Staying Cyber Safe: Practical Cyber Security Tips for Law Firms
| What area(s) of law does this episode consider? | Cybersecurity; current risks and trends, best practices and preventative measures, and cyber incident response. |
| Why is this topic relevant? | Law firms (both large and small) are increasingly reliant on technology to manage sensitive client information, which makes them prime targets for cybercriminals as other traditionally attractive targets like banks harden their security posture. Effective strategies to secure data, streamline processes and maintain compliance are no longer optional; they’re essential to building trust and protecting a firm’s reputation. |
| What are the main points? | |
| What are the practical takeaways? | |
| Show notes | Clyde & Co, Under the Hood, White Paper Report, 2024 |
DT = David Turner; SS = Santana Stallberg
| 00:00:00 | DT: | Hello and welcome to Hearsay the Legal Podcast, a CPD podcast that allows Australian lawyers to earn their CPD points on the go and at a time that suits them. I’m your host, David Turner. Hearsay the Legal Podcast is proudly supported by Lext Australia. Lext’s mission is to improve user experiences in the law and legal services and Hearsay the Legal Podcast is how we’re improving the experience of CPD. In today’s episode of Hearsay, we’re going to be exploring the intersection of legal practice and technology with a focus on cybersecurity, eDiscovery and workflow optimization, and we’re going to talk about how all these topics interact with one another as well. Law firms (both large and small) are increasingly reliant on technology to manage sensitive client information, which makes them prime targets for cybercriminals as other traditionally attractive targets like banks harden their security posture. Effective strategies to secure data, streamline processes and maintain compliance are no longer optional; they’re essential to building trust and protecting a firm’s reputation. Our guest today is Santana Stallberg, founder of Legal Tech Consulting Inc. Santana is an entrepreneur, ISO Lead Auditor and eDiscovery Specialist. Through Legal Tech Consulting Inc., she provides solutions to help law firms and legal businesses with services ranging from eDiscovery, information security consultations, workflow optimization and litigation support and legal document preparation and business development. Santana has hands-on legal-tech expertise and supports firms of all sizes in adapting to the fast-changing legal and cybersecurity landscape. Santana, welcome to Hearsay. |
| 00:01:47 | SS: | Thank you for having me. |
| 00:01:48 | DT: | Now, I’m excited to talk about this, and talk about what we were talking about just before we started recording, which is how eDiscovery and cybersecurity interact, because it’s not an obvious connection, but when you explain it to me, it makes so much sense. But before we do that, tell me a bit about how you came to start Legal Tech Consulting. |
| 00:02:02 | SS: | Yeah, so I have previous experience working in law firms, both small, medium and large law firms, and I needed a little bit of a switch from just working, doing eDiscovery and legal assistance work. And so I decided to apply for a job in cybersecurity. Got it – ended up working with a cybersecurity firm, but I realised very quickly that my niche is still in law firms, and so what I did was actually intersect the two and started my own consulting firm where I was able to use my expertise in law firms, understanding the workflows, how things are secured, the data that it holds, and then apply the cybersecurity principles to helping firms be more secure, especially in today’s generation where everything is under attack all of the time. And so that’s how it started, and I’m really happy that I was able to branch out to both tech companies, law firms, and really focusing on, kind of, small-to-medium firms where cybersecurity’s not a main topic or a main concern, but something that’s absolutely essential. |
| 00:03:02 | DT: | Yeah. And we’re gonna talk about a bit later what it looks like for smaller firms to start to think about this a little bit more, maybe beyond just insurance and what a proportionate kind of implementation looks like. But before we get there, as we said at the top of the episode, you do both eDiscovery and cybersecurity consulting, and when I first heard that, I was like, “oh, separate service lines,” like completely separate. But before the show, you were explaining how they’re actually a lot more closely related than you would think. Can you just explain that for our listeners? |
| 00:03:29 | SS: | Yeah, absolutely. So, litigation support services and eDiscovery is the majority of where your documents are stored and where they lie. Confidential client information is there, information, for example, about mergers & acquisitions, all of your main evidence that’s important to a case lies in your litigation support or your eDiscovery services. And the reality of it is, that’s the target. So your data is the target, and a lot of the time, firms will consider your main document management system, your email management system, remote access and your mobile management system services under their scope of cybersecurity. But they forget that litigation support services and eDiscovery are just as critical in regards to targets of cyber criminals. And so, because I have the expertise at actually working in eDiscovery, I know the ins and outs of potential risks associated with those systems, as well as the integrity, which I don’t think people consider as part of cybersecurity, but it is a main factor when you’re looking at that. All ISO standards revolve around risk-based assessments and looking at the CIA, which is confidentiality, integrity, and availability. So we’re looking at protecting all of those, making sure the data remains confidential, making sure it stays intact, and making sure that it’s available when needed. All things that are threats, for cyber criminals, that’s where they wanna attack, that’s how they do it. And so people don’t consider the fact that the data stored in eDiscovery systems is, if not more likely, the area that cyber criminals will actually attack. |
| 00:04:58 | DT: | Yeah, and it’s not obvious, I guess, because your kind of first, heuristic-based thought is, “okay, well what’s the data that I need to protect? It’s my client’s data, right? It’s like personal information in my practice management system, it’s information about the work that I’ve done for them, their personal financial affairs…” And because eDiscovery material, whether it’s transactional and it’s, you know, due diligence disclosed by the other side, or it’s litigious and it’s subpoena or discovery material because it’s produced by someone else who’s not your client, I guess you don’t think, “that’s the stuff I have to be protecting.” But not only do we have obligations to keep that material confidential, generally we are also under undertakings when it comes to material produced under subpoena or in discovery, it’s an attractive target for cyber criminals, but it’s also data that we have really specific obligations about keeping secure over the top of that general confidentiality obligation. |
| 00:05:46 | SS: | Yeah, exactly. Think about going into a case and finding out that the data was actually altered and you have no idea because you didn’t potentially secure that area when you thought about cybersecurity. It’s something that we have seen. |
| 00:05:57 | DT: | That’s a really good point actually. It’s not just exfiltration, is it? It’s also, yeah – the integrity of that data. I mean, if for no other reason than this self-interested reason, imagine going into your eDiscovery system to review discovery material and finding that three quarters of it is gone. That could be extremely harmful to your client’s case. So yeah – very interesting connection – and makes sense that you provide those services side by side. At the top of the episode, you mentioned that smaller firms don’t often think about cybersecurity as a priority. I think there is a perception that, “well, we have legal technology vendors to manage this. I’ve got a practice management system, I’ve got a document management system. They make all kinds of promises to me about the security and integrity of those systems. I use off the shelf integrations between those tools. I’m not a target, and if I am, isn’t it the responsibility of the vendors who supply me that these tools are secure and that my data is secure? Like why should I be looking after this as a personal, first-party risk of my firm?” |
| 00:06:56 | SS: | Yeah. So honestly, small to medium firms are actually targeted more. Cyber criminals know that it’s not top of mind. And the thing is, most of the time, small firms to medium firms will pay the ransomware requests because they want their data back, they want their information, they wanna move on. The reality of it is though, some of those payments will deplete a firm that size. And so the fact that they’re not considering it is the reason why they’re targeted. TIP: Santana has just mentioned that small to medium firms actually tend to be targeted more often, and this is supported in the data around cyber attacks in Australia. A 2024 Australian report called ‘Under the Hood’, published by Clyde & Co, looked at 100 real cyber incidents that happened over about a 15-month period. And what really stood out was where those incidents landed. Using the ATO’s definitions of small and medium businesses, the report found that around 93% of business email compromise incidents, and about 96% of ransomware incidents, affected small to medium organisations. So, overwhelmingly, this isn’t a “big firm only” problem. Professional services, including law firms, were among the most affected sectors, particularly when it came to business email compromise. That’s likely because of the sensitive data that fills our inboxes: personal client information, financial details, settlement timelines, and instructions that often need to move quickly. From a cyber criminal’s perspective, these inboxes can be real gold mines. The report also challenges the idea that attackers are always carefully choosing their targets. While large organisations do attract attention, many threat actors are opportunistic. They scan for weaknesses and see what they can get access to. Smaller firms often have fewer resources, less time to spend on cyber security, and lower overall cyber maturity, which can make them easier entry points. And then there’s the uncomfortable reality around ransom payments. The report notes that smaller organisations are more likely to pay, often because they just want their data back and need to keep operating. But for a small or mid-sized firm, even a single ransomware payment can be enough to cause serious financial strain. All of this sits in a broader Australian context. As Clyde & Co notes in the report, we are a country of small businesses; more than 90% of Australian businesses turn over less than $2 million a year. The report describes this as a genuine “small business problem” for cyber security, driven less by apathy and more by limited time, resources, and access to support. We always say in the cybersecurity world, “it’s a matter of when, and not if.” You’re honestly always a potential target, no matter the size of the firm. Just because you’re a larger firm doesn’t mean that you’re going to get attacked less or more. Essentially, the reality of it is smaller firms, because cyber criminals know that they don’t have anything in place, makes them easy targets, actually. |
| 00:09:31 | DT: | It’s a bit like anti-money laundering. |
| 00:09:33 | SS: | Exactly. |
| 00:09:33 | DT: | I mean, I think that’s a more obvious threat and one that’s a little more front of mind for small firms because there’s the threat of sanction – we’ve got new rules coming in in the middle of next year – but it is the smaller firms that are more likely to be targeted because they’re less likely to have the kind of rigorous controls in place and are more vulnerable to the consequences of an attack. |
| 00:09:52 | SS: | Yeah, exactly. I mean, AML is one thing, but also just the fact that a lot of these small firms, they’re hiring people who don’t have any training in cybersecurity, they don’t normally have an IT team – it’s outsourced – they don’t have anybody to ask those questions. So a lot of the time we’ll see them accidentally click on a link, put their information in just because it’s not top of mind. So when you don’t have anybody who’s there ingraining that cybersecurity is important and this is how to protect the firm, normally it’s small mistakes that actually end up causing bigger mistakes. |
| 00:10:22 | DT: | Yeah, and I would just say as someone who runs a small law firm and has worked in large ones, I would extend that to our colleagues in large law firms. I think even in large firms, often you have lawyers who are very much separate from IT or cybersecurity teams. There’s not a lot of cross-functional collaboration between the professional team and the IT team. There’s not a lot of training often that’s delivered on cybersecurity risks, social engineering, and the like. And yeah, I think this can happen, really, to any lawyer in any size of practice, but you’re less likely to have that dedicated team who can do some kind of education and training within the business in a small firm. |
| 00:11:00 | SS: | Yeah, exactly. You don’t have a team that does it. I mean, even IT teams, they fall victim as well, right? Because cybersecurity and IT are very different. There’s certain aspects of it that are relevant and apply to one another, but cybersecurity is its own beast essentially, and it happens to everybody, not just large firms. |
| 00:11:18 | DT: | Which kind of brings us onto the kinds of threats that law firms and small law firms in particular are exposed to, and we’ve hinted at it already. I think a lot of people think of cybersecurity risk in the way that lends itself to that misconception of, “well, it’s up to my vendors to be secure, right?” Because they think of it as black hat hacker exploiting a vulnerability in the underlying source code of the software that you use, green text on a black background, tap, tap, tap, sunglasses on, “I’m in,” and then exfiltrating data that way. But that’s not really how this happens for law firms or even many businesses at all. |
| 00:11:54 | SS: | Correct. No, it’s usually phishing actually in social engineering. So a lot of the time, the easiest way to do it is the fact that they know law firms are busy. And the reality of it is you sometimes will forget to take that extra step in reading an email or clicking a link. You’ll see it come from, you know, the CEO or a partner. And what do you do? “Oh, I have to answer this right away.” We’re seeing this more frequently, people will just click and put in information, or we’re seeing a lot of deep fakes come up in the legal industry. And so you’ll get that call being like, “hi, I am from HR,” or “hi, I am your CEO. Something seems not to be working. We need you to give us your credentials.” And people don’t think because they’re busy and unfortunately that’s when a lot of the mistakes happen, and that’s how they’re getting in more frequently is actually phishing emails like that. And it takes a few steps to just kinda step back and be like, “okay, maybe this isn’t what I think it is.” But if you’re not trained on it and you don’t know what to look for, it makes it easy. |
| 00:12:47 | DT: | A really common one I’ve seen as well is two-factor authentication phishing emails, the bogus verification link, that again, it’s this sort of task that we’re constantly asked to do throughout our day by trusted vendors. We just wanna get on with the work. You jump into your inbox and you’ve received a verification link or something to click to confirm that you can log into your practice management system and maybe a phishing email lands at the top of your inbox at the same time, and you’re just not in a mindset to check the email address that it came from, or that the email template looks a little bit off. It can happen to anyone. And I think that’s the point, right? I think some people think phishing is something that happens to grandma who’s not au fait with the internet and with the kind of indicators of a phishing email, but there, I guess, is a difference between the obvious phishing attempt that lands in our spam anyway and we don’t really see, and the sophisticated phishing attempt that yeah, really anyone can fall for. What are some of the hallmarks that you’ve seen of sophisticated phishing attempts? |
| 00:13:47 | SS: | Yeah, I mean, you mentioned it yourself, but one of the things that cyber criminals are relying on is this false sense of security, and so you’ll get the email from your vendor, you’ll get the email from your CEO. A lot of the times too it’s that they’ll pretend to be clients sending you data and it’ll be, “click this link, I have more data,” or “I have more evidence to send you.” So we’re seeing a lot more emails come through and they’ll actually replicate how you will send an email or how you’ll receive an email. And so it’ll look like nothing is off, and then it’ll have the first name and it’s just one little small change in the email. So I’ve seen that a lot. I’ve seen it with some of the law societies I’ve worked with and actual attacks have happened where it’s just small things. It’s a small change. It’ll be that link and you won’t think about it or you’ll receive repeated emails, but it’ll be different each time. So those are some of the sophisticated ones as they look almost perfect and you just don’t realise it. |
| 00:14:46 | DT: | That point about clients providing information is a really good one because as lawyers, we’re often expected to just use unfamiliar tools because our clients wanna use them, right? So you have a technology stack that you vetted, and I think if you got an email from a partner in your firm and it’s a Dropbox link and you’re like, “well, we don’t use Dropbox,” your guard would be up. But when a client is sending you material, anything goes, right? We use the video conferencing tool they want to use, we use the document management tool they want to use, and so you might not be familiar with what legitimate email or a notification looks like or what a legitimate portal looks like either. So really important to independently verify with clients, “how are you gonna send me this?” |
| 00:15:26 | SS: | Yeah, exactly. |
| 00:15:27 | DT: | And just what you said about some of the tiny little things that can give away a phishing email. I think one of the misconceptions around phishing other than “it happens to other people,” and “it happens to dummies who aren’t me,” is that it’s a kind of spray and pray low effort tactic that is not tailored to target you. I’ve seen phishing links where a domain has been registered in the name of the target, replacing, for example, an ‘m’ in the name of the company with an ‘r’ and an ‘n’ next to one another. So it looks very similar, two ‘u’s next to one another in place of a ‘w’ so that you can register a really persuasive looking domain that I think most people would not be checking character by character, the links that they’re clicking on. |
| 00:16:08 | SS: | Oh, it’s very true. It’s also like this sense of urgency. I mean, in a law firm you’re dealing with multiple cases, multiple emails coming through. Everything always has a sense of urgency and it always seems to happen that cybercriminals will send something with urgency when you need something and you’re waiting for that and you’ll get that. It’s as if they kind of know, I mean, they’re used to this, and so when you get that sense of urgency or that email, “I need this done right away,” you don’t register. You just think, “oh man, I actually have to get this done.” We see it happen too, especially in small medium firms, larger firms that have new associates, when, you know, you get an email from a partner requesting something to be done ASAP. They’re not thinking, “oh, I need to check to make sure this is actually from them.” They’ll just go ahead and do whatever the link or the email tells them to do. Click on the link, put in this, et cetera. Pay this invoice. We see it will happen a lot, and it’s just, unfortunately it’s new associates, legal assistants, et cetera, trying to do what’s expected of them and show up, be professional and put in good work, but they don’t take that second to think. |
| 00:17:11 | DT: | Yeah, and in some ways that’s even the best case, which is, “I’m trying really hard to be vigilant, but I’m not familiar enough with our tech stack to know what’s wrong.” I think there are a lot of people who, even if you do implement cybersecurity controls, think well, “this is like a box I’ve gotta tick. It’s getting in the way.” Even if as an organization there’s an acknowledgement that there’s a risk on an individual level, that acknowledgement might not be as strong or might be absent. Have you got any tips around, and I guess this applies both at an organization level and at an individual level within an organization, how do you change that mindset of cybersecurity as like something that “we’ve gotta fill out on tenders, and so it’s a box we’ve gotta tick, we’ve got to have an accreditation, but it’s not that big a deal for us and at the end of the day, as long as we’ve ticked the box, we’re okay”? |
| 00:17:56 | SS: | Yeah, we do see this a lot. Some firms will get the certifications or implement a framework because they do wanna check that box. The other thing is, and I mean I was just at ALPMA, and I talked to a lot of firms and they didn’t realise that there are certain requirements for your cyber liability insurance that you have to meet for that to actually come into play and for it to be used if you have a cyber breach. Client requirements are a new big thing where they’re expecting you to have some type of security in place to protect them. We’re seeing it as a competitive edge. I mean, in Canada and the US, all over the world, it’s something that if you wanna grow the business, if you wanna take on more clients, they wanna make sure that everything is secure and that you’re taking those steps. So it’s a little more than just a checkbox. You’re protecting yourself, you’re protecting your firm – and there are penalties associated – we’re seeing this change worldwide now. Everything is being more related to GDPR, which imposes fines on not meeting privacy and cybersecurity requirements, making sure that your firm is securing data that it has, and so we’re seeing this kind of worldwide changing, and so it becomes more than just a checkbox you need to do. You’re protecting yourself and you’re protecting your data, but also a cybersecurity incident could drastically impact your reputation as a whole, like the firm’s reputation and even potentially could shut the firm down. |
| 00:19:26 | DT: | Yeah, absolutely. The liability is potentially massive. You know, we were talking before about how there can sometimes be a perception that, “well, I buy from trusted vendors. It’s their responsibility to keep me secure.” It’s really your responsibility to make sure that your vendors are secure in some ways. I mean, everyone has a responsibility down the chain. Can you talk me through a little bit how vendor selection and putting together your tech stack comes into play as a law firm trying to be more cyber secure? |
| 00:19:51 | SS: | Yeah, absolutely. So one of the ways is you can automatically ask if your vendor has any type of certifications in place to ensure that they’re secure. But a lot of the time you’ll get the basic response, “oh, we have ISO,” or “we have this,” or “we have a cybersecurity framework in place. We use encryption. We use multifactor authentication.” What they don’t ever explain and what a lot of firms forget to realise is, what happens when you stop using that vendor? Have you verified what they do with your data? Do they have a deletion policy in place? Are they holding onto that data? Do you know where it’s being maintained? So I think that’s one of the things that firms need to start realising. I mean, you have legal obligations to hold data for a certain period of time, and that’s fine, but your vendor doesn’t have those same requirements. And if you are not asking the right questions and your vendor’s holding onto data and you’re not making sure that they’re being deleted, you’re also putting yourself still at risk because you need to be making sure cyber liability insurance does have a third party factor to it and a coverage. But the reality of it is it still starts with you that liability insurance is not going to come into play if you’re just like, “well, my vendor should have it.” You need to be taking the steps. Because it could be the cyber attack happens on the vendor side, but it also can happen on your side. And so just because your data is being stored in a vendor platform doesn’t mean that there’s no risk coming from your side. |
| 00:21:19 | DT: | And there’s like a liminal space in between those as well, right? There’s, “well, our vendor has ISO 27001 accreditation, they’re widely trusted, they’ve got a multifactor authentication setting,” but is it turned on? Like there’s an interaction between the two as well. And just on the point of asking these questions, I think that doesn’t have to be a difficult, time intensive task, and it’s actually really achievable for small firms now. |
| 00:21:46 | SS: | Absolutely. |
| 00:21:46 | DT: | They don’t pay us. It’s not a paid plug, but UpGuard is a great tool. We use it, a lot of our clients use it, and a tool like UpGuard, I’ll say, makes it easy to set up a questionnaire like that for your vendors. It also makes it very easy to answer them, so it’s not a lot of effort for either side of the transaction, and it just gives you a bit of an indication, comparatively speaking, of what the security posture is of the different vendors you might be choosing between. |
| 00:22:11 | SS: | Yeah, absolutely. A questionnaire is a great thing, and if you’re ever struggling with a questionnaire or something like that, cybersecurity consultants can easily set that up for you, right? Making sure that you’re meeting the requirements that you need for your cyber liability insurance, from your client requirements, et cetera. So it’s just taking that step and it’s really not time consuming. I mean, answering a 240-question questionnaire from your client about the cybersecurity that you have in place, that’s time consuming. |
| 00:22:36 | DT: | Yes. |
| 00:22:37 | SS: | So if you’re already taking those steps and you’re putting in place the right protocols and the right practices, those questionnaires become easy to answer. |
| 00:22:45 | DT: | Yeah. I want to come back to something we were talking about before, because we have talked a little bit about the frameworks that can apply in this area. I think for some of our listeners who might be unfamiliar with those frameworks, we should probably explain what they are, and even some people who have heard those terms a few times before might be kind of unfamiliar with what they are, right? So let’s talk about ISO 27001. It’s an international standard. Santana, tell me a bit about what it actually is. |
| 00:23:08 | SS: | Yeah, so ISO 27001 is a risk-based standard. It’s focused on information security. So what it does is it looks at what controls you have in place to mitigate risks. And so you need to conduct a risk assessment, you need to determine what risks come into play for the confidentiality, integrity, and availability of data. So coming from that standard, it helps you look at what risks are potentially relevant to your firm, what controls you have in place to mitigate those, and you actually get a certification deeming that you’ve met those requirements and that your firm has an information security management system in place – for people who may not know, that means cybersecurity, it’s just a nice little way to phrase it – but there’s other things you can do too. There’s other standards that you can look at. There’s SOC, which we see a lot with tech companies. They’ll put a SOC in place, but again, that’s an attestation. So it’s just making sure that you have controls in place and you do compliance audits against those. There’s a variety of different standards based on what’s needed for security. There’s privacy standards in place, there’s cloud-based standards as well. So ISO 27017 is also one. That one doesn’t take long. It’s an add-on to 27001. So these are all standards that have been implemented internationally that indicate that you have the right cybersecurity in place. I know for Australia specifically, they look at the Essential Eight. Those are the bare minimum that you need to have in place, and honestly, it’s a small portion, but it’s a starting point for sure. TIP: You might have just heard Santana mention the Essential Eight. That’s an Australian cyber security framework, developed by the Australian Signals Directorate through the Australian Cyber Security Centre, and it’s probably one of the most practical benchmarks we have in this space. At its core, the Essential Eight is eight basic cyber security strategies that the ACSC says are the most effective at stopping common, high-volume attacks: things like ransomware, phishing, and credential theft. It’s carved out of a much larger list of controls, but these eight are considered the minimum baseline that really moves the needle. Importantly, the Essential Eight focuses on practical, technical controls; including patching applications and operating systems, using multi-factor authentication, restricting admin privileges, locking down Microsoft Office macros, and making sure backups are done properly and can actually be restored. The ACSC also publishes what’s called the Essential Eight Maturity Model. That runs from Level 0 to Level 3, with each level reflecting how consistently and rigorously those controls are implemented. For example, higher maturity levels mean tighter patching timeframes and stronger enforcement of access controls. For many Australian government agencies, reaching at least Maturity Level 2 is mandatory. For private organisations, including law firms, the Essential Eight generally isn’t legally required. But in practice, it’s become the de facto benchmark for what “reasonable” cyber security looks like in Australia. It’s commonly used in government procurement, panel tenders, cyber insurance discussions, and board-level risk reporting. For smaller firms, the Essential Eight can actually be a helpful place to start. It gives you a clear checklist, helps prioritise effort, and lets you work out where you are now, and what the shortest path is to a defensible, Australian-recognised baseline. |
| 00:26:12 | DT: | I guess an important misconception I think that people need to be aware of with ISO accreditation, especially when we’re talking about vendor selection is what it is and what it isn’t, right? So it’s an accreditation that you have an ISMS (an information security management system). It’s not a deep dive into the implementation of those security controls at a source code or technical level, correct? |
| 00:26:35 | SS: | Yes. So, it’s a compliance audit, that you have listed out that you have these in place. But no, it is not a deep dive into your source code. It’s not a deep dive into particular aspects of the engineering part. It’s looking at, do you have a policy and a procedure in place? Do you have evidence to demonstrate that you have it in place and that you are following that policy and procedure? And in that regard, it’s like a security framework that they’re looking at, but it is not a deep dive into the code specifically, or testing that, looking at it. It’s just making sure that you’re doing the right things from a compliance perspective. |
| 00:27:09 | DT: | Just staying with vendor selection and this idea of being responsible for the risks that your own tech stack presents, if I see that my document management system, my practice management system, whatever myriad of AI tools I’m buying now all have ISO 27001, is that kind of the end of my due diligence or are there other questions that I should be asking? |
| 00:27:29 | SS: | It’s a good starting point. It does give you a little bit of confidence that at least there’s security aspects in place when you’re picking that vendor, but nothing is completed once you have an ISO certification, right? A lot of the times you need to be doing regular cybersecurity audits. You need to be ensuring that you’re asking the right questions just because the standards are always changing. Threats are always changing. So just because they have an ISO certification, it means they have the framework in place, they are doing things to mitigate risk. But there’s other questions you can always be asking, including things like how they are managing any bugs or potential changes or new threats in their source code, what type of training they’re providing and looking at, is it updated yearly? A lot of the time we see a regurgitation of the same training. There’s really no update to that. There’s obviously a starting point of having an ISO certification and it is great, but you constantly also have to be willing to ask the questions about what they’re doing with their data. And I mean, Microsoft’s ISO certified but they’ve had breaches. It doesn’t stop you from getting a breach. |
| 00:28:37 | DT: | Yeah. |
| 00:28:38 | SS: | It does indicate that you’ve looked at risks that are potentially relevant to your organisation and you have some controls in place. Cybersecurity isn’t a one and done, you just get a certification automatically. It isn’t a force field. It doesn’t mean you’re protected 100% of the time. |
| 00:28:56 | DT: | And I guess it’s also possible to obtain a certification and still have practices that won’t work for your firm. Absolutely. |
| 00:29:03 | SS: | Absolutely. |
| 00:29:03 | DT: | So if you have a practice, for example, that does a lot of government work and you’re under obligations in your engagement around data sovereignty, the information that you’re given by your client does not leave Australia, then there will be plenty of ISO 27001 accredited providers who are storing data in the US or in the EU or in Singapore, who will not meet your requirements. |
| 00:29:25 | SS: | Absolutely. Yeah. It’s very much looking at that and for instance, ISO specifically doesn’t really have any privacy controls. So I mean, if you’re looking at something that kind of meets everything, you’re not gonna find that currently. You’d have to get multiple different standards and certifications on that level, but it’s really asking the particular questions that are relevant to you. Privacy for some companies is absolutely necessary in terms of having certain controls, having a privacy policy, knowing what client data you’re collecting, where it’s being stored, ISO, specifically ISO 27001, doesn’t ask those questions. SOC doesn’t ask those questions. NIST doesn’t ask those questions. So you know, looking at it from a holistic approach of cybersecurity is what’s needed and what your firm specifically needs. |
| 00:30:10 | DT: | It’s one of those questions in the security questionnaire. It’s not the whole questionnaire. |
| 00:30:13 | SS: | Exactly. |
| 00:30:14 | DT: | Yeah. TIP: You might have just heard Santana mention ISO, NIST and SOC, and if those sound like a bit of alphabet soup, you’re not alone. At a high level, all three are ways organisations show that they take information security seriously and manage cyber risk against recognised standards. Let’s start with ISO. When people talk about ISO in a cyber context, they usually mean ISO 27001. This is an international standard focused on having a proper Information Security Management System, or ISMS. In plain terms, that means documented policies, risk assessments, security controls, and a process for continually improving how information is protected. ISO 27001 is certifiable, which means an independent auditor can assess an organisation and, if it meets the requirements, certify it. That certification isn’t forever. It’s reviewed regularly and fully re-certified every few years. NIST is a bit different. NIST refers to cyber security frameworks published by the U.S. National Institute of Standards and Technology. These are detailed guides and control libraries that help organisations think through cyber risk and security controls. There isn’t a global “NIST certification” available. Instead, organisations will usually describe themselves as being aligned with or compliant with NIST frameworks. SOC is different again. SOC reports are independent audit reports, most commonly SOC 2, that assess how a specific service environment is controlled. A SOC 2 report looks at areas like security, availability and confidentiality and produces a detailed report that clients can review. You’ll often hear people talk about SOC 2 Type I or Type II, which simply reflect whether the controls were assessed at a point in time or over a longer period. In practice, many organisations use all three together: NIST to design their controls, ISO 27001 to manage them day-to-day, and SOC reports to show clients how those controls actually operate. And it strikes me that ISO accreditation is, paradoxically, both too much and not enough. So, as we’ve just said, when you’re looking at selecting a vendor, it might not be the answer to every question you have about their security posture or where their data’s stored or what their privacy practices are. At the same time, there might be a perspective among law firms that like, “well, that’s for tech companies. Like, why would I get 27001 accreditation? I can’t get that. It’s gonna be too onerous. It’s gonna be really hard for me to get, and then hard for me to maintain. There’s so many controls that I need to deal with. I’ll have to completely change the way I operate.” But it’s actually a proportionate assessment, isn’t it? |
| 00:32:44 | SS: | Absolutely. Yeah. So when you’re looking at it, you see 93 controls and you’re like, “that is a lot.” A lot of them are interrelated. A lot of them are actually out of scope for law firms. I don’t think they realise that, but a lot of the time, law firms are not doing software development. So all of those become out of scope, per se. A lot of these are actually things you might already have in place in terms of controls, and it’s just updating for the ones that you don’t have. So it seems like it’s larger, and I won’t lie, an ISO certification is expensive for some of the certification bodies. It’s less expensive for others. I mean, I work with some certification bodies where it’s $3,000 to get ISO certified. To go through your certification process really depends, but it’s not the be all, end all. It doesn’t mean you have to go for an ISO certification to ensure that you have cybersecurity at your firm. Sometimes it’s setting up the framework and not going for that certification. And that’s what I love about my job and what I like to do, because I do like working with small to medium sized firms and offering an affordable solution to protect themselves. It makes it easier because we can look at what you currently are doing and find the gaps, and so it’s looking at it from the perspective of what works for your firm. I think that’s what a lot of firms don’t recognise is that it doesn’t have to be this large, huge project that takes up time and resources and money and effort. It can be a lot smaller. It’s just considering cybersecurity and putting certain things in place that you may not already have. |
| 00:34:10 | DT: | I think a lot of the time it’s about collecting evidence of what you are doing, right? |
| 00:34:14 | SS: | Yeah. |
| 00:34:14 | DT: | Rather than changing a lot about your practices, and I guess if you are changing a lot, then whether the accreditation matters or not, it’s probably good that you’re changing those things. |
| 00:34:22 | SS: | Absolutely. |
| 00:34:23 | DT: | Multifactor authentication, for example, you should be using MFA on your work emails and on your practice management system. And if you’re not doing that well, it’s great to be doing that now, even if it’s got nothing to do with obtaining a ticket or not. |
| 00:34:36 | SS: | Exactly, so collecting the evidence is an onerous task because you know, it involves potentially going into the systems that collect the evidence, like your logging and monitoring systems. You might have to talk to a SIEM, for example, if you have one. You might not have a designated team to do all the evidence collection, but certain things can be done. Like you said, MFA, multifactor authentication, could be added. So a simple change, and that’s a small change, but it’s one of the best steps moving forward, right? It’s also required by the Essential Eight, so things that you need to meet your cyber liability insurance, you might not even have. An incident response plan doesn’t have to be this giant plan, and it doesn’t have to take up a lot of effort, but if you were to get hacked, do you know what you would do? A lot of firms, you ask them that and they say, “we don’t know. We don’t have a plan in place.” “Well, how would you make sure that you restored operations? How would you fix the operations if they were attacked?” It’s simple questions like that that get the minds of people thinking, but then they don’t know what to do after that. |
| 00:35:37 | DT: | Let’s talk about that, actually. We mentioned phishing and email compromise before, you mentioned ransomware in passing. These attacks can result in data exfiltration, but they can also lock you out of your systems. What does an incident response plan for that kind of attack that has resulted in your systems being impaired or completely unusable, look like? |
| 00:35:55 | SS: | So a lot of the time it’s setting up a communications plan. So looking at who we would contact in this event, right? So it’s setting up providers that you’d want to reach out to to do digital forensics and to then eradicate your systems, contain your systems, make sure that then we can get you back on. If you’re using vendors, how they’re managing that, so if there’s ever an outage on their side, are you going to be out for four hours? Or are you going to be out for four days? Looking at key things like that when you’re looking at contract review for your vendors. So those are small parts of an incident response. It’s also looking at how long it’s going to take to bring back up your system. So a little bit of business continuity as well there. So it’s about also, the process of, “okay, we’ve identified this happens. What do we do now?” |
| 00:36:44 | DT: | Yeah. |
| 00:36:44 | SS: | “Who do we contact if you don’t have an IT team?” You’re a small firm. Who are you reaching out to? Who’s then taking the steps to contact a forensics team if needed? |
| 00:36:53 | DT: | Yeah. |
| 00:36:54 | SS: | So it’s a chain of, “this is what we would do in the event.” I mean, we have firms and everyone’s going digital, but there’s also firms that have a large amount of paper. An incident could be a fire. “What would you do then, with all that data that you had? Is there a plan to move it to a digital format? Do you have a backup of it?” So certain questions, constantly looking at how you can maintain operations of the firm is important. |
| 00:37:20 | DT: | And speaking of paper files, some of the controls in your ISO accreditation include your physical security, so not keeping client files on your desk, keeping your doors locked. It’s more than just your IT security posture. In terms of incident response as well, I think our listeners should know sometimes you have some resources around incident response at your disposal that you’re not even aware of. I can’t speak for every jurisdiction in Australia, but I know that solicitors insured by Lawcover’s professional indemnity insurance policy have access to a limited level of cyber insurance cover. They have a $50,000 cover limit to cover the cost of engaging consultants to help with remediation and response. So you’ve got that for free with your statutory – well, not for free – you’ve got it bundled in with your statutory required professional indemnity insurance. A lot of firms don’t know they have that, and in the wake of an incident, they’re trying to manage it themselves, they’re trying to educate themselves on what they could or should be doing. There are professionals available, you’ve got a pot of money to go and engage them. You should go and do that if an incident happens. I think also beyond that kind of bundled in, relatively basic level of cyber insurance cover, cyber insurance is a pretty mainstream insurance category now. I remember even six years ago, it was a pretty small category. Not many firms had it unless they were large, sophisticated operations holding a lot of personal data. It’s pretty common, even amongst smaller businesses to hold cyber risk insurance. What does a policy like that look like and what does it cover? |
| 00:38:48 | SS: | Yeah, so it definitely can range on where you’re getting it from and some of the things you wanna look for is, for instance, does it cover any third party coverage? So for example, if your vendor were to have a breach, or a client, how would you be covered in that regard? It covers your firm itself, so if your firm had a data breach, you would get coverage there. You wanna look at things such as, does it have an incident response coverage? Those are kind of the main things you really wanna look for because data forensic companies are expensive. And so if you are looking for this and making sure that your coverage has at least those three things, you’re setting your firm up for protection as well as, like we said, we’ve talked a lot about third party attacks. If you are making sure that your coverage has that in place, it’s another layer of protection. |
| 00:39:37 | DT: | And as you said, these policies can also contain some like base level expectations of you, the insured, around your own cybersecurity practices, right? |
| 00:39:48 | SS: | Yes, absolutely. A lot of the time, specifically for Australia, it’s the Essential Eight – so multifactor authentication, patching requirements, updates to your operational systems, application control, access control of administrator accounts – so your main controls. But a lot of the time too, it’s, for example, having an incident response plan, and a lot of firms, you ask them and they’re like, “oh, I think I read something about that in my cyber liability insurance.” “Do you have it?” “No.” So making sure that you have the requirements, because unfortunately we have seen this where you’ll have the coverage and you go to use it and you haven’t implemented the controls or don’t have the requirements from a firm perspective, and you don’t get covered. |
| 00:40:27 | DT: | Yeah. This is a bit of a theme, right? Buying the cyber risk insurance policy is not a force field, right? It doesn’t prevent the breach and it doesn’t inoculate you against all of the consequences of a breach. |
