Cyber Security for Law Practices

The modern security challenges facing law firms are more complex than ever. Regardless of its size, a firm is obligated to follow the data breach laws established in all 50 states, which require disclosure within a reasonable time following a cyber attack. This has forced law firms to take preventative measures to mitigate the risk of a breach by implementing security policies and procedures.

Cybercriminals seek to exploit targets that are well-funded and have a lot to lose if their private information is made public. Attacks on law firms have become more common and frequent. It’s not enough to try to keep up with the latest in security compliance and data protection; your legal firm has to be prepared to protect its confidential data.

Failure to properly secure your Practice’s data puts you and your firm at risk. Beyond that, it can violate the trust you have with your clients and can damage your firm’s reputation.

Cybercriminals view attorneys’ protected data as a highly exploitable and lucrative target. Information contained within your business’s network can be a treasure trove for those wishing to do you harm. Consider what’s on your servers (local and/or cloud). This may include:

  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Intellectual Property
  • Client Confidential Information
  • Sensitive HR Information including Employee Files
  • Merger, Acquisition, and Business Records

All of this, as well as other confidential information including Attorney-Client privileged data, is of great interest to hackers and cybercriminals. You have an obligation to protect client information, and failure to do so leaves you open to disrupted operations, serious legal ramifications, and reputational damage.

Today, hackers will go so far as to encrypt sensitive data and then threaten to release it to the public. They will even contact the firm’s clients in an effort to pressure the firm and extort a faster payout.


The American Bar Association has its own set of rules (Model Rules of Professional Conduct) that Practices are required to follow. Rule 1.6(c) states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

The ABA has also released multiple Ethics Opinions that provide guidance for lawyers on how to address cybersecurity. These include “Lawyer’s Obligations After an Electronic Data Breach or Cyber Attack” and “Securing Communication of Protected Client Information.”




Protecting your firm’s and your clients’ data requires a multi-faceted approach. If you have the financial resources, you may already have an Information Security Officer (ISO) or, better yet, a Chief Information Security Officer (CISO). If not, it may be wise to consider vCISO Services from JANUS. Many firms lack these resources, and all too often security is relegated to the internal IT department or a Managed Service Provider (MSP) that is responsible for day-to-day IT operations and maintenance.

Utilizing internal resources to manage security is a two-fold challenge. The first issue is that they are focused on keeping day-to-day operations running smoothly, leaving them little time to focus on security.

The bigger issue is that they are most likely not certified security specialists. Properly addressing security requires a specialist with experience in the field who can devote 100% of their time to security-related issues.

Your Practice may have availed itself of an MSP to reduce payroll, headcounts, and operational complexity. Undoubtedly your MSP has sold you on the concept that a single organization can take care of all your IT needs, including security. When it comes to assessing your cyber readiness, your MSP will most likely be hesitant to divulge weaknesses since that would be admitting that their performance is less than stellar.


Assessing your cyber readiness requires a firm that is independent and has no hidden agendas. JANUS sells no hardware or software, and we never approach a client with an eye toward selling hardware or software solutions. When it comes to security, our singular focus is protecting your clients, and the Practice, in the best possible manner.

Consider having a conversation with a specialist security organization that understands and has deep expertise in the challenges that legal teams face today. In business since 1988, JANUS Associates can help you meet your security, privacy, and compliance goals. Reach out today.
