Digital Strategy

Digital Governance for Law Firms: Why It’s Not Just an IT Problem

22 May 2026·7 min read·ben

When a law firm’s website goes down at 9pm on a Thursday, the question that follows is rarely a technical one. It is a governance one. Who is responsible for this? Who do we call? What do we do first?

In most firms, nobody has a clear answer. Not because they are careless, but because digital governance has never been anyone’s official responsibility. It sits in a gap between IT support, the person who originally built the site, and a principal who has more pressing things to manage.

That gap is where most digital risk quietly accumulates.


What Digital Governance Actually Means

Digital governance is not a technology question. It is an accountability question.

It covers who is responsible for your website and digital infrastructure, what your obligations are around client data and privacy, how you would respond if something went wrong, and whether the people responsible for your firm (partners, practice managers, board members if you have them) have a clear enough picture of your digital risk position to make informed decisions.

For a law firm, the stakes are higher than for most. You hold confidential client information. You operate under professional conduct obligations. Your digital presence is often the first point of contact for someone in a difficult situation. A failure at any of those points is not just an inconvenience. It is a potential professional, legal, and reputational problem.


The Vendor Gap

Most law firms have accumulated digital vendors over time without much structure. A web developer who built the site in 2019. A hosting provider that was set up by someone who has since left. A domain registrar whose login details exist in one person’s personal email. A plugin or form tool that auto-renews annually and that nobody has reviewed.

The vendor gap is the space between what your firm thinks is managed and what is actually owned, documented, and understood. It is one of the most common sources of digital risk we encounter, and it is almost entirely invisible until something breaks.

A basic vendor audit covers: who owns the domain and where it is registered, who controls the hosting account and what the recovery process is if access is lost, what third-party tools are running on the site and what data they are collecting, and what your contractual position is if you need to move to a different provider.

None of this is technically complex. It just requires someone to sit down and work through it.


Client Data and the Privacy Act

Law firms are not exempt from the Privacy Act 1988. If your firm has an annual turnover above $3 million, the small business exemption does not apply and you are covered by the Australian Privacy Principles in full. Smaller firms may also be covered depending on the nature of the information they handle, and the practical reality is that any firm collecting sensitive personal information through a website should operate as though the obligations apply regardless.

In practical terms, this means your contact forms and enquiry mechanisms need to transmit data securely (served and submitted over HTTPS, to a destination you control or have a contract with, not to a form vendor nobody has reviewed), your privacy policy needs to accurately describe what you do with the information you collect, and you need a credible response plan for a data breach. The Notifiable Data Breaches scheme requires notification to the Office of the Australian Information Commissioner and to affected individuals as soon as practicable where an eligible data breach is likely to result in serious harm.
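The vendor audit question above ("what third-party tools are running on the site and what data they are collecting") and the point about forms transmitting data securely can both be checked from a saved copy of the page, without waiting on the original developer. The script below is an added example for this article, not code from the original page or from Marzipan; it walks the markup of a page, lists every external origin that scripts, stylesheets, iframes and images are loaded from, and flags any form that posts off-site, over plain http, or by GET. The domain names and the page markup are constructed for illustration.

```python
"""Inventory the third parties a web page actually loads or submits to.

Added example (not from the original article). Stdlib only: parse a saved
page, report external origins, and flag risky form actions. All domains
and the sample markup below are made up for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ThirdPartyInventory(HTMLParser):
    """Collects external origins and form findings while parsing one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlparse(page_url).hostname
        self.external = {}        # origin -> set of tag kinds that load it
        self.form_findings = []   # (resolved action URL, [findings])

    def _record(self, kind, url):
        """Resolve a src/href against the page and keep it if it is off-site."""
        if not url:
            return
        parts = urlparse(urljoin(self.page_url, url))
        if parts.scheme not in ("http", "https"):
            return                       # data: URIs, javascript:, etc.
        if parts.hostname == self.site_host:
            return                       # first-party, not a vendor
        origin = f"{parts.scheme}://{parts.hostname}"
        self.external.setdefault(origin, set()).add(kind)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                  # attribute values may be None
        if tag == "script":
            self._record("script", a.get("src"))
        elif tag == "iframe":
            self._record("iframe", a.get("src"))
        elif tag == "img":
            self._record("image", a.get("src"))   # tracking pixels show up here
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet":
            self._record("stylesheet", a.get("href"))
        elif tag == "form":
            action = urljoin(self.page_url, a.get("action") or "")
            parts = urlparse(action)
            method = (a.get("method") or "get").lower()   # HTML default is GET
            findings = []
            if parts.scheme == "http":
                findings.append("posts over plain http")
            if parts.hostname and parts.hostname != self.site_host:
                findings.append(f"sends submissions to third party {parts.hostname}")
            if method == "get":
                # Fine for a search box; wrong for an enquiry form, because
                # field values end up in URLs, browser history and server logs.
                findings.append("uses GET, so field values end up in URLs and server logs")
            self.form_findings.append((action, findings))


def inventory(page_url, html):
    """Return ({origin: [kinds]}, [(form action, [findings])]) for one page."""
    p = ThirdPartyInventory(page_url)
    p.feed(html)
    p.close()
    origins = {o: sorted(kinds) for o, kinds in sorted(p.external.items())}
    return origins, p.form_findings


# Constructed sample: a fictional firm's contact page with a few typical vendors.
SAMPLE_URL = "https://www.example-firm.com.au/contact"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/assets/site.css">
<script src="https://tags.example-analytics.com/tag.js?id=ABC123"></script>
<script src="https://cdn.example-chatwidget.net/widget.js"></script>
</head><body>
<form action="https://forms.example-formvendor.com/submit/abc" method="post"></form>
<form action="http://www.example-firm.com.au/legacy-enquiry.php" method="post"></form>
<form action="/search"></form>
<iframe src="https://maps.example-mapembed.com/embed?q=office"></iframe>
<img src="https://px.example-adnetwork.com/pixel.gif" width="1" height="1">
</body></html>
"""


def audit_sample():
    """Run the inventory over the constructed sample page."""
    return inventory(SAMPLE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    origins, forms = audit_sample()
    for origin, kinds in origins.items():
        print(f"external: {origin}  ({', '.join(kinds)})")
    for action, findings in forms:
        print(f"form -> {action}: {'; '.join(findings) or 'ok'}")
```

Every origin the script lists is a vendor that receives at least the visitor's IP address and the page they are on, and it belongs in the vendor audit with a named owner and a reason for being there. A form whose action resolves to a third-party host is sending enquiry content (often the first description of a client's legal problem) to that vendor, which is exactly the kind of disclosure the privacy policy needs to describe accurately.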

For most firms, the privacy policy on their website is a template that was copied from somewhere else, has not been reviewed since it was published, and does not accurately reflect current practice. That is a straightforward thing to fix, but it does require someone to actually do it.


Access and Continuity

One of the quieter governance risks for law firms is access continuity. What happens when a key person leaves and takes the passwords with them? What happens if the principal who set up the Google Workspace account is no longer at the firm and nobody else has admin access?

These are not edge cases. They happen regularly, and they can cause significant disruption at precisely the wrong moment.

Sound access governance means keeping a documented record of every digital system your firm depends on, the credentials or access method for each, and a named owner for each account. That record needs to be stored somewhere secure (a shared password manager with its own recovery process, not a spreadsheet or one person's inbox) and accessible to more than one person. Every administrative account, from the domain registrar to Google Workspace, should have at least two named administrators, and the multi-factor authentication recovery codes for those accounts should be kept with the record, because a second administrator with no way past MFA is no better than none.

It also means periodic review. Access credentials change. People leave. Subscriptions lapse. A system that was documented accurately two years ago may no longer reflect your current position.


What Good Governance Looks Like in Practice

Good digital governance for a law firm does not require a dedicated IT function. It requires three things.

First, a clear picture of what you have. Website, hosting, domain, email, forms, third-party tools, and the vendor relationships behind each.

Second, a named person responsible for each. Not necessarily technical expertise. Just clear accountability.

Third, a regular review cycle. For most firms, a quarterly check of the key risk areas is sufficient. The goal is to catch issues before they become problems, not to achieve a perfect state of readiness that nobody has time to maintain.

The Digital Risk Checklist we built for community legal centres covers the seven risk areas that apply most directly to purpose-driven organisations handling sensitive data. It was written with CLCs in mind, but the framework translates directly to law firm practice. It is a practical starting point for a governance conversation with your leadership team, and it is free.

[ Digital Risk Checklist (PDF) ]

For firms that want a more complete set of governance documents, the Digital Governance Pack includes six ready-to-use templates covering vendor due diligence, a digital risk register, accessibility self-assessment, privacy policy structure, and an incident response one-pager. It was also written for CLCs, but the documents themselves are broadly applicable.

[ Digital Governance Pack ]


Accessibility as a Governance Matter

Accessibility tends to be treated as a design question. It is also a governance one.

The Disability Discrimination Act 1992 applies to law firm websites. WCAG 2.1 AA is the practical standard. If your site cannot be navigated by someone using a screen reader, or fails basic colour contrast or keyboard navigation tests, you are carrying legal exposure as well as an ethical gap.

Most firms have never checked. Our Website Accessibility Checker gives you a baseline read in a few minutes. Automated checks only catch a subset of WCAG failures (colour contrast, missing alternative text, unlabelled form fields); confirming that a site can actually be used with a keyboard alone or with a screen reader still needs a person to try it.


The Case for an External Digital Steward

For most law firms, building comprehensive internal digital governance capability is not realistic. The firm exists to provide legal services. Digital infrastructure is a means to that end, not a core competency.

The more sustainable model is an external partner who carries the technical accountability, keeps the systems maintained and documented, flags risks before they become incidents, and can translate the digital position into plain English for the people responsible for the firm.

That is the model Marzipan operates under. We work with a small number of legal, community, and purpose-driven organisations on an ongoing basis, handling the digital governance, search visibility, security oversight, and compliance management that most firms do not have internal capacity to sustain. You can read more about how that works on our Digital Stewardship Programme page.

If you would like a clear starting point, the Digital Capacity Diagnosis is a one-off structured review of your firm’s website, search visibility, security posture, accessibility, and governance gaps, with a prioritised action plan in plain English.

[ Digital Capacity Diagnosis ]

