SOCHQ Pro+ · For law firms

Cybersecurity for Law Firms: Your Ethical Duty, Without an Enterprise Budget

A plain-language guide for small and solo law firms — what the rules of professional conduct actually require, the threats aimed squarely at you, and how a small firm meets the bar without a security team.

This is practical guidance, not legal or ethics advice. Your obligations depend on your jurisdiction and your specific practice. Confirm with your state bar's rules and a qualified professional before making decisions.

For most businesses, weak security is a financial risk. For a law firm, it's also an ethical one. The duty to protect client information isn't a best practice you can get to later — it's written into the rules that govern your license. And the people trying to get at that information know exactly how valuable it is.

The good news: meeting your obligations doesn't require an enterprise budget or an IT department. It requires understanding what "reasonable efforts" actually means today, and doing a handful of things in the right order. Let's walk through it.

Why firms are targeted disproportionately

Attackers target law firms on purpose. You hold litigation strategy, intellectual property, M&A details, settlement terms, and the personal data of every client — concentrated, sensitive, and monetizable. The most common threats today are spear phishing, ransomware, business email compromise, supply-chain compromise through your vendors, and the simple theft of a laptop or phone.

And here's the leverage that makes firms especially attractive: time pressure. A litigation firm in trial can't pause while systems are restored. A criminal defense firm with clients in custody faces speedy-trial obligations. Ransomware that hits during a critical deadline gives the attacker enormous leverage — which is precisely why they aim at firms. Ransom demands against professional-services firms exceeded $1.2 million on average in 2025, and even firms with backups face weeks of recovery.

Your obligations aren't optional — they're ethical

The ABA Model Rules of Professional Conduct (adopted, with variations, by most states) make data protection a duty of the license:

Rule 1.6(c) — Confidentiality. This is the core. Lawyers must make "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to," information relating to a representation. That's an affirmative duty to secure client data — not just to avoid leaking it yourself.
Rule 1.1 — Competence (Comment 8). Competence now explicitly includes keeping abreast of "the benefits and risks associated with relevant technology." You can't competently protect what you don't understand.
Rule 1.4 — Communication. Includes keeping clients informed — which, after an incident, can mean notifying them.
Rules 5.1, 5.2, 5.3 — Supervision. You're responsible for the security practices of your staff and your vendors (your IT provider, your cloud host, your e-discovery platform).
Rule 1.15 — Safeguarding Property. Increasingly read to include client data, not just funds.

The critical point most firms miss: the standard is whether you made reasonable efforts — not whether harm occurred. A bar can open disciplinary proceedings if an investigation finds you lacked basic safeguards like MFA, encryption, or staff training, even if no client was ever harmed. The absence of effort is itself the violation.

State bars increasingly spell this out. The New York State Bar, for example, has urged all attorneys to implement multi-factor authentication, encrypted email for sensitive communications, documented incident response plans, written cybersecurity policies, and staff training.

What "reasonable efforts" looks like in practice

Translated for a small or solo firm:

Multi-factor authentication (MFA) everywhere. On email, your practice management system, document storage, and any cloud tool. It's the single highest-impact, lowest-cost control, and it's increasingly the baseline bars expect.
Encryption for sensitive data and communications. ABA Formal Opinion 477R holds that unencrypted email is generally fine for routine matters, but encryption is required when the sensitivity warrants it — Social Security numbers, financial records, trade secrets, or matters with sophisticated adversaries. At minimum, use encrypted email transport and a secure client portal for sensitive documents.
Tested backups and a recovery plan. Your defense against ransomware's time-leverage. If you can restore quickly, the threat loses much of its power. Test a restore — backups you've never tested are a guess.
Vendor due diligence. Every vendor with access to client data is a potential breach path — the 2025 MOVEit vulnerability cascaded across thousands of organizations, including firms that used it for file transfer. Know who touches your data, put security expectations in your contracts, and don't rely solely on a vendor's self-reported posture.
A written incident response plan. Who does what, who gets notified, in what order — decided before a 2 a.m. crisis, not during one.
Staff training. Your people are the front line against phishing and business email compromise. Brief, regular training prevents the click that starts most breaches.
Documentation. To a bar investigator, undocumented security is no security. Keep your policies, your risk assessment, and your training records.

"We're a small firm — we can't afford enterprise security"

This is the honest objection, and historically it had teeth. The tools that deliver real protection — continuous monitoring, threat detection, a security operations center watching for trouble — were priced and built for large firms. A three-attorney practice was told to buy enterprise software or hope for the best.

That gap is what's changed. Enterprise-grade security no longer has to mean enterprise-priced security. The same monitoring that protects a 500-attorney firm now scales down to a solo practice at a fraction of the cost. And the math has always favored prevention: the expensive path is the breach — the ransom, the missed deadline, the malpractice exposure, the bar complaint, the clients who leave.

What to do this quarter

Turn on MFA across email and every system holding client data.
Set up encrypted email and a secure client portal for sensitive material.
Fix and test your backups.
List your vendors with data access and confirm your contracts address security.
Train your team on phishing and write a simple incident response plan.
Document all of it, so you can show reasonable efforts.

How SOCHQ Pro+ fits

SOCHQ Pro+ gives a small firm the protection a large firm has — continuous monitoring, threat detection, asset visibility, and the documentation trail that demonstrates reasonable efforts — built and priced for a practice without an IT department. It's made by people who run security operations centers for a living, scaled down on purpose.

It doesn't replace your judgment about your ethical obligations, and it isn't legal advice — but it handles the watching and much of the technical work that "reasonable efforts" now requires, so you can focus on practicing law.

Again: guidance, not legal or ethics advice. Confirm your specific obligations with your state bar's rules and a qualified professional.

Want a quick read on where your firm stands? Take the free SOCHQ Law Firm Cyber Readiness check — a short assessment that flags your biggest gaps against the safeguards bars expect.

— The SOCHQ Pro+ team

See where your firm stands.

Free, private, 2 minutes — and you'll leave with a prioritized action plan.

Free security assessment

← Back to the overview