Table of Contents
Your firm holds trust account credentials, privileged communications, litigation strategy, and client PII across every practice area. The value of that data puts your firm on par with financial institutions and healthcare organizations.
The security infrastructure protecting it usually doesn’t.
Most small and midsize law firms run the same tools any generic small business would: email filtering, basic antivirus, and maybe two-factor authentication on email.
This guide covers what a real law firm cybersecurity posture requires, from the threats targeting your firm to the bar obligations you’re already expected to meet.
Why Law Firms Are High-Value, Under-Protected Targets
Law firms are targeted because of what they hold and how they hold it.
The combination of privileged communications, financial authority, and sensitive personal data makes your firm’s environment disproportionately valuable, while the security investment at most small and midsize firms doesn’t reflect that value.
What Attackers Are Actually After
The data inside your firm isn’t one category of sensitive information — it’s several, and each one carries a different secondary value to an attacker:
A 15-attorney firm might hold all five data types simultaneously, across dozens of active matters. That concentration is what makes law firms attractive targets relative to their size.
The Security Gap That Creates the Opening
Most firms in the 5-to-50 attorney range are protected by tools designed for general small businesses. You likely have email filtering, some form of antivirus, and maybe MFA on your Microsoft 365 accounts.
What you probably don’t have:
That gap between what your firm holds and how it’s protected is the opening attackers look for.
The Threats Law Firms Are Actually Facing
Generic cybersecurity guides list the same threats for every industry.
What they miss is how each threat specifically exploits the way your firm operates. Each of the threats below targets a vulnerability that exists because you’re a law firm.
Business Email Compromise and Trust Account Wire Fraud
This is the most financially catastrophic attack pattern in the legal industry.
An attacker compromises an email account at your firm, often through a phished credential, and monitors the inbox without acting. They wait until a wire transfer is being arranged in a real estate closing, settlement disbursement, or M&A transaction.
When the moment comes, the attacker intercepts the thread and sends modified wire instructions from the compromised account. The recipient sees what looks like a legitimate message with a slightly different account number.
By the time anyone notices, the funds are gone and often unrecoverable.

Phishing and Outside Counsel Impersonation
Your firm operates in a high-trust communication environment. Emails from opposing counsel, courts, title companies, and clients are acted on quickly because that’s how legal work moves. Attackers exploit that rhythm by impersonating trusted contacts or spoofing legitimate email domains.
Microsoft 365 environments without conditional access policies or DMARC enforcement are particularly exposed. An attacker who gains access to one account can move laterally through shared drives and monitor communications across matters.
Ransomware and Timing Attacks
Attackers have learned to deploy ransomware at the worst possible moments for law firms: before a trial date, during a merger, or ahead of a filing deadline.
The more dangerous pattern is exfiltration before encryption. Attackers copy privileged communications, client data, and financial records before locking your systems. The threat becomes twofold: pay to restore access, and pay again to prevent publication of privileged materials your firm was obligated to protect.
Insider Threats and Access Control Gaps
The insider threat at most law firms isn’t a malicious actor — it’s the account that was never offboarded when an attorney left, the shared login that gave broader access than anyone realized, or the departing staff member whose credentials still work months later.
High staff turnover in support roles, attorney departures, and lateral hires all create windows where access controls don’t match who should actually have access to what.
What Bar Rules Actually Require from Your Firm’s Security
Most cybersecurity guides mention ABA Rule 1.6 in passing. Few explain what the rule actually requires you to do, or what happens when you can’t demonstrate that you’ve done it.
What “Reasonable Efforts” Means in Practice
ABA Model Rule 1.6(c) requires attorneys to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
ABA Formal Opinion 483 further clarified that lawyers must also monitor for unauthorized access and notify affected clients after a breach.
State bars have built on this framework. California, New York, Florida, and several other states have issued formal ethics opinions reinforcing that the duty of confidentiality extends to how client data is stored, secured, and transmitted digitally.
Requirements vary by jurisdiction, so firms should consult their state bar’s formal opinions or outside counsel for guidance specific to their practice. Several states have gone further, issuing bar association tech competency standards that explicitly tie an attorney’s duty of competence to understanding the technology risks surrounding client data.
In practical terms, “reasonable efforts” now implies a baseline that includes:
These aren’t suggestions from a best practices list. They’re the framework bar associations use when evaluating whether a firm met its obligations. A firm that can’t document its security practices faces exposure in a disciplinary proceeding regardless of whether a breach has occurred.
The Compliance Exposure Most Firms Miss
The convergence is what catches firms off guard. Cyber insurance questionnaires, client security audits, and state bar opinions are increasingly asking the same questions:
Firms that can’t answer clearly are getting denied coverage at renewal, repriced upward, or losing client relationships to competitors who can document their posture.
How to Get Your Law Firm Cyber Insurance-Ready (And Why NIST Helps):
Covers the specific controls underwriters require, where firms typically fall short, and how to close readiness gaps.
What Malpractice Exposure Looks Like
A breach that compromises client funds, exposes privileged communications, or causes missed deadlines because systems were down creates malpractice exposure on top of the ethical obligations above.
