Law Firms Must Embed Cybersecurity in Governance to Protect Data
Publish Date: 2026-05-19 04:30:00
Source Domain: news.bloomberglaw.com
The Bottom Line
- Law firms’ volume of sensitive data makes them targets for data breaches, so cyber risk should be treated as critical to client service.
- Attorneys may have ethical and legal obligations to safeguard client data and communicate clearly and promptly with affected clients about the extent of a data breach.
- Firms should consider best practices outside the IT department such as integrating cybersecurity into firm governance and giving staff regular security training.
Law firms are especially attractive targets for data breaches given the volume and sensitivity of their data. In April, Jones Day became the latest victim of the “Silent Ransom Group,” a hacking ring that posted data from 10 of the firm’s clients.
A robust internal cybersecurity program is no longer enough. To protect themselves and their clients, law firms must prioritize rigorous due diligence of vendors, continuous monitoring, and a security-conscious culture that treats cyber risk as a core element of client service and professional responsibility.
Ethical Obligations
While ethics duties don’t impose strict liability for every incident, they require firms to use reasonable efforts to safeguard client information, detect and respond to incidents, communicate with affected clients, and supervise personnel and vendors appropriately.
The American Bar Association has long addressed ethical duties related to data breaches, including in Formal Opinions 477R and 483. The New York City Bar Association also issued guidance. And in 2020, a California ethics opinion found that lawyers must conduct a reasonable inquiry and notify clients of a data breach.
Notice requirements: Firms must promptly evaluate notice obligations when they know or reasonably should know that a data breach has occurred. They must notify current clients if the breach involves or has likely involved material client information or hampers their ability to perform legal services.
Notice should, at minimum, disclose the breach and known…