is that trust account workstations and file servers should have application control configured. General user workstations at ML1 can be addressed through endpoint security and monitoring rather than strict allowlisting.
2. Patch Applications
Critical patches to internet-facing applications (browsers, email clients, PDF readers, Office) applied within 48 hours. Non-critical patches within two weeks. This requires a managed patching process — not manual Windows Update — because it needs to be consistent, logged, and demonstrable.
3. Configure Microsoft Office Macro Settings
Macros from the internet are blocked. Only macros from trusted locations or digitally signed by a trusted publisher can run. Most law firms can achieve this via Microsoft 365 policy without disrupting any legitimate workflows — legal practice doesn’t require arbitrary internet macros.
4. User Application Hardening
Disable or configure browser settings, plug-ins, and features that present attack surface. At ML1 this means blocking Java, Flash (now defunct), and disabling unnecessary browser extensions. This is largely a one-time configuration exercise.
5. Restrict Administrative Privileges
Staff accounts used for daily work should not have local administrator rights. IT management tasks should be performed from a separate administrative account that is used only for administration and never for email or web browsing.
This is one of the most impactful controls for Melbourne law firms and one of the most commonly misconfigured. Many firms have staff running as local administrators because it was convenient when the machine was set up. This single misconfiguration enables most malware to install and persist without any user interaction beyond opening an email attachment.
6. Patch Operating Systems
Windows, macOS, and server operating systems on supported and current versions, with security patches applied within two weeks. End-of-life operating systems (Windows 10, which reaches end of life in October 2025) should be on an upgrade roadmap.
7. Multi-Factor Authentication
MFA required for all internet-facing services — at minimum, Microsoft 365 email and remote access. At ML1, any MFA method (authenticator app, SMS) is acceptable. At ML2, phishing-resistant MFA (FIDO2, Windows Hello) is required.
MFA is the single control that has the highest impact on account compromise. A law firm with MFA enforced on Microsoft 365 is dramatically harder to attack via credential theft than one without it.
8. Regular Backups
Three copies of data, on two different media types, with one off-site. Backups encrypted, tested for restoration, and retained for the required period. The “three copies” model in practice typically means: the live data, a local backup (NAS or on-premises server), and a cloud backup (Azure Backup, Veeam Cloud Connect, or similar).
For trust account data specifically, the seven-year LPUL record-keeping requirement applies — backup retention needs to be configured to match.
The PI Insurance Angle
Professional indemnity insurers for law firms are now asking detailed IT questions at renewal — and the questions have real consequences. Firms that cannot demonstrate basic controls are seeing premium increases, coverage restrictions, and in some cases, difficulty obtaining cover at all.
The questions typically mirror the Essential Eight and add BEC-specific items:
- Do you have MFA on email and remote access?
- Is your operating system current and patched?
- Do you have endpoint security (EDR or managed antivirus) on all devices?
- What email authentication controls (DMARC, SPF, DKIM) do you have?
- Do you have a documented incident response procedure?
- When was your backup last tested?
The firms that answer these questions confidently and with documented evidence get better outcomes at renewal than those who say “I think so” or “I’d need to check with our IT person.”
Cyber Insurance
Cyber insurance for law firms is a separate policy from PI insurance and covers different loss categories — direct costs of a cyber incident (forensic investigation, notification, ransom, data recovery) rather than the professional liability claim that might follow.
Cyber insurance underwriters have become significantly more prescriptive about security requirements since 2021. Most Melbourne law firm cyber insurance applications now require:
- MFA on email and remote access (often a coverage condition, not just a question)
- EDR or managed endpoint security on all devices
- Backup separated from the production network
- Documented incident response procedure
- Email authentication (DMARC, SPF, DKIM)
A law firm that cannot meet these requirements will struggle to obtain cyber coverage, or will obtain it with exclusions that significantly reduce its value.
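The email authentication item appears in both the PI insurer questions and the cyber insurance requirements above. As an added example (not code from this article or from CX IT Services), the following offline check evaluates a domain's SPF, DKIM and DMARC TXT records against what an underwriter is really asking: is each record present, and is it enforcing rather than monitoring? The records are assumed to be supplied as strings from a TXT lookup; the sample records, the `selector1` DKIM selector and the `example.invalid` reporting address are all constructed.

```python
"""Offline check of a domain's SPF, DKIM and DMARC TXT records, passed in
as strings from a TXT lookup. All sample records below are constructed."""
import re
# Constructed sample: SPF softfail, one DKIM selector, DMARC in monitor mode.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com ~all",
    "dkim": {"selector1": "v=DKIM1; k=rsa; p=CONSTRUCTED_BASE64_KEY"},
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
}
# Constructed sample: the same domain after remediation.
STRONG = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dkim": {"selector1": "v=DKIM1; k=rsa; p=CONSTRUCTED_BASE64_KEY"},
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid",
}

def parse_tags(record: str) -> dict:
    """Split a 'k=v; k2=v2' style record (DMARC, DKIM) into a dict."""
    return {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in record.split(";") if "=" in p)}

def check_email_auth(records: dict) -> list:
    """Return findings; an empty list means all three controls are enforcing."""
    findings = []
    spf = records.get("spf", "")
    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no record published")
    else:
        # The qualifier on the trailing 'all' decides what unlisted senders get.
        m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf)
        qualifier = m.group(1) if m else None
        if qualifier in (None, "", "+", "?"):
            findings.append("SPF: 'all' missing or permissive; spoofed mail passes")
        elif qualifier == "~":
            findings.append("SPF: softfail (~all); use -all once DMARC is enforced")
    if not any(parse_tags(r).get("p") for r in records.get("dkim", {}).values()):
        findings.append("DKIM: no selector with a public key published")
    tags = parse_tags(records.get("dmarc", ""))
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: no record published")
    else:
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif int(tags.get("pct", "100")) < 100:
            findings.append("DMARC: pct below 100, policy only partially applied")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, aggregate reports not collected")
    return findings
```

Run it against the two samples: the weak configuration produces two findings (softfail SPF and a monitor-only DMARC), the remediated one produces none.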
What “Compliance” Actually Looks Like
For most Melbourne law firms — say, 5 to 30 staff, running LEAP or Smokeball on a Microsoft 365 environment — the gap between current state and LIV-compliant IT is not typically about missing controls. It’s about:
Configuration: MFA is available in Microsoft 365 but not enforced on all accounts. Audit logging is enabled but retention isn’t configured. Backups run but restores have never been tested. Macros aren’t blocked by policy.
Documentation: The controls that are in place can’t be demonstrated to an auditor because there’s no record of them. “We think we do that” is not an auditable answer.
Consistency: Patching happens for most machines, most of the time, but there are a few devices that haven’t been updated in a year. One staff member is still running Windows 10 on a laptop that never got upgraded.
A structured assessment of your environment — mapping current controls against Essential Eight ML1 requirements — will typically identify a remediation list that can be addressed in a few weeks of focused effort.
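The mapping exercise just described, applied to the thresholds the Essential Eight section above lists (no end-of-life OS, OS patches within two weeks, critical application patches within 48 hours, no local admin for daily-use accounts, MFA enforced), as an added example that is not code from this article or from CX IT Services. The inventory rows are constructed; in practice the same fields would be exported from the firm's RMM or Microsoft 365 tenant, and the `*_pending` dates are assumed to hold the release date of the oldest critical patch not yet installed.

```python
"""Map a device inventory against the ML1 thresholds this article lists:
no end-of-life OS, OS patches within two weeks, critical application
patches within 48 hours, no local admin for daily-use accounts, MFA
enforced. The inventory rows are constructed for illustration; in
practice they would be exported from the firm's RMM or Intune tenant."""
from datetime import date, timedelta

TODAY = date(2025, 11, 3)          # fixed reference date so results are reproducible
EOL_OS = {"Windows 10"}            # end-of-life at the reference date (see article)
OS_PATCH_WINDOW = timedelta(weeks=2)
CRITICAL_APP_WINDOW = timedelta(hours=48)

# Constructed inventory. The *_pending fields hold the release date of the
# oldest critical patch not yet installed, or None when fully patched.
INVENTORY = [
    {"host": "TRUST-PC01", "os": "Windows 11", "os_pending": None,
     "app_pending": date(2025, 11, 2), "daily_user_is_admin": False, "mfa": True},
    {"host": "LAPTOP-JS", "os": "Windows 10", "os_pending": date(2024, 9, 14),
     "app_pending": date(2024, 9, 14), "daily_user_is_admin": True, "mfa": True},
    {"host": "RECEPTION", "os": "Windows 11", "os_pending": date(2025, 10, 28),
     "app_pending": None, "daily_user_is_admin": False, "mfa": False},
]

def overdue(released, window, today):
    """True when a pending patch has been outstanding longer than the window."""
    return released is not None and today - released > window

def assess_device(d: dict, today: date = TODAY) -> list:
    """Return the ML1 gaps for one device as short finding strings."""
    gaps = []
    if d["os"] in EOL_OS:
        gaps.append("Patch OS: end-of-life operating system, needs upgrade roadmap")
    if overdue(d["os_pending"], OS_PATCH_WINDOW, today):
        gaps.append("Patch OS: security patch outstanding for more than two weeks")
    if overdue(d["app_pending"], CRITICAL_APP_WINDOW, today):
        gaps.append("Patch apps: critical application patch outstanding beyond 48 hours")
    if d["daily_user_is_admin"]:
        gaps.append("Restrict admin: daily-use account holds local administrator rights")
    if not d["mfa"]:
        gaps.append("MFA: not enforced for this user's Microsoft 365 sign-in")
    return gaps

def remediation_list(inventory: list, today: date = TODAY) -> dict:
    """Hostname -> gaps for every device with at least one gap. Re-run after
    each patch cycle and keep the output as the auditable record."""
    return {d["host"]: g for d in inventory if (g := assess_device(d, today))}
```

On the constructed inventory the trust account workstation is clean, the forgotten Windows 10 laptop collects four gaps, and the reception PC's only gap is the missing MFA enforcement, which is the shape of remediation list the paragraph above describes.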
CX IT Services provides LIV compliance IT assessments and Essential Eight gap analysis for Melbourne law firms, with documentation suitable for LIV auditors and PI/cyber insurance applications. Visit our IT support for law firms hub to see how compliance documentation fits into our full managed IT service, or learn more about our cybersecurity for law firms controls. Book a Right Fit Call to discuss your firm’s current position.