| 00:40:37 | SS: | Absolutely. And so a lot of the time, I mean I have seen, and I’ve talked to firms, they have no clue where to even look for the requirements that they have. And so some cyber consultants will offer that to help you to make sure that you’re on the right track. But it’s doing your due diligence on a contract perspective as well. You have to read the fine print in a sense. |
| 00:40:56 | DT: | Yeah, look, lawyers, sometimes plumbers with leaky taps don’t review their own contracts. Yeah, I mean, I think we’ve said on this show before that if you read every set of terms and conditions you were presented with in daily life, it’ll take you something like eight weeks. So I’m certainly guilty as a lawyer myself, of not reading everything that I click wrapped to sign. But your cyber risk insurance, definitely something you should be reading. You said before, it’s not a matter of if, but when. And even with the most responsible security posture possible, even with a great cyber risk insurance policy, even with trusted vendors, even with Essential Eight and more controls implemented in your firm, you could suffer a cyber attack. When that happens – because as you said, it’s not if, it’s when – how do you rebuild trust with the clients whose data has been lost, whose sensitive information that they expected was safest with you, who you’ve told all about privilege and your confidentiality obligations, how do you reassure them and build that relationship back up? |
| 00:41:59 | SS: | Yeah, I mean, we look at multiple companies and that’s what they’re going through right now. Qantas, it’s a big one. A lot of people are feeling that kind of, “oh, well, I trusted you with my data, you’re a big company…” But you have to take the steps to actually communicate with your clients. So a lot of the times you’ll see, “oh, this company had a giant breach,” and it comes from the perspective of the news. You don’t hear it unfortunately in advance. So one of the things is having that open and honest communication with your clients indicating, “we have had a breach, here’s what was breached, and we have moved forward by implementing X, Y, and Z to protect in the future.” TIP: Santana has just mentioned the Qantas cyber attack, pointing to a really good example of how cyber incidents can have consequences well beyond IT systems. In mid-2025, Qantas confirmed a major cyber attack that potentially exposed the personal details of around six million customers. Attackers gained access to a third-party customer service platform used by an offshore call centre. Reports suggest social-engineering tactics were involved, essentially tricking staff or systems into granting access. The data exposed included things like names, email addresses, phone numbers, dates of birth and frequent flyer numbers. Qantas has said that more sensitive data, like credit card details, passwords, PINs and passport numbers, was not part of the compromised dataset. Even so, the scale of the incident meant millions of customers were affected, and the reputational and regulatory fallout was significant. That incident is often compared to the Optus breach in 2022, which remains one of Australia’s largest data breaches. In that case, attackers accessed Optus customer data through an internet-facing API that didn’t require authentication. About 9.8 to 10 million current and former Optus customers were affected, roughly one-third of Australia’s population. For millions of people, personal details like names, dates of birth, phone numbers and addresses were exposed. For around two million, government ID numbers such as driver licences and passports were also compromised. Optus initially described the breach as sophisticated, but later investigations characterised it as a preventable security failure. Since then, there have been regulatory investigations, court proceedings, and multiple class actions. Together, these incidents show that cyber attacks can trigger regulatory scrutiny, litigation, reputational damage and long-term trust issues, even for some of Australia’s biggest and most resourced organisations. You can’t go back in time, unfortunately, but if you start to proactively manage the potential risks, you’re putting yourself in a better position, and that’s really what you can do. And so hopefully you don’t get breached, but the reality of it is, at some point, even a small breach will impact a firm. And so if you have the right security controls in place and you’re actively working with clients to meet the requirements as well, it’s also putting that boundary. Some clients will say, “yeah, let’s use Google Drive or Dropbox.” If you set up that you’re going to use a secure file transfer system, maintain those boundaries and those security requirements as well, and explain to a client, “this is why I’m doing this, because it protects both of us.” So being honest with your clients as well as starting to implement or even having a plan to implement controls. After a breach, I mean, it’s putting a bandaid on it. I’d say proactively do it rather than reactively do it. But making sure that you’re constantly thinking about cybersecurity is one of the ways you can definitely prepare that relationship. |
| 00:45:27 | DT: | Yeah, I think a lot of the time it is a breach that starts people on the journey of implementing these controls. Right? |
| 00:45:34 | SS: | Yeah. |
| 00:45:35 | DT: | Yeah. It starts with remediation and then goes to prevention, right? You’d think as a profession that’s used to advising its own clients to take preventative measures rather than ending up with the cost and heartache of litigation, we’d be better at taking the advice ourselves, but we’re all learning. I wanted to ask you about some examples – de-identified appropriately, of course – about some of the firms that you’ve helped to improve how they’ve prepared for dealing with a breach and maybe even some examples of how you’ve helped with recovering from a breach. |
| 00:46:07 | SS: | Yeah, absolutely. A lot of the clients I have had, it’s been a client requirement that’s pushed them to implement security features or a competitive edge requirement. We’re seeing the need for cybersecurity and the need to make sure that we have these in place to drive the need for an ISO certification or even a framework set up, but specifically I’ve worked with firms to secure their eDiscovery system per se. So we start by looking at how ISO can actually be implemented from an eDiscovery perspective, but also including privacy requirements in that as well. So it becomes like this whole two-fold process where we look at what they’re currently having, but it also optimises their process as well, so their eDiscovery process. Because when they’re looking at it, one of the main things you’re doing when you’re looking at eDiscovery is you’re looking at the integrity of the data. So you’re, a lot of the time, uploading it into systems and you’re potentially messing with the metadata, which could render it unusable in a particular case. So we look at how we can secure that from the perspective of, maybe using a particular vendor, but also looking at how we can apply the security controls in place of, for instance, if you’re looking at it from your mobile device, how are we securing that mobile device? Also, traveling is a huge one. So, making sure that you’re using the right controls when you’re traveling. So I’ve helped companies set up that, whether it be a policy, a procedure, or just the actual controls in place. A lot of the small firms too, I’ve helped with just looking at their particular requirements from the cyber liability perspective and how we can implement one on an affordable cost. So a lot of the times you’ll get this giant quote, and “how can we implement this when we can’t afford this?” And I’m seeing this kind of as a large theme in Australia, with the small to medium firms, is they can’t afford it. |
| 00:47:55 | DT: | Yeah. |
