Law firms are entrusted with highly sensitive information — client records, case strategies and proprietary data. If this information is compromised, the consequences can be severe. