Cyber & Privacy Lawyers

End-to-end breach response, privacy & cyber governance support from our specialist cyber lawyers and advisors.

Our Services

GRM LAW provides cyber, privacy and AI advisory services for Australian organisations that need legal-first support across incidents, governance and compliance. Our core offerings include:

01. M365 Cyber Counsel

We act as your named cyber lawyer for everything that touches your Microsoft 365 environment.

  • Quarterly review of your tenant posture (Secure Score, Conditional Access, Purview, Defender and eDiscovery) with a plain-English memo;
  • Short quarterly board updates on cyber posture and priorities;
  • On-call framing of Microsoft 365 incidents so you know what is privileged, what is reportable and what to say;
  • A monthly advice drawdown included, with further work scoped as needed.

Indicative annual fees are generally scoped between $36,000 and $96,000 depending on tenant size and regulatory overlay.

We put a breach-coach relationship in place before you need it, and keep your incident plan tested.

  • A plain-English incident-response plan authored and maintained under privilege;
  • Two facilitated incident-response tabletops per year, calibrated to your sector and data profile;
  • Board-ready post-drill reports with clear findings and actions;
  • A set number of hours of in-year incident coordination included, with additional time only if needed.

Indicative annual fees are generally scoped between $24,000 and $60,000 depending on scale and complexity.

We produce the cyber report your directors can table at the AGM or year-end board meeting.

  • Interpretation of Microsoft Secure Score in business language;
  • A control statement against the Essential Eight maturity targets;
  • A regulator-readiness statement against the regimes that apply to you (for example CPS 234, RG 271, the Privacy Act and SOCI, as applicable);
  • A board narrative and a privileged director cyber-duty memo.

Indicative fixed fees are generally scoped between $18,000 and $35,000.

We help you adopt and govern AI in a way that fits Australia’s current legal position.

  • An assessment of where AI is already used in your business and what data it processes;
  • An AI acceptable-use policy authored under privilege;
  • A review of your position against the automated decision-making transparency obligation commencing 10 December 2026;
  • A legal review of your key AI vendors and contracts, and a board paper on AI risk.

Project fees are typically scoped between $22,000 and $55,000, or added as a retainer overlay in the $9,000 to $18,000 per-year range.

We run year-long cyber programs in sectors where regulators and data risk are higher.

  • Sector-specific gap assessments and program design for healthcare, financial services (AFSL) and property/agency;
  • Policy and procedure build tailored to the applicable frameworks;
  • Quarterly review memos for management and the board;
  • An annual sector-appropriate cyber report.

Indicative annual fees are generally scoped between $80,000 and $180,000 depending on sector and organisational scale.

We support boards and directors who want structured cyber oversight and alignment with recognised frameworks.

  • Our standalone Board Adviser Retainer gives you a named cyber lawyer on call for board and director cyber questions, supported by short quarterly board memos and a monthly advice allowance;
  • Our Compliance Gap Assessment engagements are advisory-grade, framework-led reviews against standards such as the Essential Eight, ISO 27001 controls, the NIST Cyber Security Framework and CPS 234, with remediation roadmaps and board summaries;
  • Our SOCI Compliance work covers SOCI capture analysis and the design of Critical Infrastructure Risk Management Programs authored under privilege, with ongoing review and reporting support where needed.

These engagements are scoped to your governance needs and any auditor, insurer or tender requirements.

We advise on the privacy reform window and day-to-day data-rights work for Australian organisations.

  • Our Privacy Act 2026 Readiness reviews look at your privacy posture across the 2024 privacy amendments (the Privacy Act 1988 as amended), including data inventories, consent and collection notices, statutory-tort exposure and OAIC notification readiness;
  • Our DSAR / Privacy Request Handling work triages and responds to data-subject access requests, privacy complaints and OAIC enquiries, including contested matters under privilege and the preparation of response templates for repeat patterns;
  • Our Cross-Border Data Transfer Reviews assess international data flows and cross-border disclosures, recommending contractual safeguards when you are using offshore vendors, processing data overseas or entering new markets.

These matters are usually delivered as fixed-fee projects or low-volume retainers, scoped to the volume and complexity of requests and jurisdictions.

We cover the cyber and privacy layer in deals, contracts and regulatory engagements.

  • Our M&A Cyber Due Diligence overlays sit on buy-side and sell-side transactions, surfacing target posture, data-class exposure, incident history and input into warranties and indemnities;
  • Our Cyber-Clause Review & Drafting services review and draft cyber and data clauses in vendor master agreements, data-processing agreements, supplier security schedules, insurance policies and franchise documents;
  • Our Whistleblower Disclosure & Cyber-Reporting Overlap work handles cyber-related whistleblower disclosures under privilege, including concurrent regulator engagements and scheme reviews;
  • Our General Cyber Counsel offering is the catch-all for any other cyber law question that does not fit a defined product, including one-off regulator queries, vendor cyber reviews and counsel-to-counsel support.

These services are quoted per matter or, for repeat contract and advisory work, via an at-volume retainer.

Clients We Advise

GRM LAW’s cyber & privacy lawyers act as legal counsel to a broad spectrum of Australian organisations, including: 


Microsoft 365-Based Organisations

Businesses running on Microsoft 365 that need legal oversight of Secure Score, access controls, data protection and incident response.

AFSL Holders, Private Credit & Financial Services

AFSL licensees, private credit funds and lenders where cyber resilience and privacy are core licence and director-duty issues.

Property Developers, Real Estate Funds & Agencies

Developers, funds and agencies exposed to payment-redirection fraud, trust-account risk and buyer data obligations.


Medical & Allied Health Providers

Clinics and allied health practices handling sensitive health information with high Notifiable Data Breach exposure.


Franchisors & Franchise Networks

Franchisors and networks where a single franchisee breach can become a brand-wide legal and regulatory problem.

SMEs, Family Businesses & Corporate Groups

Growing organisations and family groups facing narrowing privacy exemptions, AI use and complex data clauses in contracts.

Boards & Directors Seeking Cyber Governance Support

Chairs and non-executive directors who want structured legal input on cyber, privacy and AI risk at board level.

SOCI & Other High-Exposure Entities

Entities captured or likely to be captured under the Security of Critical Infrastructure Act and similar high-exposure regimes.

Speak With Our Cyber Lawyers

Our cyber lawyers will contact you to discuss your situation & outline next steps.

What Our Clients Say

How The Process Works

01.

Initial Scoping Call & Intake

We start with a focused 30-minute scoping call to understand your systems, data, sector and whether you are dealing with a live incident, a one-off project or an ongoing governance need.

02.

Engagement, Conflicts & Privilege Setup

We run conflicts, agree scope and issue an engagement letter that clearly sets out what we will do, how we work with your existing advisers and how privilege can operate over key work-product.

03.

Legal Review & Assessment

We complete the agreed review – whether that is an incident assessment, a framework-led gap analysis, a privacy reform review or an AI and data risk assessment – and map your position against the applicable laws and standards.

04.

Advice, Plans & Board Materials

We deliver clear, practical outputs such as incident-response plans, board papers, cyber and privacy reports, policies and regulator-readiness advice so directors and executives know what to do next.

05.

Implementation Support & Ongoing Review

We support you as changes are implemented, work alongside your chosen technical providers, and provide ongoing reviews, drills and updates where you choose a retainer or annual program.


Why Choose GRM LAW

01. Legal Frame First & Privilege-Aware

We are lawyers, not an IT vendor. We design cyber engagements so the legal frame comes first and key work-product can attract legal professional privilege where the law allows.

02. Real Cyber & Privacy Operator Depth

We run our own hardened environment aligned to APRA CPS 234, self-mapped to ISO 27001 controls and targeting Essential Eight Maturity Level 2, so our advice is grounded in controls we actually operate.

03. Board & Regulator Focus

We understand what boards and regulators expect to see, from annual cyber reports and director-duty memos through to OAIC notifications, Cyber Security Act reporting and privacy-reform readiness.

04. Vendor-Neutral Implementation Support

We work alongside your existing IT team or chosen technical providers under a clear legal architecture, and where we suggest partners they are vetted and always optional.

05. Partner-Led Boutique With National Reach

The cyber practice is supervised by founding partner Gavin McInnes, Accredited Specialist in Business Law, with direct partner involvement on every matter for clients across Australia.

Meet Gavin McInnes

Gavin McInnes is an award-winning corporate, commercial, banking & finance and property lawyer. For nearly 20 years he has advised key players in the banking, energy & resources, technology, allied health, veterinary, childcare, hospitality & property sectors.

As founding partner of GRM LAW and an Accredited Specialist in Business Law, Gavin supervises the firm’s Cyber Law & Advisory practice, bringing the same partner-led approach and commercial judgement to cyber, privacy and AI matters as he does to complex transactions and disputes.

Representative Business Acquisition, Roll‑Up & Exit Experience

We act for buyers, sellers & investors on strategic business acquisitions, roll‑ups & exits across Australia, including: 

Greencross (GXL)

Veterinary clinic acquisitions and continued business expansion for a national veterinary group. 

Dental Partners

Orthodontic business acquisitions and expansion for a national dental network. 

My FootDr

Podiatry clinic acquisitions for a national podiatry clinic group. 

Early Learning Services (ELY)

Childcare sector acquisitions for an ASX‑listed early childhood education provider. 

Foundation Early Learning (FEL)

Structuring and acquisition of childcare centres for a national early learning operator. 

Andersens Carpets

Sale of the Andersens Carpets business. 

Australian International Hospitality (AIH)

Hospitality acquisitions for Australian International Hospitality. 

Prosek Security & Brisk Security Group

Sale of Prosek Security and Brisk Security Group. 

Trycall & Yabbr / Tru Vision

Acquisition of Trycall by Yabbr and sale of Tru Vision. 

Recognition & Awards

Cyber & Privacy Law Essentials

Statutory Privacy Tort

Australian law includes a statutory tort for serious invasions of privacy, which commenced on 10 June 2025. It covers both intrusion into private affairs and misuse of information, so mishandling personal data can now lead directly to claims by affected individuals.

OAIC Enforcement & Proactive Sweeps

Following the 2022 and 2024 amendments to the Privacy Act 1988 (Cth), the OAIC has stronger enforcement powers and a three-tier civil penalty regime. The top tier, for serious interferences with privacy, is the greater of $50 million, three times the value of the benefit obtained or 30% of adjusted turnover for the breach period; the 2024 amendments added a mid-tier penalty for interferences that are not serious and a low-tier, infringement-notice penalty for administrative contraventions. The OAIC also conducts proactive privacy compliance sweeps across selected sectors, including real estate agencies.

Mandatory Ransomware Payment Reporting

Under the Cyber Security Act 2024 (Cth), from 30 May 2025 certain entities must report ransomware and cyber-extortion payments to the Australian Government within 72 hours. Reporting business entities over the $3 million turnover threshold, and responsible entities for critical infrastructure assets, face specific reporting and penalty settings.

Automated Decision-Making Transparency

The Privacy Act 1988 (Cth), as amended, introduces an obligation that from 10 December 2026 Australian Privacy Principles entities must disclose in their privacy policy where computer programs make, or substantially help make, decisions that could significantly affect an individual. This creates a concrete transparency requirement around AI and automated decision-making.


Legal & Compliance Insights

Frequently Asked Questions

Why should my first call in a cyber incident be to a lawyer, not IT?

Because the first decisions in a breach are legal: what is privileged, what must be reported and when, and what you say to regulators and affected individuals. When forensic work is properly scoped under a breach-coach retainer, legal professional privilege can attach to key work-product.

What is a breach coach?

A breach coach is the lawyer who leads your incident response. As breach coach we coordinate forensic providers and IT, manage notification and reporting obligations, liaise with insurers and regulators, and frame the legal strategy around the incident.

Do you provide IT or technical implementation services?

No. GRM LAW provides the legal, policy and advisory layer. We work alongside your existing IT team or chosen technical providers, and where needed we can introduce vetted, vendor-neutral implementation partners, but the technical build and monitoring sit outside our legal scope.

What are the ransomware payment reporting obligations?

Under the Cyber Security Act 2024 (Cth), certain entities must report ransomware and cyber-extortion payments to the Australian Government within 72 hours of making the payment. Reporting business entities over the turnover threshold and responsible entities for critical infrastructure assets have specific reporting obligations and potential penalties if those obligations are not met.

Do I need a subscription or retainer to work with you?

No. While many clients use our M365 Cyber Counsel, Breach + Drill Subscription or Vertical Cyber Programs, we also handle one-off matters such as privacy reform readiness reviews, gap assessments, DSAR handling, cross-border data reviews, M&A cyber due diligence and cyber-clause drafting.

Can you work alongside our existing advisers?

Yes. Much of our work sits alongside corporate counsel, brokers, insurers and IT providers. We are comfortable taking the cyber and privacy legal layer on a matter while working collaboratively with your existing advisers.

Which laws and regimes do you advise on?

We advise on the Privacy Act 1988 (Cth) as amended, the statutory tort for serious invasions of privacy, OAIC guidance and enforcement, the Cyber Security Act 2024 (Cth), the Notifiable Data Breaches scheme, automated decision-making transparency and, where relevant, sector regimes such as CPS 234, RG 271 and SOCI.

What does “real cyber & privacy operator depth” mean?

It means we are familiar with the practical controls and frameworks you are expected to meet, because we run a comparable control set ourselves. That allows us to give legal advice that connects directly to real-world configurations and board reporting, not just abstract principles.

How do engagements start, and how are fees set?

Most engagements begin with a no-obligation 30-minute scoping call to clarify what you need and whether it is best handled as a subscription, a fixed-fee project or an hourly matter. We then scope the work and provide an indicative fee or fee range before you commit.

Books By Gavin McInnes

Practical guides on structuring, asset protection and private credit in Australia.

Protect Your Assets

A plain‑English guide to protecting your home, business interests and investments under Australian law. Written for business owners, professionals and families who want to keep what they’ve built safe from avoidable risk. 

Private Credit In Australia (Coming Soon)

A forthcoming guide to structuring, documenting and managing private credit transactions in the Australian market, written for lenders, sponsors and their advisers. 

Request Free Consultation

Not sure which matter or service is right for you? Leave your details & our lawyers will contact you to discuss your situation & outline next steps.

Enquire Now

Tell us briefly what you need help with & we’ll reply within 1 business day.