Closed Files, Open Risks: The 30‑Minute Check Every Australian Law Firm Needs Now
Australia is tightening privacy expectations and cyber resilience for professional services. For law firms, this isn’t just ethics—APP 11 under the Privacy Act 1988 (Cth), the Australian Solicitors’ Conduct Rules, and new peak‑body guidance demand secure digitisation, disciplined retention, and defensible deletion. Here’s what’s changing, why it matters, and exactly what to do this week.
1) The Situation: Confidentiality Under a Spotlight
Client confidentiality is now a board‑level risk. APP 11 requires “reasonable steps” to secure personal information; the Australian Solicitors’ Conduct Rules enshrine a duty of confidentiality; and Notifiable Data Breach (NDB) obligations add time‑critical response duties. Peak bodies are urging firms to modernise digitisation and records governance so “closed” really means closed.
- Why it matters: Insurer questionnaires, client audit clauses, and hybrid work expose weak file controls.
- Bottom line: This is a cyber, data privacy, and operational risk with new compliance expectations—also a trend reshaping client buying criteria.
2) How Gaps Appear Overnight: A Short Story
A mid‑size practice migrates “closed matters” to a new cloud archive. Legacy permissions are copied, retention tags aren’t applied, and public links to “closed matters – general” remain active. A routine phishing event compromises one mailbox. Suddenly, documents that should have been destroyed years ago are exposed.
- Immediate fallout: Urgent NDB assessment, client notifications, insurer engagement, regulator scrutiny.
- Hidden cost: Days of disrupted fee‑earning and reputational stress.
- Avoidable? Yes—with permission hygiene, retention controls, and a simple access check.
3) Do This in 30 Minutes: The Closed‑File Access Check
Fast, focused, and high‑impact
- Locate repositories: DMS, cloud drives, legacy shares, email archives, practice management exports.
- Enforce MFA everywhere: All accounts with access to closed files, including shared mailboxes and admin accounts.
- Revoke stale sharing: Kill public/anonymous links; remove ex‑staff, contractors, and non‑matter groups.
- Validate retention: Compare to your Law Society guidance. Apply retention labels/tags; ensure legal hold exceptions are ready.
- Turn on alerts: Enable anomaly detection, link‑sharing alerts, and audit logs for “closed matters” locations.
Result: A materially lower breach likelihood—and proof you’re taking “reasonable steps” under APP 11.
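As an added example (not from the article, a Law Society, or any DMS vendor), the five checklist steps above turned into a repeatable triage over a constructed sharing-inventory export; column names, the one-year link expiry and every sample row are assumptions, and it also reports the partner metrics named later in the article.

```python
# Added example (not the article's own code): closed-file access check over a
# constructed inventory export. Columns, rows and the 365-day expiry are assumed.
import csv
import io
from datetime import date

# Constructed export: one row per access grant or sharing link on a repository.
INVENTORY_CSV = """repository,matter_status,principal,principal_status,link_type,retention_label,created
dms/closed-matters-general,closed,anyone,n/a,anonymous,,2021-03-02
dms/closed-matters-general,closed,j.smith@firm.example,former,direct,,2020-11-15
dms/closed/M-2019-044,closed,closed-matter-readers,active,group,7y-client-file,2022-06-01
dms/closed/M-2019-044,closed,anyone-in-org,active,org-link,7y-client-file,2022-06-01
share/legacy/2017,closed,contractor@vendor.example,contractor,direct,7y-client-file,2019-09-09
dms/active/M-2024-118,active,anyone-in-org,active,org-link,,2024-05-20
"""

LINK_MAX_AGE_DAYS = 365  # assumed firm policy: organisation links expire after a year


def audit_closed_files(csv_text, today):
    """Return (findings, metrics) for closed-matter repositories only."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    closed = [r for r in rows if r["matter_status"] == "closed"]
    findings = []
    for r in closed:
        age_days = (today - date.fromisoformat(r["created"])).days
        if r["link_type"] == "anonymous":  # public link: revoke regardless of age
            findings.append(("revoke_public_link", r["repository"], r["principal"]))
        elif r["link_type"] == "org-link" and age_days > LINK_MAX_AGE_DAYS:
            findings.append(("expire_old_link", r["repository"], r["principal"]))
        if r["principal_status"] in ("former", "contractor"):  # leavers, vendors
            findings.append(("remove_stale_access", r["repository"], r["principal"]))
    repos = {r["repository"] for r in closed}
    labelled = {r["repository"] for r in closed if r["retention_label"]}
    for repo in sorted(repos - labelled):  # one finding per unlabelled store
        findings.append(("apply_retention_label", repo, ""))
    metrics = {
        "closed_repos": len(repos),
        "pct_with_retention_label": round(100 * len(labelled) / len(repos)) if repos else 0,
        "stale_links_to_revoke": sum(f[0] in ("revoke_public_link", "expire_old_link") for f in findings),
        "stale_principals": sum(f[0] == "remove_stale_access" for f in findings),
    }
    return findings, metrics


def run_sample():
    """Run the check over the constructed export as at an assumed review date."""
    return audit_closed_files(INVENTORY_CSV, date(2025, 1, 15))


if __name__ == "__main__":
    findings, metrics = run_sample()
    for action, repo, principal in findings:
        print(f"{action:22} {repo:30} {principal}")
    print(metrics)
```

Each finding names the repository and principal, so the output doubles as the "findings and owners" record the plan in section 8 asks for.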
4) Retention, Digitisation, and Defensible Deletion
From “keep forever” to “prove why you kept it”
- Follow authoritative guidance: Implement Law Society digitisation and retention recommendations; keep digital records secure until permitted to destroy under Rule 14.
- Automate at matter close: Apply retention categories by matter type and jurisdiction; schedule defensible deletion with auditable logs.
- Respect client preferences: Document client instructions on retention or destruction and honour them unless legal obligations override.
- Preserve what you must: Use legal holds to pause deletion for litigation, investigations, or statutory requirements.
Principle: If you can’t explain why you’re retaining it—and for how long—you probably shouldn’t be.
5) Permission Hygiene for Hybrid Teams
Least privilege, by design
- Design access by role, not person: Use groups; avoid ad‑hoc individual permissions.
- Break inheritance for “closed” libraries: Separate access from active matters; require matter‑owner approval.
- Kill dormant pathways: Remove “general” libraries; block external sharing; expire links automatically.
- Control remote access: Enforce device compliance and conditional access for WFH; review contractor access monthly.
- Test regularly: Quarterly permission recertification for all closed‑matter stores.
Tip: Add a short “Access Control Standard” to your policy suite that mandates MFA, recertification cadence, and logging requirements.
6) Make It Stick: Documentation, Change, and a Single Source of Truth
Document your business or get out
- Single source of truth (SSOT): One living repository for policies, SOPs, and checklists—linked inside your DMS and practice management system.
- Remote workers win when instructions are clear: Publish step‑by‑step SOPs for closing a matter, applying retention, and destroying records.
- Govern change: Use a change calendar, owner sign‑offs, and post‑implementation checks whenever you migrate or re‑permission content.
- Prove compliance: Keep decision logs for retention, holds, and deletions; store NDB playbooks and incident run‑sheets.
What breaks systems isn’t technology—it’s undocumented exceptions.
7) Strategy: Turn Compliance Into a Client and Insurer Advantage
From checkbox to differentiator
- Client audits: Map your controls to APP 11 and ASCR confidentiality; share a one‑page control summary and evidence pack.
- Insurer confidence: Answer questionnaires with concrete controls (MFA coverage %, quarterly recertification, time‑to‑remove leavers).
- Data minimisation matters: Balance identity/age verification requirements with least‑data collection; store only what you must, for as long as you must.
- Metrics to report to partners: % closed‑file repositories with active retention labels; # stale links revoked; time‑to‑close incidents; deletions executed vs scheduled.
8) Your Next Week: A Practical Plan
- Today (30 minutes): Run the closed‑file access check; record findings and owners.
- This week: Apply retention labels to closed libraries; disable anonymous links; enforce MFA; brief partners on APP 11 exposure.
- This month: Approve an Access Control Standard; implement quarterly permission recertification; enable legal holds; test the NDB playbook with a tabletop.
- 90 days: Complete defensible deletion of out‑of‑retention files; publish SSOT SOPs for matter closure and deletion; evidence controls for insurers and top clients.
Final thought: Confidentiality isn’t just a value—it’s a system. Build the system, document it, and test it before attackers test it for you.
Related Links:
- NSW Law Society: Digitisation Guidance
- How law firms protect your data and confidentiality
- LPLC: Best practice for retaining and deleting electronic files