Consider the sequence: a firm suffers a ransomware attack. Client files are encrypted and exfiltrated. The firm had no incident response plan, no offsite backup, and no documented security policy.
The client files a bar complaint. The disciplinary review focuses not on the attack itself, but on whether the firm took reasonable precautions.
The bar’s evaluation turns on your preparation, not on whether you could have stopped the attacker.

What a Law Firm Cybersecurity Baseline Actually Looks Like
Knowing what to actually have in place is what changes your firm’s security position.
The Non-Negotiables Regardless of Firm Size
Whether you’re a 5-attorney firm or a 50-attorney firm, these controls aren’t optional if you want to meet bar obligations, qualify for cyber insurance, and have a defensible posture:
MFA alone is a deeper topic than most firms realize. The gap between having MFA turned on and having it properly enforced, monitored, and documented is where most coverage failures happen — the full breakdown of what insurers actually check is in our guide to MFA for law firms.
Why Multi-Factor Authentication Is Essential for Law Firms:
Covers where MFA needs to be enforced, the difference between available and enforced MFA, and what insurers actually check.
Where Small and Midsize Firms Consistently Under-Invest
Three gaps show up repeatedly when firms go through a law firm IT assessment for the first time:
No written security policy or breach response plan. Many firms treat security informally. The tools might be in place, but nothing is documented, which means the firm can’t demonstrate its posture to an insurer, a client, or a bar reviewer.
No identity threat detection layer. Anti-spam filtering stops phishing at the perimeter. But once an attacker gets past it through a compromised credential or session token theft, they can bypass standard two-factor authentication.
Without identity threat detection and response (ITDR) monitoring for anomalies like impossible travel logins or simultaneous sessions from different locations, that attacker has full impersonation access. The gap between “we have email security and 2FA” and actually being protected is where most small law firms sit.
BYOD without device management. Attorneys and staff regularly access email, documents, and practice management systems from personal phones and laptops that have never been assessed or enrolled in a management platform.
Incident Response: What to Do When Something Goes Wrong
If you're reading this during an active incident, here's what matters:
- Suspend the compromised account immediately. Don't just change the password. If the attacker has an active session, a password change won't terminate it.
- Contact your IT provider. If you don't have one, this is the moment that absence becomes painfully clear.
- Don't communicate through the compromised channel. If email is compromised, use phone calls, texts, or an alternate platform.
- Preserve logs. Forensic investigation depends on log data. Don't wipe or rebuild anything until your IT provider confirms what happened.
- Know your notification obligations. Many state bars require notification to clients when confidential information is exposed. Your cyber insurance carrier likely has a notification procedure too.
The goal of incident response is containment. How quickly you stop the damage determines how much there is to recover from.
In one case handled by Uptime Legal's security team, a managing partner's email was compromised. The firm had declined conditional access management, but 24/7 identity threat detection was in place.
The account was shut down in four and a half minutes from the time of breach, before a single email went out. The next morning, the account was verified clean and brought back online.
What Makes a Cybersecurity Provider Right for a Law Firm
A cybersecurity provider built for law firms understands legal software environments, bar ethics obligations, and the attack vectors that specifically target legal practices.
The gap shows up when something goes wrong and the provider doesn't understand the environment they're protecting, likely because they have no experience with IT support for law firms.
Questions to Ask Any IT or Security Provider
Before signing with any provider, or when evaluating your current one, five questions will tell you whether they understand your firm's needs:
- Do you support our legal software platforms? Practice management, time and billing, and document management systems have specific configurations and failure modes. A provider who's never worked with Clio, NetDocuments, or PCLaw will learn on your firm's time.
- Do you provide ITDR, or only endpoint protection? EDR catches threats on devices. ITDR catches compromised identities, which is where the most damaging law firm breaches start.
- Can you help us with insurance questionnaires and client security audits? If the provider can't help you document your posture for an insurer, they probably haven't built it to the standard an insurer expects.
- What does your breach response procedure look like? You want specifics: who gets notified, what's the escalation path, and what happens at 2 a.m. on a Saturday.
- How do you handle offboarding? When an attorney or staff member leaves, what's the process for revoking every credential and access point?
Red Flags in a Generic IT Provider
Watch for these signals that a provider isn't built for your risk profile:
Any of these signals means your firm's risk profile isn't being treated as distinct from a generic small business.
What Legal-Specific Security Support Looks Like
A provider built for law firms understands matter-based access controls, where access to files and communications is scoped by matter rather than department. They're familiar with bar ethics obligations and can help you document compliance. They've configured security around legal software stacks before and know the failure modes of the platforms your firm depends on.
Understanding data security for law firms at this level is what separates a legal-specific provider from a generalist who treats every client the same way.
How to Move from Risk Awareness to a Defensible Security Posture
Law firms have three options for building a defensible security posture, and which one fits depends on the resources and legal-specific expertise available.
For firms that want managed IT and cybersecurity support built specifically for law firms, Uptime Legal provides legal-specific security, monitoring, and IT infrastructure through Uptime Manage.
WHAT'S NEXT
Frequently Asked Questions
Uptime Legal’s Technology Solutions
Cloud, software, IT, and document management built for today’s law firms.






