Most law firms believe they have cybersecurity handled. They have an MSP. They have antivirus. Everybody changed their passwords last year. If pressed, the managing partner might mention that the firm “takes security very seriously,” which is the corporate equivalent of saying you eat healthy because there’s a banana on your desk.
Antivirus and a managed service provider alone are not a security program. And for law firms specifically, the gap between “we have some tools” and “we have a defensible security posture” is a professional obligation.
Legal Cybersecurity Requirements for Lawyers (ABA and State Rules)
The ABA’s Model Rule 1.1 has required technology competence since 2012, and Model Rule 1.6 extends the duty of confidentiality to electronic communications and data storage. Forty states have now adopted the technology competence standard.
New York went further in 2023, becoming the first state to mandate cybersecurity-specific continuing legal education credits for all attorneys. Florida and North Carolina require broader technology CLE. The direction is clear: the profession has decided that cybersecurity literacy is not optional for practicing lawyers.
So what does it actually look like when a law firm takes this seriously?
Law Firm Data Security: Your Document Management System Is the Real Target
When people outside the legal industry think about data security, they think about “files.” But law firms don’t just have files. They have document management systems — iManage, NetDocuments, Worldox — that contain the entire institutional knowledge of the firm: privileged communications, draft agreements, litigation strategy, M&A details that would move stock prices. A DMS is not a file server with a nice interface. It’s the single richest target in your environment, and it needs to be treated that way.
That means access controls scoped to matters, not just to people: a partner's firm-wide role should not translate into access to every matter in the firm, and an ethical wall has to be enforced by the system rather than by memo. It means audit logging that can reconstruct who touched what document and when, and that cannot be quietly edited after the fact. It means understanding how your DMS integrates with email, with mobile devices, and with the cloud sync features that attorneys enable because they want to work from home on Sunday night. Every one of those integrations is a potential exposure, and most firms have never mapped them.
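As an added illustration (not code from iManage, NetDocuments, Worldox or any other product), the following Python sketch shows what "scoped to matters, not to people" and "audit logging that can reconstruct who touched what" look like when written down. The matters, users and documents are constructed sample data, and the hash chain is a minimal stand-in for whatever append-only logging your DMS or SIEM actually provides.

```python
"""Matter-scoped document authorization with a hash-chained audit trail.

Added example with constructed data; not the API of any real DMS.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Matter:
    matter_id: str
    client: str
    team: frozenset                      # users staffed on the matter, whatever their role
    screened: frozenset = frozenset()    # ethical wall: denied even if staffed later


class DocumentStore:
    GENESIS = "0" * 64

    def __init__(self, matters, documents):
        self.matters = {m.matter_id: m for m in matters}
        self.documents = dict(documents)   # doc_id -> matter_id
        self.audit = []                    # every decision, allowed or not
        self._prev = self.GENESIS

    def _log(self, ts, user, doc_id, action, allowed, reason):
        # Each entry commits to the previous entry's hash, so editing or
        # deleting a record breaks the chain (verify_audit detects this).
        entry = {"ts": ts, "user": user, "doc": doc_id, "action": action,
                 "allowed": allowed, "reason": reason, "prev": self._prev}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self.audit.append(entry)
        self._prev = entry["hash"]

    def authorize(self, ts, user, doc_id, action):
        """Decide by matter staffing, never by firm-wide role; log both outcomes."""
        matter_id = self.documents.get(doc_id)
        if matter_id is None:
            allowed, reason = False, "unknown document"
        else:
            m = self.matters[matter_id]
            if user in m.screened:
                allowed, reason = False, f"ethical wall on {matter_id}"
            elif user not in m.team:
                allowed, reason = False, f"not staffed on {matter_id}"
            else:
                allowed, reason = True, f"staffed on {matter_id}"
        self._log(ts, user, doc_id, action, allowed, reason)
        return allowed

    def verify_audit(self):
        """Recompute the chain; False means a record was altered or removed."""
        prev = self.GENESIS
        for e in self.audit:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def history(self, doc_id):
        """Who touched this document, when, and whether they were let in."""
        return [(e["ts"], e["user"], e["action"], e["allowed"])
                for e in self.audit if e["doc"] == doc_id]


def build_sample_store():
    # Constructed data: alice is a partner staffed on M-1001 only; carol is
    # walled off from M-2002 because she previously advised the other side.
    matters = [
        Matter("M-1001", "Acme Holdings", frozenset({"alice", "bob"})),
        Matter("M-2002", "Beta Capital", frozenset({"bob", "dave"}), frozenset({"carol"})),
    ]
    documents = {"DOC-1": "M-1001", "DOC-2": "M-2002"}
    return DocumentStore(matters, documents)


if __name__ == "__main__":
    store = build_sample_store()
    for ts, user, doc, action in [
        ("2024-03-03T21:14:00Z", "alice", "DOC-1", "open"),
        ("2024-03-03T21:15:30Z", "alice", "DOC-2", "open"),      # partner, not staffed: denied
        ("2024-03-03T21:16:05Z", "carol", "DOC-2", "download"),  # ethical wall: denied
    ]:
        print(ts, user, doc, action, "->", store.authorize(ts, user, doc, action))
    print("audit chain intact:", store.verify_audit())
    print("DOC-2 history:", store.history("DOC-2"))
```

Two design choices carry the point of the section. Denials are logged alongside grants, because a partner being refused a document on a matter she is not staffed on is exactly the event an investigator later wants to see. And the log is chained, so the question "was this audit trail edited after the incident?" has a mechanical answer rather than a trust-me one.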
Identity Management for Law Firms: The New Security Perimeter
The traditional security model assumed that threats came from outside and that defenses sat at the edge of the network. That model is gone. Your attorneys work from home, from court, from hotel lobbies. They access firm systems from personal phones. The perimeter is no longer the firewall; it is the login.
That makes identity management the foundation of everything else. Multi-factor authentication is the minimum, and it needs to be enforced everywhere, including the web front ends of the DMS and of email that attorneys reach without ever touching the VPN; legacy mail protocols that cannot carry an MFA challenge (IMAP, POP, basic-auth SMTP) should be turned off outright, because an attacker with a stolen password will simply use them instead. Conditional access policies should govern who can reach which systems, from which devices, under what circumstances. Meanwhile, email remains the primary vector for phishing and for business email compromise, the wire-fraud schemes that specifically target firms handling closings and other financial transactions. That means your email system needs its own layer of protection beyond whatever comes with your Microsoft 365 license.
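The following Python example is added here to make the "MFA everywhere, not just on the VPN" point concrete; it is not Microsoft 365 or Entra ID code, and the policy model is a simplification of how real conditional access engines work. It evaluates three constructed sign-ins against a weak policy set (MFA enforced only on the VPN) and against a hardened set, and shows which sign-ins the weak set silently lets through.

```python
"""Conditional access evaluation: a VPN-only MFA policy beside a policy set
that covers every sign-in path.

Added example with constructed sign-ins; the policy model is illustrative,
not the Entra ID / Microsoft 365 conditional access API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str              # "vpn", "dms", "email"
    managed: bool         # device enrolled in the firm's MDM
    compliant: bool       # device passes the firm's health checks
    legacy_auth: bool     # IMAP/POP/basic auth: cannot carry an MFA challenge
    mfa_satisfied: bool   # a second factor was completed this session


@dataclass(frozen=True)
class Policy:
    name: str
    apps: frozenset = None             # None = every application
    legacy_only: bool = False          # applies only to legacy-protocol sign-ins
    block: bool = False
    controls: frozenset = frozenset()  # "mfa", "compliant_device"


def evaluate(policies, s):
    """Return ("allow" | "deny" | "block", reasons). A block policy always wins."""
    unmet = []
    for p in policies:
        if p.apps is not None and s.app not in p.apps:
            continue
        if p.legacy_only and not s.legacy_auth:
            continue
        if p.block:
            return "block", [p.name]
        if "mfa" in p.controls and not s.mfa_satisfied:
            unmet.append(f"{p.name}: MFA required")
        if "compliant_device" in p.controls and not (s.managed and s.compliant):
            unmet.append(f"{p.name}: compliant managed device required")
    return ("allow", []) if not unmet else ("deny", unmet)


# The common weak setup: MFA is "on", but only on the VPN.
WEAK = [Policy("MFA on VPN", apps=frozenset({"vpn"}), controls=frozenset({"mfa"}))]

# Hardened: legacy auth blocked, MFA on every app, DMS only from healthy firm devices.
HARDENED = [
    Policy("Block legacy authentication", legacy_only=True, block=True),
    Policy("MFA everywhere", controls=frozenset({"mfa"})),
    Policy("DMS from compliant devices only", apps=frozenset({"dms"}),
           controls=frozenset({"mfa", "compliant_device"})),
]

# Constructed sign-ins, not real telemetry.
SAMPLE_SIGNINS = {
    "partner, hotel, personal laptop, DMS web": SignIn("alice", "dms", False, False, False, False),
    "mailbox via IMAP with password only":      SignIn("bob", "email", False, False, True, False),
    "associate, home, firm laptop, MFA done":   SignIn("carol", "dms", True, True, False, True),
}


def compare(signins=SAMPLE_SIGNINS):
    """Decision under each policy set, keyed by the scenario label."""
    return {label: {"weak": evaluate(WEAK, s)[0], "hardened": evaluate(HARDENED, s)[0]}
            for label, s in signins.items()}


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:42} weak={result['weak']:6} hardened={result['hardened']}")
```

The first two scenarios are the ones that matter: a partner opening the DMS web interface from a hotel on a personal laptop, and a mailbox reached over IMAP with nothing but a password. Under the VPN-only policy both are allowed, because neither ever touches the VPN. Real conditional access engines add conditions this sketch omits (sign-in location, session risk, client application type), but the scoping lesson is the same: a policy that applies to one application protects one application.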
Third-Party Risk for Law Firms: Your Biggest Hidden Exposure
Law firms have always relied on outside vendors, but the nature of that reliance has changed. Now we’re seeing eDiscovery platforms, cloud-based practice management tools, legal research services, court filing systems, virtual data rooms, and more, and every one of these represents a third party with some degree of access to client data. Most firms have never conducted a formal assessment of how those vendors handle security, and most vendor agreements don’t address it in any meaningful way.
This matters more than firms realize, because the exposure isn’t just theoretical. Institutional clients (banks, insurance carriers, publicly traded companies) increasingly require their outside counsel to complete detailed security questionnaires as a condition of engagement. Firms that can’t answer those questionnaires credibly are losing work to firms that can. And if a breach occurs through a vendor that the firm never vetted, the firm still owns the client notification, the reputational damage, and the potential malpractice exposure.
Cybersecurity Auditability: What Law Firms Must Be Able to Prove
Prevention matters. But the ability to demonstrate what happened and, importantly, what you did about it, matters more than most firms appreciate. Regulators, malpractice insurers, and clients who have entrusted you with sensitive information will all want to know the same things after an incident: What was compromised? When did you know? What did your response look like?
If you can’t answer those questions with logs, documentation, and a clear timeline, then you didn’t have a security program. You had a collection of tools and good intentions. Audit trails, access logs, and documented policies shouldn’t be viewed as mere bureaucratic overhead. In fact, they’re the evidence that your firm met its duty of care.
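To make "answer those questions with logs and a clear timeline" concrete, here is an added Python example that is not part of the original page. It takes a merged identity sign-in log and DMS audit log for one compromised account and produces the three answers: when the account was first used from an address it had never used before, when it was contained, and which matters and documents were touched in between. The JSON lines, the account name and the field names are constructed for the example; they are an assumption about what such an export would carry, not the format of any particular product.

```python
"""Reconstruct an incident timeline for one account from identity and DMS logs.

Added example. The log lines below are constructed, not a real export, and
the field names are an assumption about what such exports contain.
"""
import json
from datetime import datetime, timezone

SAMPLE_LOG = """\
{"ts":"2024-03-01T09:02:11Z","src":"idp","user":"jdoe","event":"signin","ip":"203.0.113.8","mfa":true}
{"ts":"2024-03-01T09:05:40Z","src":"dms","user":"jdoe","event":"open","doc":"DOC-4411","matter":"M-1001"}
{"ts":"2024-03-02T22:48:03Z","src":"idp","user":"jdoe","event":"signin","ip":"198.51.100.77","mfa":false}
{"ts":"2024-03-02T22:51:19Z","src":"dms","user":"jdoe","event":"download","doc":"DOC-4411","matter":"M-1001"}
{"ts":"2024-03-02T22:52:02Z","src":"dms","user":"jdoe","event":"download","doc":"DOC-5120","matter":"M-2002"}
{"ts":"2024-03-02T23:10:55Z","src":"dms","user":"jdoe","event":"download","doc":"DOC-5121","matter":"M-2002"}
{"ts":"2024-03-03T08:15:00Z","src":"idp","user":"jdoe","event":"signin","ip":"203.0.113.8","mfa":true}
{"ts":"2024-03-05T14:30:00Z","src":"idp","user":"jdoe","event":"password_reset","actor":"helpdesk"}
{"ts":"2024-03-05T16:00:00Z","src":"dms","user":"jdoe","event":"open","doc":"DOC-4411","matter":"M-1001"}
"""

# Addresses the user was seen from in the 90 days before this period (constructed).
KNOWN_IPS = {"jdoe": {"203.0.113.8"}}

# Events that end the exposure window for an account.
CONTAINMENT_EVENTS = {"password_reset", "sessions_revoked", "account_disabled"}


def parse_log(text):
    """Parse JSON lines into events with UTC datetimes, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def first_unknown_signin(events, user, known_ips):
    """Earliest sign-in for the user from an address outside their baseline."""
    for e in events:
        if e["user"] == user and e["event"] == "signin" and e.get("ip") not in known_ips:
            return e
    return None


def reconstruct(events, user, known_ips):
    """What was compromised, when did we know, and when was it contained."""
    start_event = first_unknown_signin(events, user, known_ips)
    if start_event is None:
        return {"compromise_first_seen": None}
    start = start_event["ts"]
    contained = next((e["ts"] for e in events
                      if e["user"] == user and e["ts"] > start
                      and e["event"] in CONTAINMENT_EVENTS), None)
    # If nothing contained the account, the window is still open at the end of the log.
    end = contained or events[-1]["ts"]
    touched = {}
    for e in events:
        if e["src"] == "dms" and e["user"] == user and start <= e["ts"] <= end:
            touched.setdefault(e["matter"], set()).add(e["doc"])
    return {
        "compromise_first_seen": start.isoformat(),
        "first_unknown_ip": start_event["ip"],
        "contained_at": contained.isoformat() if contained else None,
        "dwell_hours": round((end - start).total_seconds() / 3600, 1),
        "matters": {m: sorted(d) for m, d in sorted(touched.items())},
    }


if __name__ == "__main__":
    report = reconstruct(parse_log(SAMPLE_LOG), "jdoe", KNOWN_IPS["jdoe"])
    print(json.dumps(report, indent=2))
```

Everything the account touched between first unknown sign-in and containment is attributed to the exposure window, including the legitimate-looking sign-in on March 3, because an investigator cannot separate the attacker's actions from the owner's on a shared password without more evidence, and client notification has to err on the side of inclusion. The example also only works because the DMS log carries a matter identifier on every record; a log that records only filenames cannot tell you which clients to call.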
Incident Response for Law Firms: A Governance Problem, Not IT
When a security incident occurs, the first instinct is to hand it to IT. But for a law firm, the most consequential decisions in the first hours of a breach are business decisions: Which clients need to be notified and when? What are the firm’s obligations under state breach notification laws? Does the firm’s malpractice carrier need to be contacted? Is there a litigation hold? Who speaks to the press?
These decisions cannot be made on the fly by someone whose primary job is maintaining the network. They require a plan that was developed before the incident, reviewed by firm leadership, and tested at least once. Incident response for law firms is governance, not IT support.
Where to Start
If you read this and recognized gaps in your firm’s current posture, you’re not alone. The good news is, that recognition is itself a useful starting point. Most firms don’t need to overhaul everything at once. They need a clear-eyed assessment of where they stand today, mapped against what the profession and their clients actually require.
We work with law firms and legal organizations on exactly these assessments, and we regularly present on cybersecurity topics at Continuing Legal Education programs for bar associations and law firms. If you’re not sure how your current environment maps to the areas outlined above, that’s usually the first useful conversation. Contact us to schedule one.