The professional obligations to protect client information have not moved. The threat environment has. Law firms are a routine target for ransomware, business email compromise and supply chain attacks against practice management software. The controls needed to meet the obligations are neither exotic nor expensive.
The baseline every firm should meet
- Multi factor authentication on every account, without exception.
- Timely patching of client facing systems and endpoints.
- Encrypted backups tested by actual restoration, not just by the vendor's dashboard.
- A written incident response plan with named roles and retained specialists.
- Regular, short, mandatory training on phishing and payment fraud.
The failures we see most often
Shared accounts, missing MFA on legacy systems, unrestricted forwarding rules on partner mailboxes, and backups that turn out to be encrypted by the attacker along with everything else. Every one of these is straightforward to fix in advance, and painful to explain in retrospect.

