Confidentiality is the product. We make sure it stays that way.
Cybersecurity designed around legal practice: privilege, matter data, contractor access, and the partners who actually move the files.
A breach in legal is a breach of privilege.
Law firms hold the most sensitive data of every client they touch. The risk pattern is consistent, and so is the answer.
Client confidentiality at scale
Every matter file is a regulated obligation. Loss of confidentiality is a Law Society conduct issue, not just an IT problem.
Privilege and M&A data rooms
High-value deals concentrate sensitive material. Privileged communications and deal documents are the first thing an attacker looks for.
Contractor and secondee access
Counsel, paralegals and external experts come and go. Personal devices and unmanaged access points proliferate fast.
Generative AI in legal workflows
Junior staff pasting privileged drafts into public AI tools. The leak you do not see until it surfaces in the next prompt.
Privacy Act, NDB and Law Society practice obligations.
Legal practices sit under the Privacy Act, the Notifiable Data Breaches scheme, court-mandated security for sensitive filings, and Law Society conduct rules that treat client confidentiality as foundational. The Cornerstone program is built to those obligations from day one.
What we map to
The frameworks that matter in legal
- ✓Privacy Act 1988 and the Australian Privacy Principles (APPs)
- ✓Notifiable Data Breaches (NDB) scheme readiness
- ✓Law Society professional conduct rules on client confidentiality
- ✓Essential Eight Maturity Level 2 as a defensible baseline
The pressures landing on practices, in 2025 and 2026.
These are not abstract risks. They are the specific things Australian principals and managing partners are answering for, this year.
A statutory tort for serious invasions of privacy is moving through parliament.
When it lands, privileged client material is squarely in scope. The defence is demonstrable confidentiality controls, not a privacy policy.
The regulator is now pursuing the larger penalty range.
Recent Privacy Act amendments lifted the ceiling, and several Australian firms are in active proceedings. Notifiable Data Breach readiness is no longer paper-thin.
ALRC findings on AI in legal will shape conduct rules.
Junior staff using public AI to draft material is the most-reported emerging risk among Australian firms. Most have no inline guardrails. Yet.
Cyber renewals now audit MFA, immutable backup and contractor access.
Saying you do the right things is no longer enough. Underwriters want evidence before they price, and increasingly before they bind.
Larger firms have publicly notified breaches in the past 18 months.
Each one becomes the template the regulator measures peers against. The bar moves up, quietly, every quarter.
Inbound matter material from new partners is still an unmanaged channel at most firms.
It is also a clear audit and conflicts risk. The fix is procedural and technical, designed once, held over time.
A security program built around how legal practices actually work.
No theory, no generic stack. Six controls, mapped to the way matter files, contractors and partners move.
Phishing-resistant MFA, Conditional Access, no shared logins
Every partner, lawyer and contractor authenticates with phishing-resistant MFA. Conditional Access blocks risky sign-ins; just-in-time elevation for senior accounts via Delinea.
Sensitivity labels, DLP, controlled external sharing
Matter folders auto-labelled. Purview DLP stops privileged content moving to personal email or external services. Netskope inspects every outbound web and SaaS upload.
MAM, Enterprise Browser, no managed device required
Counsel, paralegals and external experts get app-protected access from their own devices. Work data stays in the container; nothing IT does not need to see ever leaves the personal side.
Visibility and control across every AI tool
Inline DLP on prompts and uploads to Copilot, ChatGPT, Gemini and Claude. Stop privileged drafts being pasted into public models, coach the user, log the attempt.
Immutable backups for matter management systems
iManage, NetDocuments, SharePoint, Exchange and the practice management database backed up to immutable storage. Tested recovery, not just nightly jobs.
Find the data before someone else does
Cyera DSPM maps where sensitive matter content lives across SaaS, file shares and shadow IT. Permissions are tightened before Copilot or any AI tool gets near it.
A practice that can confidently say privilege is protected.
- Privilege protected by design, not policy alone
- Board, partners and clients see a credible posture
- Contractor and secondee access without device hassle
- AI productivity without leaking privileged drafts
- Notifiable Data Breach readiness, documented
- Cyber insurance answers you can stand behind
Confidentiality, calmly delivered.
We have led security programs in regulated industries before stepping out to build Cornerstone. Senior advice, scoped engagements, no managed-service lock-in.
Questions law firms ask before they engage.
Straight answers, no hedging.
Are you familiar with iManage, NetDocuments and Aderant?
Yes. Most of the legal stacks we secure run on Microsoft 365 with iManage or NetDocuments for matters, plus a practice management database. We do not rewrite your stack; we secure the way it actually works.
How do you handle external counsel and secondees?
App protection policies on personal devices, Conditional Access tied to the matter, and Netskope Enterprise Browser for higher-risk profiles. They get access without your team owning the device.
Can we let lawyers use Copilot safely?
Yes, with discipline. Sensitivity labels first, permission cleanup second, DLP coaching third. Then a controlled rollout. We have a defined readiness assessment for legal.
What about lateral hires bringing matter material?
We design a controlled inbound process: matter scoping, sanctioned channels, and DLP on the way in as well as out. Senior counsel signs off, IT enforces.
Is Essential Eight ML2 the right target?
For most mid-sized firms, yes. Government and high-risk corporate clients increasingly require ML2 evidence, and it sits within reach of a typical M365 stack.
Do you work with smaller firms?
Yes. Scoped engagements suit boutique firms as well as national practices. The risk pattern is the same, the implementation scales down sensibly.