Here's a question every managing partner should ask themselves: if opposing counsel subpoenaed your firm's cybersecurity practices tomorrow, would you be comfortable with what they'd find?
For most small and mid-sized law firms in Ohio, Michigan, and Indiana, the honest answer is no. And that's not because attorneys don't care about security — it's because most firms have never had anyone sit down and explain what "reasonable" cybersecurity actually looks like for a legal practice.
Let's fix that.
The Ethical Obligation You Might Be Overlooking
The American Bar Association's Model Rule 1.6 (Confidentiality of Information) was amended over a decade ago to include a duty to make "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
The Ohio Rules of Professional Conduct mirror this requirement, and so do the Michigan and Indiana rules. Translation: protecting client data isn't just good practice, it's an ethical obligation. And "reasonable efforts" means more than a strong password and a locked filing cabinet.
What constitutes "reasonable" depends on the sensitivity of the information, the likelihood of disclosure if additional safeguards aren't used, the size and resources of the firm, and the cost and difficulty of the safeguards themselves. But here's what it definitely doesn't mean: running Windows 10 (out of support since October 14, 2025, so it no longer receives security patches) on machines that store client files, having no email encryption, sharing passwords, and backing up to a USB drive that sits on someone's desk.
If that sounds like your firm, keep reading.
Law Firms Are High-Value Targets (And Not Just the Big Ones)
There's a misconception that cyberattacks only target AmLaw 100 firms with deep pockets and high-profile clients. In reality, attackers routinely go after small and mid-sized firms precisely because they expect weaker defenses, nobody watching the logs, and the same access to client funds and client data that a large firm would offer.
Think about what a typical 15-attorney firm has on its network: client financial information, Social Security numbers, medical records from personal injury cases, business trade secrets from commercial litigation, real estate transaction details, estate planning documents with complete personal and financial histories. That's a goldmine for criminals.
Business Email Compromise (BEC) is one of the most common and most costly attacks against law firms. Here's how it works: an attacker gains access to an attorney's email account (usually through a phishing page that captures the password, and often the MFA code along with it), quietly reads conversations for days or weeks, typically adds an inbox rule so that replies about the deal are forwarded out or hidden from the attorney, and then at the right moment, say during a real estate closing, sends wire transfer instructions from the attorney's actual email address to the client or title company, redirecting funds to an account the attacker controls. A variant needs no account takeover at all: the attacker registers a lookalike domain and times the fraudulent instructions using what they learned from a compromised mailbox elsewhere in the transaction.
The FBI's Internet Crime Complaint Center (IC3) logged more than 21,000 BEC complaints and over $2.9 billion in reported losses for 2023. Law firms are disproportionately targeted because they regularly handle large financial transactions and because clients trust emails from their attorney without question.
One compromised email account. One fraudulent wire instruction. Hundreds of thousands of dollars gone, and usually unrecoverable once the receiving bank has moved the money on. And the malpractice exposure that follows.
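The inbox-rule and forwarding tricks described above are the first thing to hunt for when a mailbox may have been compromised. The script below is an added example written for this article, not something from the original post or from any vendor's toolkit. It flags the persistence a BEC attacker typically leaves behind in Exchange Online: inbox rules that forward, redirect or hide mail, mailbox-level forwarding, a tenant policy that allows auto-forwarding at all, and audit logging that is switched off. It assumes the ExchangeOnlineManagement module and an Exchange admin (or view-only) role when `$Live` is set to `$true`; with `$Live` left at `$false` it runs against constructed sample rules so you can see what a finding looks like. The mailbox names and domains in the sample data are made up.

```powershell
# Added example (not from the original post): audit an Exchange Online tenant
# for the persistence a BEC attacker typically leaves behind after phishing a
# mailbox. Assumes the ExchangeOnlineManagement module and an Exchange admin
# (or View-Only Organization Management) role when $Live is $true.

function Test-SuspiciousInboxRule {
    # Takes an object shaped like Get-InboxRule output and returns the reasons
    # it looks like BEC tradecraft; an empty result means it looks benign.
    param([Parameter(Mandatory)] $Rule)

    $reasons = @()
    if ($Rule.ForwardTo -or $Rule.ForwardAsAttachmentTo -or $Rule.RedirectTo) {
        $reasons += 'forwards or redirects mail out of the mailbox'
    }
    if ($Rule.DeleteMessage) {
        $reasons += 'deletes matching mail before the owner sees it'
    }
    if ($Rule.MoveToFolder -and $Rule.MoveToFolder -match 'RSS|Archive|Junk|Conversation History') {
        $reasons += "hides matching mail in '$($Rule.MoveToFolder)'"
    }
    # Money-movement keywords only matter when the rule also diverts mail.
    $words = (@($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords)) -join ' '
    if ($reasons.Count -gt 0 -and $words -match 'wire|invoice|payment|closing|escrow|title|\bach\b|bank') {
        $reasons += 'filters on money-movement keywords'
    }
    return $reasons
}

function Get-InboxRuleFindings {
    # Runs the test over a mailbox -> rules map and emits one object per
    # suspicious rule, so the result can be reviewed on screen or exported.
    param([Parameter(Mandatory)] [hashtable] $RulesByMailbox)

    foreach ($mailbox in $RulesByMailbox.Keys) {
        foreach ($rule in $RulesByMailbox[$mailbox]) {
            $why = Test-SuspiciousInboxRule -Rule $rule
            if ($why.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox = $mailbox
                    Rule    = $rule.Name
                    Enabled = $rule.Enabled
                    Reasons = ($why -join '; ')
                }
            }
        }
    }
}

$Live = $false   # set to $true to audit a real tenant

if ($Live) {
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline -ShowBanner:$false

    # Tenant-wide: automatic forwarding to external addresses should be Off.
    $spam = Get-HostedOutboundSpamFilterPolicy -Identity Default
    if ($spam.AutoForwardingMode -ne 'Off') {
        Write-Warning "Outbound spam policy allows auto-forwarding (AutoForwardingMode = $($spam.AutoForwardingMode))"
    }
    # Without the unified audit log there is no way to reconstruct an incident later.
    if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
        Write-Warning 'Unified audit logging is disabled'
    }

    $rules = @{}
    $mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingAddress, ForwardingSmtpAddress
    foreach ($mb in $mailboxes) {
        if ($mb.ForwardingSmtpAddress -or $mb.ForwardingAddress) {
            Write-Warning "$($mb.UserPrincipalName) has mailbox-level forwarding to $($mb.ForwardingSmtpAddress)$($mb.ForwardingAddress)"
        }
        $rules[$mb.UserPrincipalName] = @(Get-InboxRule -Mailbox $mb.UserPrincipalName)
    }
} else {
    # Constructed sample data (made-up names and domains) so the classifier
    # runs without a tenant. Attackers often name their rule "." or ",".
    $rules = @{
        'jsmith@example-law.test' = @(
            [pscustomobject]@{ Name = '.'; Enabled = $true; ForwardTo = @('closing.docs@example-attacker.test');
                ForwardAsAttachmentTo = $null; RedirectTo = $null; DeleteMessage = $true; MoveToFolder = $null;
                SubjectContainsWords = @('wire', 'closing', 'payoff'); BodyContainsWords = $null }
            [pscustomobject]@{ Name = 'Bar newsletters'; Enabled = $true; ForwardTo = $null;
                ForwardAsAttachmentTo = $null; RedirectTo = $null; DeleteMessage = $false; MoveToFolder = 'Newsletters';
                SubjectContainsWords = @('CLE digest'); BodyContainsWords = $null }
        )
    }
}

Get-InboxRuleFindings -RulesByMailbox $rules | Format-Table -AutoSize
```

Run it on the sample data and the "." rule is reported with three reasons (forwarding, deletion, money keywords) while the newsletter rule is silent. Run it live on a schedule and any new finding is worth a phone call to the mailbox owner the same day: a forwarding rule the attorney did not create means the account is already in someone else's hands.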
The Technology Debt Most Firms Are Carrying
Law firms are notorious for running technology long past its expiration date. We've walked into firms that are still running a server they bought during the Obama administration, using a practice management system that hasn't been updated since before COVID, with workstations running operating systems that no longer receive security patches.
The reasoning is understandable: "It still works." And technically, it does — until it doesn't. Legacy systems can't run modern security tools. Unpatched software has known vulnerabilities that attackers exploit routinely. Old servers have higher failure rates, and when they fail, the data recovery is expensive and sometimes impossible.
But the bigger issue is that these aging systems create a false sense of security. "We've never been hacked" isn't a security strategy — it's luck. And in 2026, relying on luck to protect client confidentiality is a risk that no ethical attorney should be comfortable with.
What "Reasonable" Cybersecurity Actually Looks Like for a Law Firm
Here's a practical breakdown of what a well-protected law firm should have in place. None of this is exotic or prohibitively expensive — it's the baseline.
Email security and encryption: Business-grade email with advanced threat protection, encrypted email capability for sending sensitive documents, and multi-factor authentication (MFA) on every account, including shared mailboxes and administrator accounts. Prefer phishing-resistant MFA (FIDO2 security keys or passkeys) where you can: push approvals and SMS codes can be relayed in real time by the same phishing kits that start most BEC incidents. Disable legacy protocols such as POP, IMAP and SMTP basic authentication, which bypass MFA entirely. If your firm is still using a free email service or doesn't have MFA enabled, that's your first call.
Endpoint protection: Every laptop, desktop, and mobile device that accesses firm data should have endpoint detection and response (EDR) software, not consumer antivirus. EDR monitors behavior in real time and can catch threats that traditional antivirus misses entirely, but only if someone is actually reading and acting on its alerts. An EDR console nobody watches is just expensive antivirus.
Data backup and disaster recovery: Automated, encrypted backups that run daily (at minimum), stored offsite or in the cloud, with at least one copy kept offline or immutable so that a ransomware crew holding an admin password cannot encrypt or delete the backups along with everything else. Recovery procedures should be tested, not assumed. You should know exactly how long it would take to restore your entire system after a ransomware attack, and "we think it would take a few days" is not an acceptable answer.
Access controls: Not everyone in the firm needs access to everything. Practice management systems, accounting data, and client files should have role-based access controls. When someone leaves the firm, their access should be revoked within hours — not whenever someone gets around to it.
Mobile device management: Attorneys work from everywhere — home, court, coffee shops, hotel rooms. Every device that accesses firm data needs to be secured, encrypted, and remotely wipeable if it's lost or stolen.
Security awareness training: Your staff needs to know how to recognize phishing emails, BEC attempts, and social engineering attacks, and to have a one-click way to report suspicious mail to whoever handles IT. Regular training with simulated phishing, not a one-time presentation at a firm retreat, reduces the risk of human error, which is involved in the majority of breaches. Pair it with one non-negotiable firm rule: any wire instruction, or any change to one, is verified by phone at a number already on file before money moves, no matter how legitimate the email looks.
The Malpractice Insurance Question
Here's something that gets managing partners' attention fast: many legal malpractice insurance carriers are now asking detailed questions about cybersecurity practices on renewal applications. Some are requiring specific security controls — MFA, endpoint protection, encrypted backups — as conditions of coverage.
Firms that can't demonstrate adequate security practices may face higher premiums, coverage exclusions for cyber incidents, or difficulty obtaining coverage at all. And if a breach occurs and the firm can't demonstrate that it had "reasonable" security measures in place, the malpractice claim writes itself.
This is where having a managed IT provider who understands legal industry requirements becomes valuable. At Flyght, we help law firms document their security controls, maintain compliance records, and provide the evidence that insurance carriers and bar authorities want to see.
Cloud vs. On-Premise: The Law Firm Decision
Many firms are wrestling with whether to move their practice management, document management, and email to the cloud or keep it on local servers. The answer, as with most things in IT, is "it depends" — but increasingly, cloud-based infrastructure makes more sense for small and mid-sized firms.
Cloud platforms like Microsoft 365 (with proper configuration) provide enterprise-grade security, automatic updates, geo-redundant backup, and accessibility from anywhere — all for a predictable monthly cost. Compare that to maintaining an on-premise server that requires physical security, cooling, power protection, manual updates, and expensive replacement every 5-7 years.
The key phrase is "with proper configuration." Out-of-the-box cloud setups are not automatically secure. Microsoft 365, for example, has dozens of security settings that need to be configured correctly — conditional access policies, data loss prevention rules, retention policies, sensitivity labels, and audit logging. Most firms that "moved to the cloud" are using a fraction of the security features they're already paying for.
That's the kind of thing a managed IT provider catches and fixes during onboarding.
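Conditional access is the setting most often left at its defaults, and it is also the one that does the most to shut down the phishing-based account takeover behind BEC. The script below is an added example written for this article, not something from the original post or from Microsoft's documentation. It creates two Entra ID Conditional Access policies through the Microsoft Graph PowerShell module: one requiring phishing-resistant MFA for every user on every application, and one blocking legacy authentication, which cannot satisfy MFA at all. Both are created in report-only mode so the sign-in logs show who would have been blocked before anyone actually is. It assumes the Microsoft.Graph module, a Conditional Access Administrator role, and that passkeys or FIDO2 keys are already enabled under the tenant's authentication methods policy; `$breakGlassId` is a placeholder for your own emergency-access account.

```powershell
# Added example (not from the original post): create Entra ID Conditional
# Access policies for phishing-resistant MFA and blocking legacy auth, in
# report-only mode first. Assumes the Microsoft.Graph PowerShell module and a
# Conditional Access Administrator role.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Placeholder: object ID of the firm's emergency-access ("break-glass")
# account. It is excluded from every policy so a mistake cannot lock out all admins.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

# Look up the built-in strength by name rather than hard-coding its GUID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $strength) { throw 'Built-in "Phishing-resistant MFA" authentication strength not found' }

$mfaPolicy = @{
    displayName = 'Require phishing-resistant MFA - all users, all apps (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

# Companion policy: legacy clients (POP/IMAP/SMTP basic auth, old ActiveSync)
# never prompt for MFA, so the only safe grant control is "block".
$legacyPolicy = @{
    displayName = 'Block legacy authentication (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$mfa    = New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy
$legacy = New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy
"Created $($mfa.Id) and $($legacy.Id) in report-only mode"

# Review every policy in the tenant: its state and who is excluded from it.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ n = 'ExcludedUsers'; e = { $_.Conditions.Users.ExcludeUsers -join ',' } } |
    Format-Table -AutoSize

# Once the report-only sign-in logs show no legitimate users being caught,
# flip each policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $mfa.Id -BodyParameter @{ state = 'enabled' }
```

Two practical notes. Register at least one security key or passkey for every user, and confirm the break-glass account can still sign in, before changing `state` to `enabled`; a phishing-resistant policy enforced against users who have nothing but an authenticator app locks the whole firm out. And the review table at the end is worth keeping as a standing check: an attacker with admin access, or a well-meaning consultant, adds exclusions far more often than anyone notices.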
Your Clients Trust You. Make Sure Your Technology Deserves That Trust.
Flyght works with law firms across Ohio, Michigan, and Indiana — from solo practitioners to 50-attorney firms. We understand the unique requirements of legal IT: ethical obligations around client confidentiality, court filing system requirements, practice management integrations, and the reality that attorneys need their technology to work flawlessly from the office, the courtroom, or the kitchen table at 11 PM.
We offer a free, confidential IT assessment for law firms. We'll evaluate your current security posture, identify gaps in your compliance readiness, and give you a straightforward plan for getting to where you need to be — without the jargon and without the scare tactics.
Call us at (419) 670-7100 or fill out the contact form. Everything we discuss is treated with the same confidentiality your clients expect from you.