
Law Firms Are Prime Targets for Hackers. Here's Why.


If you're a hacker looking for valuable data, law firms are a goldmine. Corporate merger details. Intellectual property. Financial records. Litigation strategies. Personal information on high-net-worth individuals. Medical records in personal injury cases. Real estate transaction details. Trust and estate documents.

All of this lives in law firm systems. And many firms, particularly small and mid-size firms, have security postures that are significantly weaker than the corporations and individuals whose data they hold.

Why Law Firms Are Targeted

They Have What Attackers Want

A corporate law firm working on a merger has access to material non-public information that could be worth millions in insider trading. A firm handling patent applications has intellectual property that competitors would pay for. A personal injury firm has medical records, SSNs, and settlement amounts. The data density in a law firm is extraordinary.

They're Often the Weak Link

A Fortune 500 company might spend millions on cybersecurity. The law firm advising them on a deal? They might have a firewall, basic antivirus, and a shared password for their document management system. Attacking the law firm to get the corporation's data is often easier than attacking the corporation directly.

They Have Ethical Obligations

Attorneys have ethical duties of confidentiality and competence. A data breach at a law firm isn't just a business problem. It's a potential bar complaint. The ABA's Model Rule 1.6 (Confidentiality of Information) and Formal Opinion 477 make clear that lawyers must take reasonable measures to protect client information when using technology. "I didn't know" isn't an acceptable defense.

Common Vulnerabilities We See

  • Email as file transfer: Sending unencrypted documents containing sensitive case information via regular email. No encryption, no password protection, no secure portal.
  • Weak access controls: Every attorney and paralegal can access every client file. No matter separation. No need-to-know enforcement.
  • No mobile device management: Attorneys accessing client files from personal phones and tablets with no encryption, no remote wipe capability, and no separation from personal apps.
  • Remote access without 2FA: Attorneys working from home or traveling, accessing firm systems through VPN or remote desktop with just a password.
  • Outdated systems: Practice management software that hasn't been updated in years. Servers running end-of-life operating systems.

Minimum Security Standards for Law Firms

  1. Encrypt everything. Full disk encryption on every device. Encrypted email for sensitive communications. Encrypted file sharing instead of email attachments.
  2. Two-factor authentication. On email, remote access, document management systems, and cloud services. Non-negotiable.
  3. Matter-based access controls. Staff should only access matters they're working on. Configure your DMS to enforce this.
  4. Mobile device management. If attorneys access firm data on personal devices, implement MDM to ensure encryption, enable remote wipe, and separate firm data from personal apps.
  5. Incident response plan. Know what you'll do when (not if) a breach occurs. Your ethical obligations include prompt notification to affected clients.
  6. Cyber insurance. As we wrote about last year, the cost is minimal compared to the risk. Many malpractice carriers now offer cyber endorsements.
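One way to express the matter-based rule from item 3 in code, as an added illustration that is not from the original post or from any DMS product: access is granted only to users assigned to a matter, everything else is denied by default, and each denial is logged for review. The matter ids, user names and document names are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class MatterAccessPolicy:
    """Need-to-know check for a document management system (DMS).

    A user may open a document only if assigned to the matter it belongs to.
    Unknown matters and unassigned users are denied by default, and every
    denial is recorded so repeated probing can be reviewed later.
    """
    # matter id -> user ids assigned to work on that matter
    assignments: dict[str, set[str]]
    # accounts that may reach every matter (records/IT); keep this set tiny
    admins: set[str] = field(default_factory=set)
    audit_log: list[str] = field(default_factory=list)

    def can_access(self, user: str, matter: str, document: str) -> bool:
        """Return True only for assigned users or admins; log every denial."""
        allowed = user in self.admins or user in self.assignments.get(matter, set())
        if not allowed:
            self.audit_log.append(f"DENY user={user} matter={matter} doc={document}")
        return allowed

    def visible_matters(self, user: str) -> list[str]:
        """Matters a user may see; a DMS search should be filtered to this list."""
        if user in self.admins:
            return sorted(self.assignments)
        return sorted(m for m, users in self.assignments.items() if user in users)

    def denied_attempts(self, user: str) -> int:
        """Number of logged denials for one user (a review trigger, not a verdict)."""
        return sum(1 for line in self.audit_log if f" user={user} " in line)


def build_sample_policy() -> MatterAccessPolicy:
    """Constructed sample data: two matters staffed by different teams."""
    return MatterAccessPolicy(
        assignments={
            "M-1001": {"alice", "carol"},   # corporate merger team
            "M-2002": {"bob", "carol"},     # personal injury team
        },
        admins={"records_admin"},
    )


if __name__ == "__main__":
    policy = build_sample_policy()
    print(policy.can_access("alice", "M-1001", "merger_term_sheet.docx"))  # True
    print(policy.can_access("bob", "M-1001", "merger_term_sheet.docx"))    # False
    print(policy.visible_matters("bob"))                                   # ['M-2002']
```

The same deny-by-default shape applies whether the check lives in the DMS itself or in a gateway in front of it; the point is that assignment to the matter, not membership in the firm, is what grants access.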

Your clients trust you with their most sensitive information. That trust comes with an obligation to protect it. The threat is real, the stakes are high, and the standards are rising. Don't wait for a breach to take action.