Digital security for lawyers and law firms. The complete operational guide.
Short answer
Lawyers operate at the intersection of three pressure points that no other profession combines at the same intensity: privileged client communications, adversarial parties actively trying to acquire those communications, and a duty of competence that now extends to the technology used to handle them. This guide covers what a working operational posture looks like for a solo practitioner, a mid-size firm, and the lawyer who has just been told something has gone wrong. It is the document we point colleagues to when they ask where to start.
The threat model lawyers actually face
Most legal cybersecurity training starts with abstractions. Ransomware. Phishing. Insider threat. These categories exist, but they do not describe what we see when a law firm calls because something is wrong.
The actual threat surface for a lawyer breaks into five concrete adversary types. The first is the criminal extortion group that does not care what kind of firm you are. They scan the internet for exposed Remote Desktop, unpatched VPNs, and leaked credentials, then deploy ransomware. They have no interest in your specific clients. Their interest is in your willingness to pay. The vishing pattern documented across ADT, Medtronic, and Trellix applies in identical form to law firms: a phone call to one staff member, a compromised SSO session, and the firm’s document management system is open.
The second is the targeted actor. State-level intelligence services, sophisticated litigants, and corporate competitors. They are not opportunistic. They want a specific case file, a specific draft motion, a specific deposition transcript. When the value of a piece of information justifies a custom phishing campaign or a paid insider, you are no longer in a numbers game.
The third is opposing counsel. Not breaking in. Working within the rules. Subpoenas to cloud providers, depositions of IT staff, motions to compel production of metadata, discovery requests phrased to capture Slack and Teams logs. The lawyer who has not thought about what their own document management system would produce under a properly drafted discovery request is exposed without knowing it.
The fourth is law enforcement. Subpoena, search warrant, pen-trap order, geofence warrant, a 2703(d) order under the Stored Communications Act (18 U.S.C. § 2703(d), Title II of ECPA). Each instrument reaches a different layer of the firm’s data. Most lawyers can describe attorney-client privilege in the abstract. Fewer can describe what their cloud provider hands over under each type of legal process.
The fifth, and the one we encounter most often, is the firm itself. The associate who CCs the wrong client. The paralegal who emails a discovery production to a Gmail address that turns out to be a typo. The partner who autocompletes a recipient and sends settlement strategy to opposing counsel. We have seen all three in the last twelve months, at firms ranging from two attorneys to two hundred.
Client data is not one category
The fastest single improvement a firm can make is to stop treating “client data” as one undifferentiated category. It is at least four. Each one has a different threat model, a different access pattern, and a different containment requirement.
Privileged communications are the narrowest and most sensitive category. Emails between the lawyer and the client, attorney work product, internal strategy memoranda. These should never sit in shared inboxes, never appear in admin databases, and never be processed by tools the firm does not control. The reality of client confidentiality on the digital tools lawyers actually use is that the perimeter is narrower than most firms assume.
Case file data is broader. Pleadings, exhibits, deposition transcripts, expert reports. Some of this is publicly filed. Some of it is subject to protective orders. Some of it is informally sensitive but not technically privileged. Treating it all at the same protection level either over-protects routine documents or under-protects sensitive ones.
Administrative data is the third category. Billing records, retainer agreements, conflict checks, client contact information. This is the data that turns up in breaches at vendors like LexisNexis. It is also the data most likely to be exposed in routine SaaS breaches because it sits across more systems than the firm typically tracks.
The fourth category is the firm’s own internal communications about clients. The Slack thread where two associates debate strategy. The email chain debating whether to take a case. The partner’s notes to herself before a status conference. Most firms do not realise this data exists as a distinct corpus. Discovery counsel on the other side does.
Email is still where the breach happens
Every postmortem we have read or conducted on a law firm breach in the last three years includes email at the entry point or at the exfiltration point or both. Despite a decade of investment in document management, secure portals, and matter-centric architecture, the lawyer’s email account remains the single most consequential attack surface.
The single highest-impact change a firm can make today is to enforce phishing-resistant multi-factor authentication on every account that touches client data. Not text message codes. Not authenticator app TOTP. Hardware security keys or device-bound passkeys. The difference is not marketing: a FIDO2/WebAuthn assertion is bound to the origin that requested it, so a proxy page on a look-alike domain cannot obtain anything it can replay against the real service, whereas a TOTP code typed into that same page works for the attacker for the next thirty seconds. We have seen firms with TOTP enforced get breached through real-time phishing. We have not yet seen a firm with hardware keys enforced on email get breached through credential theft.
The second is to audit the autocomplete list. Outlook and Gmail both retain old recipient suggestions. We have seen a discovery production sent to a Gmail address with one letter different from a colleague’s name. The colleague had left the firm four years earlier. The address had been retained as a suggestion. The breach was the autocomplete.
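The autocomplete failure above is mechanical, so it can be caught mechanically at send time. The following is an added example, not tooling from the original guide: it takes an outgoing recipient list and flags the three patterns that recur in misdirected-email incidents: an address on the firm’s own domain that is no longer in the directory (a departed colleague or a typo), an external address whose mailbox name is within a couple of edits of a colleague’s (the Gmail near-miss), and a consumer mail domain. The firm domain, directory and recipient list are constructed sample data; a real deployment would read the directory from the firm’s identity provider and run as a mail-flow rule or add-in.

```python
"""
Send-time recipient check for outbound mail (added example, not from the guide).
A .docx-style scrubber is a separate concern; this only looks at addresses.
"""
from __future__ import annotations
from dataclasses import dataclass, field

FIRM_DOMAIN = "example-law.test"            # assumed firm domain, not a real one
FIRM_DIRECTORY = {                          # constructed sample directory
    "jsmith@example-law.test",
    "mchen@example-law.test",
    "rpatel@example-law.test",
}
CONSUMER_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}
MAX_EDITS = 2   # mailbox-name edit distance that still counts as a near miss


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    recipient: str
    reasons: list[str] = field(default_factory=list)
    nearest_colleague: str | None = None


def nearest_colleague(local: str, directory: set[str]) -> tuple[str | None, int]:
    """Directory entry whose mailbox name is closest to `local`, within MAX_EDITS."""
    best, best_d = None, MAX_EDITS + 1
    for entry in sorted(directory):
        d = edit_distance(local, entry.split("@", 1)[0])
        if d < best_d:
            best, best_d = entry, d
    return best, best_d


def check_recipients(recipients, directory=FIRM_DIRECTORY, firm_domain=FIRM_DOMAIN):
    """Return a Finding for every recipient that deserves a second look before send."""
    findings = []
    for raw in recipients:
        addr = raw.strip().lower()
        if addr in directory:
            continue                                        # known colleague
        local, _, domain = addr.partition("@")
        f = Finding(addr)
        near, dist = nearest_colleague(local, directory)
        if domain == firm_domain:
            f.reasons.append("firm domain but not in directory (departed or mistyped)")
        else:
            if near is not None and dist == 0:
                f.reasons.append("external address using a colleague's mailbox name")
            elif near is not None:
                f.reasons.append(f"external mailbox name {dist} edit(s) from a colleague")
            if domain in CONSUMER_DOMAINS:
                f.reasons.append("consumer mail domain")
        f.nearest_colleague = near
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    # Constructed recipient list for a discovery production.
    sample = ["jsmith@example-law.test", "mchem@gmail.com",
              "kwong@example-law.test", "counsel@opposing.test"]
    for f in check_recipients(sample):
        tail = f" (closest colleague: {f.nearest_colleague})" if f.nearest_colleague else ""
        print(f"{f.recipient}: {'; '.join(f.reasons)}{tail}")
```

The check is deliberately noisy in one direction: an external address that merely shares a colleague’s mailbox name is flagged too, because that is exactly what a personal account or a typo-squatted domain looks like from the sender’s side. The point is a prompt before send, not a block.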
The third is to stop using email for the largest single category of client communication where it adds the most exposure: document delivery. Sending a signed engagement letter back and forth as an attachment turns the firm’s most sensitive document into an artefact stored on at least four servers (the firm’s, the client’s, and both providers’ backup systems). Use a client portal. Track it. Audit it. Email is for conversation, not custody.
Documents and the metadata you ship with them
The volume of metadata embedded in a routine Word document is larger than most lawyers realise. Track changes history, author names, comments, document properties, hidden text, last-saved-by entries, the path on the local drive where it was edited. We have seen all of these surface in opposing motions filed in matters where the only intentional disclosure was the document text itself.
The basic discipline is to ship PDFs, not Word documents, for anything that leaves the firm. Generate the PDF from the final version. Use a tool that does not embed Word metadata into the PDF, and remember that a PDF carries its own Author, Producer and XMP fields, and that an export which preserves annotations carries the comments with it. Verify by opening the PDF’s properties before sending, not just the Word original’s. Five minutes of habit closes a category of exposure entirely.
For documents that must be sent as Word, run a metadata scrubber. Microsoft Word’s Document Inspector is a starting point. It does not catch everything. For documents being filed publicly or produced to opposing counsel, an additional verification step using a dedicated tool is warranted. A boutique IP firm we worked with lost a privilege dispute over a single comment left in a draft Word document produced in discovery. The substantive case had been winning. The metadata was not.
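The verification step for a Word file can be automated, because a .docx is a zip of XML parts and the artefacts the Document Inspector is supposed to remove live in known places. The script below is an added example, not a tool from the original guide: it reports authors, comments, tracked insertions and deletions, hidden-text runs, and the core and application properties (including the Company and Template fields) before the file leaves the firm. The sample document is constructed in memory to exercise every check; point `inspect_docx` at the bytes of a real file to run it on a production.

```python
"""
Pre-send verification of a .docx (added example, not from the guide).
Standard library only: a .docx is a zip of XML parts.
"""
from __future__ import annotations
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
W = "{%s}" % NS["w"]


def _part(z: zipfile.ZipFile, name: str) -> ET.Element | None:
    """Parse one XML part of the package, or None if the part is absent."""
    try:
        return ET.fromstring(z.read(name))
    except KeyError:
        return None


def inspect_docx(data: bytes) -> dict:
    """Collect everything beyond the visible text that the file would disclose."""
    report = {"authors": set(), "comments": [], "tracked_insertions": 0,
              "tracked_deletions": 0, "hidden_runs": 0, "properties": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = _part(z, "docProps/core.xml")          # creator, last-saved-by, revision
        if core is not None:
            for tag in ("dc:creator", "cp:lastModifiedBy", "cp:revision", "dc:title"):
                el = core.find(tag, NS)
                if el is not None and el.text:
                    report["properties"][tag] = el.text
                    if tag in ("dc:creator", "cp:lastModifiedBy"):
                        report["authors"].add(el.text)
        app = _part(z, "docProps/app.xml")            # company, attached template
        if app is not None:
            for tag in ("ep:Company", "ep:Template"):
                el = app.find(tag, NS)
                if el is not None and el.text:
                    report["properties"][tag] = el.text
        comments = _part(z, "word/comments.xml")      # reviewer comments
        if comments is not None:
            for c in comments.iter(W + "comment"):
                text = "".join(t.text or "" for t in c.iter(W + "t"))
                report["authors"].add(c.get(W + "author", ""))
                report["comments"].append((c.get(W + "author", ""), text))
        doc = _part(z, "word/document.xml")           # track changes, hidden text
        if doc is not None:
            for el in doc.iter():
                if el.tag == W + "ins":
                    report["tracked_insertions"] += 1
                    report["authors"].add(el.get(W + "author", ""))
                elif el.tag == W + "del":
                    report["tracked_deletions"] += 1
                    report["authors"].add(el.get(W + "author", ""))
                elif el.tag == W + "r" and el.find("w:rPr/w:vanish", NS) is not None:
                    report["hidden_runs"] += 1
    report["authors"].discard("")
    return report


def safe_to_send(report: dict) -> bool:
    """True only when nothing but the document text would be disclosed."""
    return not (report["comments"] or report["tracked_insertions"]
                or report["tracked_deletions"] or report["hidden_runs"]
                or report["authors"])


def build_sample_docx(scrubbed: bool = False) -> bytes:
    """Constructed draft (not a real client file); scrubbed=True keeps only the text."""
    doc = ('<w:document xmlns:w="%s"><w:body>'
           '<w:p><w:r><w:t>The witness testified on 3 March.</w:t></w:r></w:p>' % NS["w"])
    if not scrubbed:
        doc += ('<w:p><w:ins w:author="A. Associate"><w:r><w:t>allegedly </w:t></w:r></w:ins>'
                '<w:del w:author="P. Partner"><w:r><w:delText>clearly</w:delText></w:r></w:del></w:p>'
                '<w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>settlement floor is 250k</w:t></w:r></w:p>')
    doc += '</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        if not scrubbed:
            z.writestr("docProps/core.xml",
                       '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>A. Associate'
                       '</dc:creator><cp:lastModifiedBy>P. Partner</cp:lastModifiedBy>'
                       '<cp:revision>14</cp:revision></cp:coreProperties>' % (NS["cp"], NS["dc"]))
            z.writestr("docProps/app.xml",
                       '<Properties xmlns="%s"><Company>Example Law LLP</Company>'
                       '<Template>Normal.dotm</Template></Properties>' % NS["ep"])
            z.writestr("word/comments.xml",
                       '<w:comments xmlns:w="%s"><w:comment w:id="0" w:author="A. Associate">'
                       '<w:p><w:r><w:t>Client not credible on this point.</w:t></w:r></w:p>'
                       '</w:comment></w:comments>' % NS["w"])
    return buf.getvalue()


if __name__ == "__main__":
    r = inspect_docx(build_sample_docx())
    for k, v in r.items():
        print(f"{k}: {sorted(v) if isinstance(v, set) else v}")
    print("safe to send:", safe_to_send(r))
```

The inspector reports; it does not scrub. Removing parts from the package without also fixing the content-type and relationship entries produces a file Word refuses to open, so the safe workflow is to accept all changes, delete comments and run the Document Inspector in Word, then run this check on the result and refuse to send until `safe_to_send` returns true.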
Mobile devices and the home office problem
The pandemic ended five years ago. Hybrid work did not. Most firms now have lawyers handling privileged material on personal devices, in personal cloud storage, on home networks they did not configure, in coffee shops, on hotel Wi-Fi, in their parents’ guest rooms over the holidays.
The minimum bar for any device that touches privileged material is full-disk encryption, automatic lock with a strong passcode, biometric authentication, and the ability to be remotely wiped. Modern iPhones and iPads meet the encryption requirement by default once a passcode is set; remote wipe additionally requires Find My or enrolment in the firm’s device management. Most Macs meet it if FileVault is enabled. Windows machines require BitLocker, which ships with the Pro and Enterprise editions most firms already licence (Home editions offer only the more limited Device Encryption on supported hardware) and which many firms have never turned on, let alone escrowed the recovery keys for.
Personal cloud storage is the problem we see most often after a partner leaves. iCloud Drive, Google Drive, Dropbox, OneDrive personal accounts. Privileged documents end up there because the lawyer was working on the train and saved to Desktop without thinking about which Desktop sync was active. The firm’s matter centricity does not extend to the personal iCloud account.
The fix is policy plus enforcement, in that order. Policy that prohibits saving client material to personal cloud accounts. Enforcement through device management that prevents personal sync clients from running on firm-issued machines, or that requires lawyers to use firm-managed devices for any work outside the office.
Vendors and the chain of trust
Most law firms do not get breached through their own infrastructure. They get breached through a vendor. The document management vendor. The eDiscovery vendor. The court reporter. The cloud-hosted research platform. The accounting and trust-account software. The legal research database whose customer records were just leaked. Each one is a potential entry point that the firm does not control and often does not audit.
The baseline question to ask every vendor that touches client data is what they do when they receive a subpoena or court order for the firm’s data. The right answer is that they notify the firm and give the firm an opportunity to move to quash before producing. The wrong answers include “we comply with all lawful requests” without any notification commitment, or “we are required to keep such requests confidential” without specifying under what authority.
The second baseline question is what authentication they require for administrative access to your data. Vendors who allow password-only or text-message-MFA login to admin consoles handling client data are exposing the firm by proxy. The detailed posture for client data across vendors and platforms is a separate operational document. The summary is that the firm’s security is the vendor’s security.
When law enforcement requests arrive
Most firms have a written policy for responding to subpoenas served on the firm itself. Far fewer have a policy for responding to subpoenas served on their cloud providers, their email host, or their court reporter. The firm does not always receive notice of these. When notice arrives, the window to act is sometimes measured in days.
A lawful subpoena to a cloud provider can reach metadata about which clients you communicated with, when, and from where. A search warrant can reach the content of those communications. A pen register or trap-and-trace order can reach prospective routing and addressing information, meaning who you communicate with going forward, though not content. Each instrument has a different legal threshold and a different scope. The ABA Model Rules of Professional Conduct, specifically Rule 1.6 on confidentiality and Rule 1.1 on competence, treat the lawyer’s understanding of these mechanics as a professional obligation, not an optional specialisation.
The practical workflow we recommend is to ensure that every vendor commits in writing to notice before production, to maintain a designated firm contact for legal process, and to have engaged outside counsel for technology law matters before the firm needs one. The lawyer who looks for a privacy lawyer the day they receive an unexpected vendor notice is starting from the wrong end.
Breach response: the first 72 hours
When a breach happens, the first 72 hours decide whether the firm controls the narrative, the remediation, and the disclosure, or whether it spends the next six months reacting to events driven by others.
The first action is containment. The second is preservation of evidence. These two often conflict. Pulling a compromised laptop off the network protects the rest of the firm but can destroy forensic indicators that would tell you what was taken. The right sequence is to engage incident response before unplugging anything. The detailed playbook for the first hours after a law firm breach walks through this sequence step by step.
The third action is notification: not yet to clients, not yet to the bar, but internally. The managing partner, the firm’s general counsel or designated incident officer, the IT director, the outside counsel for cyber matters. Build the chronology in writing from hour one. Memory will compress over the following days. The contemporaneous notes are what survive.
The fourth action is the legal posture: what does the firm owe its clients, its insurer, its bar, and the affected states’ attorneys general? Each jurisdiction has its own breach notification timeline. Some are measured in days from discovery. Others key off “without unreasonable delay.” None of them start running when the firm decides it is ready to act.
What we have seen go wrong
Patterns from the last twenty-four months of firm-side incidents we have worked or read about, anonymised:
A boutique intellectual property firm paid a ransomware operator after its document management system was encrypted. Six months later it was hit by a different operator using the same initial vector that had never been remediated. The firm paid again.
A solo family law practitioner used a consumer chatbot to draft a motion. Opposing counsel obtained the chat history through a third-party discovery request and produced excerpts as evidence of the firm’s litigation strategy. The matter settled. The case will appear in continuing education materials for years.
A criminal defence lawyer sat in his client’s interview room and watched a forensic examiner extract the contents of his client’s seized iPhone in under an hour. The client’s phone had a six-digit passcode. The lawyer’s own phone, which he had assumed was secure for the same reason, was set up identically. A six-digit numeric passcode is within reach of commercial forensic tooling; a long alphanumeric one is not the same problem.
A regional personal injury firm contracted a court reporter who employed a transcriptionist with a documented stalking history. The transcriptionist was given access to deposition recordings involving a witness in a custody-related matter. The firm became a defendant in the resulting civil suit.
A mid-size litigation firm produced a Word document in discovery without scrubbing metadata. A track-changes comment by a junior associate, describing the client’s testimony as “not credible,” surfaced in opposing counsel’s motion for sanctions. The associate left the firm. The client did not stay.
None of these were caused by sophisticated technical attacks. Each was caused by a discipline gap that existed before the technology arrived and that the technology amplified.
Frequently asked questions
Does a lawyer have an ethical obligation to understand technology security?
Yes. ABA Model Rule 1.1, Comment 8, makes the duty of competence include the benefits and risks associated with relevant technology. Most state bars have adopted equivalent language. Bar opinions on cloud computing, email encryption, electronic discovery, and increasingly on generative AI use, all treat the lawyer’s understanding of how these tools handle privileged information as professionally required, not optional.
Is email encryption mandatory for client communications?
Not under most current rules, but the analysis has shifted. ABA Formal Opinion 477R established that lawyers should evaluate whether stronger protection than standard email is required based on the sensitivity of the communication. For routine matters, standard email between properly authenticated accounts is generally accepted. For high-sensitivity matters, especially those involving foreign parties, criminal exposure, or trade secrets, the analysis is increasingly that the lawyer should affirmatively use stronger protection rather than default to email.
What is the single most important security control for a small firm?
Phishing-resistant multi-factor authentication on email and on every cloud platform that touches client data. Hardware security keys or device-bound passkeys, not TOTP codes. This single control prevents the majority of breach vectors we see in incident response work. Everything else is a layer on top of this baseline.
If the firm uses a major cloud provider, is that enough?
Major cloud providers offer significantly better baseline security than most firms can build internally. They do not provide automatic compliance with the lawyer’s professional obligations. Configuration choices, access controls, audit logging, retention policies, response to legal process, and incident notification commitments all remain the firm’s responsibility. A cloud provider is a building block. The professional posture around it is the firm’s.
Should the firm carry cyber liability insurance?
Yes, and the policy should be reviewed by someone who reads cyber policies for a living, not by the firm’s general business broker. Coverage for breach response costs, ransomware payments, regulatory fines, and client notification expenses varies substantially across policies. Specific exclusions for inadequate security controls, social engineering, and prior known incidents are the points where coverage most often fails when claimed. The time to read the policy is before the incident.
The lawyer’s professional obligations did not change when the practice of law moved into the cloud. The technology changed. The duty of competence did not. What this guide describes is the operational version of what was already required: keeping privileged information privileged, in conditions that did not exist when the rules were written, against adversaries whose tools were not contemplated. None of it requires becoming a security engineer. All of it requires deciding that the discipline matters and then maintaining it.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
