Law Firm Data Security — How to Protect Attorney-Client Privilege in 2026


Law firms hold some of the most sensitive data in existence. Merger and acquisition strategy before a deal closes. Criminal defense details that could mean the difference between freedom and incarceration. Immigration records tied to a client's ability to remain in the country. Estate plans revealing the full financial picture of a family across generations. Litigation strategy that opposing counsel would pay dearly to see.

This is precisely why law firms have become prime ransomware targets. The cost of unauthorized disclosure — to clients, to the firm, and to the attorneys personally — is catastrophic on every dimension. Financially. Reputationally. Ethically. A ransomware group attacking a hospital expects the hospital to pay to restore medical records. A ransomware group attacking a law firm expects the firm to pay to keep client files from being released publicly. The extortion math is different, and criminals have figured it out.

The response cannot be reactive. By the time you are negotiating with a threat actor at 2 a.m., the decisions that could have prevented it were made months or years ago — in how you configured your document management system, whether your attorneys use MFA, and whether anyone has tested your backups in the last 12 months.

ABA Model Rule 1.1 — Technological Competence

The ABA's 2012 comment update to Model Rule 1.1 changed what it means to be a competent attorney. The rule now requires lawyers to stay current with "the benefits and risks associated with relevant technology." That language was broad by design, and state bars have spent the intervening years interpreting it in progressively stricter terms.

Technological competence is no longer optional continuing education. It is a professional obligation. And it is increasingly interpreted to include meaningful cybersecurity awareness — not the ability to write code, but the ability to understand how your tools work, who has access to them, and what the failure modes look like.

In practice, that means understanding how your email system routes and stores messages. It means knowing which staff members have access to which client matters in your document management system. It means knowing the answer to "if our office manager clicks a phishing link tonight, what happens next?" If you don't know the answer to that question, you are not yet operating at the level of technological competence the ABA expects.

It also means having a data breach response plan before you need one — not writing one the morning after an incident. State bar ethics opinions in California, New York, and Florida have all reinforced this point in recent years: the plan must exist, it must be documented, and attorneys must understand their role in it.

ABA Model Rule 1.6 — Confidentiality and "Reasonable Measures"

Model Rule 1.6(c) requires attorneys to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." That phrase — reasonable efforts — is doing a lot of work, and its meaning has evolved significantly as the threat environment has changed.

ABA Formal Opinion 477R: unencrypted email may be insufficient for highly sensitive client matters, and attorneys should consider encryption for confidential communications.

The practical implications of Rule 1.6 in the current environment are specific and actionable. Encrypted email for sensitive matters is no longer a nice-to-have — it is the baseline for communications involving material non-public information, criminal defense strategy, or immigration status. Sending unencrypted email containing that category of information and suffering a breach is a difficult position to defend before a state bar grievance committee.

Secure file-sharing must replace the habit of emailing attachments. When a client or opposing counsel needs a document, the transmission method matters. Unsecured email attachments sit in mail servers, personal accounts, and backup systems for years. A secure file-sharing portal with expiring links and access logging is materially more defensible — both to your clients and to regulators.

Access controls on your document management system are a direct Rule 1.6 issue. If every person in your firm can open every client file regardless of whether they work on that matter, you have already failed a basic confidentiality obligation. The technology to fix this has existed for decades. Implementing it is a reasonable effort. Not implementing it is not.

The DMS Security Checklist

Document management systems — iManage, NetDocuments, Worldox, SharePoint configured for legal use — are the operational heart of a law firm's data security posture. They are also among the most commonly misconfigured systems we encounter when we assess legal clients. The following eight items represent the minimum acceptable configuration for any firm with a duty of confidentiality.

1. Role-based access controls (partners vs. associates vs. staff). Not everyone in the firm needs access to every matter. Segment access by role, and configure your DMS to enforce it. Partners managing a sensitive acquisition should not share a permission tier with administrative staff.

2. Matter-level permissions for sensitive cases. Beyond role-based tiers, your highest-sensitivity matters — criminal defense, M&A pre-close, immigration, domestic relations — should have matter-level access restrictions requiring affirmative authorization for each user added.

3. MFA on all DMS access. Multi-factor authentication must be enforced at the DMS login, not just the network perimeter. Attorneys accessing NetDocuments or iManage from home, from court, or from a hotel network should require a second factor every time.

4. Audit logs of who accessed what and when. Your DMS should maintain tamper-resistant logs recording every document access, download, and modification by user, timestamp, and IP address. These logs are essential for both breach investigation and bar grievance defense.

5. Secure external sharing — no USB drives, no personal email. External document sharing must flow through your DMS's built-in sharing portal or a managed file transfer tool. USB drives create untracked copies. Personal email creates records outside your control. Both are hard to defend under Rule 1.6.

6. DMS vendor BAA if applicable. If your DMS vendor has access to or stores data for matters involving HIPAA-covered clients (a personal injury firm, a healthcare transaction practice), confirm whether a Business Associate Agreement is required and whether your vendor will execute one.

7. Off-site backup independent of your DMS vendor. If your DMS vendor suffers an outage, a ransomware incident, or a billing dispute that locks your account, you need a copy of your data that you control. Independent, encrypted, off-site backup is not optional.

8. Annual access review to remove departed users. Former associates, summer clerks, contract attorneys, and staff who left the firm must be deprovisioned promptly. An annual audit of all active DMS accounts against current personnel is the minimum standard. Quarterly is better.
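The access review in item 8 (and the MFA requirement in item 3) is easy to state and easy to skip; the script below is an added example, not code from this article or from any DMS vendor, that reconciles an exported account list against the HR roster and flags departed users still holding accounts, accounts without MFA, and dormant accounts. The CSV columns, the 90-day dormancy threshold, and every username are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed DMS account export; the column names are assumptions, not any
# vendor's real export format.
DMS_EXPORT = """username,last_login,mfa_enabled,role
jsmith,2026-01-14,yes,partner
aclerk,2025-06-02,no,summer_clerk
mjones,2026-01-10,no,associate
tcontract,2025-11-20,yes,contract_attorney
opsmgr,2026-01-12,yes,staff
"""

# Constructed HR roster of current and departed personnel.
HR_ROSTER = """username,status,departure_date
jsmith,active,
aclerk,departed,2025-08-15
mjones,active,
opsmgr,active,
"""

DORMANT_AFTER = timedelta(days=90)  # assumed threshold for a dormant account


def review_access(dms_csv, hr_csv, today_iso):
    """Compare DMS accounts against the roster and return (username, finding)
    pairs that the access review must act on."""
    today = date.fromisoformat(today_iso)
    roster = {r["username"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(dms_csv)):
        user = acct["username"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "account has no matching person in the HR roster"))
        elif person["status"] == "departed":
            findings.append((user, f"departed {person['departure_date']} but account still active"))
        if acct["mfa_enabled"].strip().lower() != "yes":
            findings.append((user, "MFA not enabled on DMS login"))
        if today - date.fromisoformat(acct["last_login"]) > DORMANT_AFTER:
            findings.append((user, f"dormant since {acct['last_login']}"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(DMS_EXPORT, HR_ROSTER, "2026-01-15"):
        print(f"{user}: {finding}")
```

Run against the constructed data, the summer clerk who left in August is reported three times (departed, no MFA, dormant), the associate once for missing MFA, and the contract attorney once for having no roster entry at all.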

Ransomware: Why Law Firms Are Attractive Targets

The ransomware economics of targeting a law firm are straightforward from an attacker's perspective. The data is high-value. The firm's reputational exposure from disclosure is severe. And law firms — particularly those with under 100 attorneys — frequently operate with smaller IT teams relative to the sensitivity of the data they hold. That combination makes them a preferred target category for ransomware-as-a-service operations.

The Grubman Shire Meiselas & Sacks attack in 2020 is the case study the legal industry still talks about. The REvil ransomware group encrypted the firm's systems, exfiltrated approximately 756 gigabytes of client files, and publicly demanded $42 million in ransom — specifically threatening to release material related to high-profile entertainment clients to maximize pressure. When the firm declined to meet the demand, partial client files were released publicly. The reputational and legal fallout was significant, and the firm was not a small operation — it was a well-resourced entertainment and media law firm with a national reputation.

Three controls are non-negotiable in the post-Grubman threat environment. First: immutable backup, meaning a backup that cannot be encrypted or deleted by ransomware even if an attacker gains administrative access to your systems. Second: Endpoint Detection and Response (EDR) on every workstation and server, providing behavioral analysis that catches ransomware activity before encryption begins. Third: email security — a gateway that inspects attachments, follows links, and blocks malicious content before it reaches an attorney's inbox. These three controls, deployed correctly, stop the majority of ransomware attacks before they cause material damage.

Client Trust Accounts and Business Email Compromise

IOLTA client trust accounts present a distinct and serious threat vector that ransomware alone does not capture. These accounts hold client funds — settlement proceeds, retainers, real estate transaction funds — and they are high-value wire targets for business email compromise (BEC) attacks.

The attack pattern is consistent: a threat actor compromises an email account inside the firm — typically through a phishing attack or a credential obtained from a data breach — and monitors communication patterns silently for days or weeks. When a large wire transfer is being coordinated, the attacker sends a fraudulent email appearing to come from the attorney, instructing the client or the title company to change wire instructions to an account the attacker controls. By the time the misdirection is discovered, the funds have been moved through multiple accounts and are largely unrecoverable.

A callback verification policy is mandatory for any firm handling wire transfers. When wire instructions arrive by email — regardless of who the email appears to come from — the firm must verify the instructions by calling the sender on a previously known phone number, not a number provided in the email itself. This single control stops BEC wire fraud in the overwhelming majority of cases.

Dual control for wire transfers over $10,000 adds a second layer: no single person should be able to initiate and approve a wire transfer without a second authorized party confirming the instructions. This is standard practice in banking and increasingly expected in legal practice management. If your firm regularly handles real estate closings, settlement distributions, or large retainers, implementing dual-control approval is one of the highest-ROI risk controls available to you.
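The two controls above can be enforced mechanically before a wire is released. The function below is an added example (not code from this article or from any practice-management product) that checks a wire request for both: the callback must have gone to the number already on file for the counterparty, never to a number lifted from the email, and any amount over $10,000 needs two distinct approvers. The request fields, the contact directory, and all phone numbers and addresses are constructed.

```python
import re

DUAL_CONTROL_THRESHOLD = 10_000  # dollars, per the dual-control rule above

# Constructed directory of previously verified phone numbers, keyed by the
# counterparty's known email address. All values are placeholders.
KNOWN_NUMBERS = {
    "closing@acme-title.example": "+1-555-010-0100",
}

PHONE_RE = re.compile(r"\+?1?[-. ]?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}")


def _digits(number):
    """Normalise a phone number to its 10 significant digits."""
    d = re.sub(r"\D", "", number)
    return d[1:] if len(d) == 11 and d.startswith("1") else d


def check_wire_release(request):
    """Return (ok, problems) for a request dict with keys: sender, amount,
    email_body, callback_number, approvers."""
    problems = []
    known = KNOWN_NUMBERS.get(request["sender"])
    called = _digits(request["callback_number"])
    if known is None:
        problems.append("no previously verified number on file for sender")
    elif called != _digits(known):
        in_email = {_digits(n) for n in PHONE_RE.findall(request["email_body"])}
        if called in in_email:
            problems.append("callback used a number supplied in the email, not the number on file")
        else:
            problems.append("callback was not made to the number on file")
    if request["amount"] > DUAL_CONTROL_THRESHOLD and len(set(request["approvers"])) < 2:
        problems.append("dual control: two distinct approvers required above $10,000")
    return (not problems, problems)


# Constructed request: instructions changed by email, and staff called the
# number printed in that same email with only one approver on record.
SUSPECT_REQUEST = {
    "sender": "closing@acme-title.example",
    "amount": 250_000,
    "email_body": "Updated wire instructions attached. Confirm by calling 555-010-0199.",
    "callback_number": "555-010-0199",
    "approvers": ["jsmith"],
}

if __name__ == "__main__":
    print(check_wire_release(SUSPECT_REQUEST))
```

The same request passes once the callback goes to the directory number and a second approver is recorded; the attacker's number in the email body is then simply ignored.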

The Numbers Behind the Risk

71% of law firms with 100 or fewer attorneys reported a security incident in 2023 — yet only 43% had a written incident response plan. (ABA Legal Technology Survey 2023)

That gap — between the frequency of incidents and the fraction of firms prepared to respond to one — is the operational reality of the legal sector right now. Most small and mid-size firms know they are at risk. Fewer have taken the structural steps to respond effectively when an incident occurs. The firms that have a written, tested incident response plan before they need it spend less time in crisis, incur lower recovery costs, and are in a materially better position when they face bar grievance inquiries or client notification obligations.

The incident response plan does not need to be a hundred-page document. It needs to clearly answer four questions: Who do we call in the first hour? What do we preserve and what do we isolate? Who do we notify and when? And who makes decisions when the managing partner is unreachable? If your firm can answer those four questions right now, without looking anything up, you are ahead of the majority of your peer firms in the 2023 survey.

IT Services Built for Law Firms

IT Center works with law firms across Southern California to implement DMS security, encrypted communications, immutable backup, and incident response planning — all aligned to ABA Model Rule obligations. Let us show you what your firm's current exposure looks like.