| 00:47:55 | SS: | So I’ve been working with some firms to actually set up smaller frameworks for them, so where we’ll go in and I’ll actually do an audit of their systems, look at what controls they have in place, and provide recommendations so that they don’t have to implement a giant ISO framework, and they don’t have to go through the certification but what they can do is use my expertise and knowledge to actually implement a smaller framework that works for their firm and means that they’re meeting some controls based on a larger international standard, but something that fits to their firm. So again, working with smaller firms there, and that’s all proactively, so that’s working to get them set up on a smaller portion. And then from the reactive perspective, I’m unfortunately working with a couple law societies where members of the law societies were breached. |
| 00:48:44 | DT: | Yeah. |
| 00:48:44 | SS: | And I mean, unfortunately the breach happened internationally. |
| 00:48:48 | DT: | How do you mean? |
| 00:48:48 | SS: | Unfortunately, they had an instance where letters were actually sent in a completely different country imitating and pretending to be this firm. |
| 00:48:57 | DT: | Oh wow. |
| 00:48:58 | SS: | And I’m talking paper letters and emails, so it expanded past just the cyber aspect of it. So we’re working with that member now to, one, implement some major security controls because they created a whole new domain name. They created a whole new email and they sent out paper copies, all requesting money and telling them to send their information so that they can get that. |
| 00:49:23 | DT: | Wow. |
| 00:49:23 | SS: | Yeah, so cyber criminals, they’re expanding. |
| 00:49:26 | DT: | I mean, that’s so hard to really even detect as a firm, right? If someone’s using your letterhead for that purpose, and I mean, part of the job is sending letters to unfamiliar people. Sometimes as a lawyer, that seems like a really tough thing to defend yourself against. |
| 00:49:40 | SS: | Yeah. That one is definitely unorthodox, I would say. So there’s a couple of things that I am doing. I’m working with one, getting them in touch with the right authorities so that they can report this because it does have to be reported. Two, getting them in touch with the right forensics to see what happened and how they got access, because it sounds like what actually happened was a breach in their system, right? So where they were holding their information, so their document management system, and looking at setting up better controls around managing that so that it doesn’t happen in the future. Also, setting up cybersecurity awareness training for members of law societies, for lawyers, is something I’m working on. And not just your large companies that kinda give your, “oh, here’s cybersecurity awareness training,” but tailored, cybersecurity awareness training so that we’re meeting the needs of the clientele. Because not everybody is going to have the ability to report it to IT, right? So getting firms and sole proprietors to think about how they would manage and what they need to have in place is something that I’m working with a lot of law firms and law societies on now. |
| 00:50:48 | DT: | We’re nearly out of time, but I wanted to finish with a question that picks up on something you said earlier. You said that cybersecurity training is a part of the ISO accreditation and it’s just a prudent thing to do, but threats are always changing. Phishing and business email compromise, like they can be very persuasive, but we kind of know that those risks exist. There is a whole new category of cyber risks associated with using AI tools. We’ve seen the first examples of malicious MCP servers, for example. In some ways, like everything old is new again: SQL injection, which we thought was like a solved problem – we have a new flavor with prompt injection, right? So how do lawyers keep on top of all of these new risks, because you can even have an annual cybersecurity training program and still miss a lot of really critical threats to your information, your client’s information, when you’re adopting these novel tools. |
| 00:51:39 | SS: | Yeah, as you said, a lot of the cybersecurity awareness training is done annually, but one thing that we’re seeing is the need for threat intelligence, and so what that is, there’s a lot of vendors out there, and they’re great vendors who will actually update and send emails about new threats they’re seeing in the industry. Attending conferences where we’re speaking about the new threats, that’s one way that we can definitely start to do that. Doing a lot of CLE as well. There’s a lot of free resources online, and so just keeping cybersecurity at the back of your mind, and constantly looking at ways to provide your firm with that information is one way. Also, change when you want to do cybersecurity awareness training. Yes, the requirement is annually, but a three minute video is not a long time, and I’m pretty sure everybody could take three minutes and listen to a video and a form of cybersecurity awareness training on new threats that are coming up. And so that’s one thing that I’m working on is providing like a monthly cybersecurity awareness training that’s constantly updating on threats, and so that’s definitely one of the ways you can do that is, just start to keep security at the front of mind instead of the back of your mind. |
| 00:52:48 | DT: | Yeah. A consistent theme throughout our conversation today has been proportionality. I think our listeners, all lawyers, have a lot of things that they’re supposed to be keeping front of mind, right? They’re supposed to keep their ethical obligations front of mind; from June next year, if not already, they’re supposed to be keeping AML front of mind, privacy, confidentiality, privilege, cybersecurity, on top of getting all the substantive work done, their obligations to the court. There’s a lot to keep track of, and it’s hard to expect, I think, busy professionals to keep all of this stuff front of mind without taking a proportionate approach. |
| 00:53:20 | SS: | Absolutely. |
| 00:53:21 | DT: | And what I’ve really enjoyed about our conversation today is that you’ve been able to give us a vision of what that proportionate approach looks like in terms of how you stay aware of risks, how you insure against risks, how you implement controls to protect against those risks, that I think really is achievable even for smaller firms in our profession. So Santana, thank you so much for joining me today on Tuesday. |
| 00:53:42 | SS: | Thank you for having me. I appreciate it. |
| 00:53:44 | TH: | As always, you’ve been listening to Hearsay the Legal Podcast. We’d like to thank our guest today, Santana Stallberg, for coming on the show. Now, if you want to learn more about making your firm cyber secure, I’d recommend checking out our episode with Reece Corbett-Wilkins. That one is episode 16 (so a little bit back in the archives) and it’s called ‘Managing Data Breaches and Cyber Incidents’. If you’re an Australian legal practitioner, you can claim one continuing professional development point for listening to this episode. Now, as you know, whether an activity entitles you to claim a CPD unit is self-assessed but we suggest that this episode entitles you to claim one practice management and business skills point or a professional skills point – take your pick. For more information on claiming and tracking your points, head on over to the Hearsay website. Hearsay the Legal Podcast is brought to you by Lext Australia, a legal innovation company that makes the law easier to access and easier to practice and that includes your CPD. Now, before you go, we’d like to ask you a favour, listeners. If you’re enjoying Hearsay the Legal Podcast, please consider leaving us a Google review. It helps other listeners to find us and ultimately it keeps us in business. Thanks for listening and we’ll see you on the next episode of Hearsay. |