IronSights


Cyber security for Australian family lawyers.

Family law files contain the most sensitive personal information in any professional context. A breach involving this material will almost always meet the threshold for mandatory NDB notification. The clients who provided it are often already in vulnerable circumstances.

IronSights helps family law practices protect client information, plan for breach notification, and demonstrate compliance with their Privacy Act and Legal Profession obligations. ISO 27001 certified, Sydney-based.

Threat context

Why family law practices face distinct risk.

Family law practices share the general cyber security exposure of any law firm: credential theft, ransomware, business email compromise and inadequate Microsoft 365 configuration. But the nature of what a family law practice holds creates a distinct dimension to that exposure. These files contain information that is not just sensitive but that in the wrong hands has direct consequences for the safety and welfare of individuals who are often already in crisis.

Family violence disclosures, children's arrangements including the addresses of protected parties, financial affidavits, mental health assessments, school reports, and documents tendered as exhibits in Federal Circuit and Family Court proceedings are all routinely present in a family law file. Each of these, considered individually, would meet the NDB serious harm threshold if accessed without authorisation. In combination, the serious harm assessment is straightforward.

Family law practices also carry a specific risk that most commercial practices do not: the opposing party in an active contested matter may have a direct motivation to access a client's file. The OAIC has received complaints involving family law matters where the concern was targeted access by an opposing party rather than a criminal group seeking data for sale. Social engineering of administrative staff, phishing attempts directed at the firm, and attempts to compromise a client's own email account are all relevant threat vectors in a family law context.

The practical consequence of all of this is that a family law practice needs to treat its file access controls, its breach notification planning, and its staff training differently from a commercial law firm handling similarly sized client lists. The information is different in kind, not just in quantity.

Common risks

What we find when we work with family law practices.

Files containing family violence disclosures

A family law file may contain police incident reports, AVO applications, statements from protected persons and details of safety arrangements for children and primary carers. If any of this information reaches an opposing party, the consequences can extend well beyond a privacy breach. The NDB serious harm threshold is met in every scenario where this material is accessed without authorisation. The assessment does not require proof of harm, only a reasonable conclusion that serious harm is likely.

Targeted access by opposing parties

Contested custody and property matters create adversarial dynamics that do not end at the courtroom door. Opposing parties and their associates occasionally attempt to access family law files through social engineering, phishing attacks on firm staff, or attempts to compromise client accounts. The motivation is specific: financial affidavits, correspondence about settlement positions, and documents related to parenting arrangements. Internal access controls that limit file visibility to staff working on each matter reduce the exposure from any single compromised account.

Broad sharing of sensitive exhibits

Family law matters frequently involve medical records, school reports, mental health assessments and documents from FACS or equivalent state agencies tendered as exhibits. These documents are provided by third parties in a professional capacity and may have their own handling obligations. When they are uploaded to shared SharePoint folders with broad access, the information is held in an environment that does not reflect the sensitivity of what it contains.

No NDB response plan

Most family law practices do not have a tested data breach response plan that accounts for the specific constraints of family law: protected parties, suppression orders, parenting plan details, and clients in crisis. Under pressure after a breach is the wrong time to develop that plan. The plan should be written, tested and known to the person who will need to act on it.

Credential-based access to years of closed files

Matter management systems used in family law practices retain closed files for years. A compromised staff credential provides access not only to open matters but to the complete history of every concluded matter that staff member could see. For a long-serving employee, that can represent years of highly sensitive client records from resolved proceedings.

How we help

Services for family law practices.

The security posture a family law practice needs is calibrated to the sensitivity of what it holds. We help you get there and demonstrate it to the people who will ask.

Compliance

Regulatory obligations for family law practices.

Privacy Act

APP obligations and the NDB serious harm threshold

Family law practices with annual turnover above $3 million are covered entities under the Privacy Act and the Australian Privacy Principles. The NDB scheme requires notification when a breach is likely to result in serious harm. For family law files, that threshold is almost always met. The information held (family violence disclosures, children's arrangements, financial affidavits and medical records) is among the most sensitive personal information in any professional context.

Legal Profession

Confidentiality and the Uniform Law

The Legal Profession Uniform Law in NSW and Victoria imposes ongoing obligations on practitioners to protect client confidentiality. A cyber failure that exposes family law files, including correspondence between solicitors or documents filed in Federal Circuit and Family Court proceedings, may constitute unsatisfactory professional conduct before the Legal Profession Conduct Commissioner. The Law Societies in NSW and Victoria have both published cyber guidance citing the Essential Eight as the relevant baseline.

Court Orders

Suppression orders and handling obligations

Family law proceedings routinely produce orders restricting the publication of identifying information about parties and children. Files subject to suppression orders require handling controls that go beyond standard information security. If a breach results in the publication of information subject to a court order, the consequence may be contempt in addition to the breach notification and disciplinary matters.

Common questions

Asked by family lawyers like you.

Not in this list? Call us on 1300 004 766 or book a 30-minute consultation. No obligation.

  1. Does a family law breach always trigger NDB notification obligations?

    Not automatically, but the threshold is much lower than most practitioners expect. The NDB scheme requires notification when a breach is likely to result in serious harm to one or more affected individuals. Family law files routinely contain family violence disclosures, children's arrangements including address details for protected parties, financial affidavits with full income and asset positions, medical records tendered as exhibits, and documents related to debt, insolvency or criminal history. A reasonable assessment of whether that information in the hands of an unauthorised party creates serious harm risk will almost always reach the same conclusion. The assessment must be made promptly once a breach is known or suspected.

  2. Can client confidentiality obligations prevent proper disclosure after a breach?

    This tension arises in practice. The Privacy Act and the NDB scheme create obligations to notify the OAIC and affected individuals. Legal professional privilege does not override those obligations. But what can be disclosed about a breach in a family law context is genuinely constrained by confidentiality: the substance of client communications, the identity of protected parties, children's information, and information subject to court suppression orders each have their own limits. The practical question is what can be said to the affected client, and in what terms, without exposing other parties or breaching the orders in the matter. We can help structure the breach response and notification in a way that accounts for these constraints.

  3. Are family law practices targeted specifically, or is it general legal sector exposure?

    Both apply. The general legal sector threats (credential theft affecting LEAP and PracticeEvolve, phishing campaigns using court notification and DocuSign lures, ransomware, and business email compromise) all affect family law practices in the same way they affect any law firm. But family law also has a specific threat vector that commercial practices generally do not: an opposing party in a contested custody or property matter may have both the motivation and the technical means to seek access to a family law file, either directly or through a third party. This is not hypothetical. The OAIC has received complaints involving family law matters where the concern was targeted access by an opposing party rather than a criminal group. Security controls that limit who can read which files within the practice are particularly relevant here.

  4. What does role-based access control mean in practice for a family law firm?

    It means that a staff member working on File A cannot see File B unless they have a reason to. In most family law practices, internal access controls are not configured at the file level. A paralegal working on one matter can open files for matters they have no role in, simply because shared folders have broad internal permissions. When an account is compromised, the attacker sees everything that account holder can see, which in an uncontrolled environment is the full client file list and every document within it. Configuring SharePoint folder permissions and Microsoft Purview sensitivity labels restricts this access without requiring staff to make manual decisions on each file.

  5. What happens in the period between a breach and NDB notification?

    The NDB scheme requires the assessment to be made as soon as practicable after the breach is known or suspected. If the assessment concludes that serious harm is likely, notification must follow promptly. In practice, the period between discovery and notification involves several simultaneous workstreams: containing the breach, assessing what was accessed, identifying affected individuals, drafting notifications, and notifying the PI insurer. For a family law practice, the notification to affected clients requires particular care given the sensitivity of the information and the potential for notifications to reach individuals in protected or vulnerable situations. We assist with breach response planning and, when an event occurs, with managing that process.
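The point made in question 4, and in the risk note on credential-based access to closed files above, is about blast radius: what one compromised account can read depends on how permissions are granted. The following is an added illustration, not IronSights' tooling and not connected to any real matter management system. The matter numbers, staff names, document counts and role assignments are constructed placeholders. It models a small practice under two permission schemes, a per-matter grant to the people with a role on the matter and a single broad shared folder, computes what a compromised account exposes under each (with closed matters counted separately, since they remain reachable for years), and flags grants to accounts that have no role on a matter, which is the condition an auditor would look for in a real permissions export.

```python
"""
Matter-level access model (added illustration, not IronSights' code).
All data below is constructed: the matter numbers, staff accounts,
document counts and role assignments are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Matter:
    number: str          # constructed placeholder, e.g. "FAM-0001"
    status: str          # "open" or "closed"
    docs: int            # number of documents on the file
    roles: frozenset     # staff accounts with a role on the matter


# Constructed sample practice: four matters, four staff accounts.
MATTERS = [
    Matter("FAM-0001", "open",   40, frozenset({"solicitor.a", "paralegal.x"})),
    Matter("FAM-0002", "open",   25, frozenset({"solicitor.b", "paralegal.x"})),
    Matter("FAM-0003", "closed", 60, frozenset({"solicitor.a"})),
    Matter("FAM-0004", "closed", 35, frozenset({"solicitor.b", "paralegal.y"})),
]
STAFF = sorted({account for m in MATTERS for account in m.roles})


def per_matter_acl(matters):
    """Least-privilege scheme: a matter is readable only by staff with a role on it."""
    return {m.number: set(m.roles) for m in matters}


def broad_shared_acl(matters, staff):
    """Uncontrolled scheme: one shared folder, every staff account reads every matter."""
    return {m.number: set(staff) for m in matters}


def exposure(acl, matters, account):
    """Blast radius of one compromised account under a given ACL: the matters it
    can read and the document counts, split into open and closed files so the
    long tail of concluded matters is visible."""
    readable = [m for m in matters if account in acl[m.number]]
    return {
        "matters": sorted(m.number for m in readable),
        "open_docs": sum(m.docs for m in readable if m.status == "open"),
        "closed_docs": sum(m.docs for m in readable if m.status == "closed"),
    }


def over_privileged(acl, matters):
    """Audit check: every (matter, account) grant where the account has no role
    on that matter. An empty list means the ACL matches the role assignments."""
    findings = []
    for m in matters:
        for account in sorted(acl[m.number] - m.roles):
            findings.append((m.number, account))
    return findings


if __name__ == "__main__":
    scoped = per_matter_acl(MATTERS)
    broad = broad_shared_acl(MATTERS, STAFF)
    for account in STAFF:
        print(account)
        print("  per-matter :", exposure(scoped, MATTERS, account))
        print("  broad share:", exposure(broad, MATTERS, account))
    print("over-privileged grants (broad share):", len(over_privileged(broad, MATTERS)))
```

Run against a real export, the two functions to keep are `exposure` and `over_privileged`: the first answers "what does this credential reach" for incident scoping, the second lists the grants to remove. The sample shows the gap the question describes: a paralegal on two open matters reads 65 documents under the per-matter scheme and 160, including 95 from closed files they never worked on, under the shared-folder scheme.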

Start with a review

A structured security review tells you exactly where your practice stands.

We assess your Microsoft 365 environment, file access controls, breach notification readiness and alignment with your Privacy Act and Legal Profession obligations. The output accounts for the specific nature of family law information.

ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified security engineers. Australian-owned. Sydney-based.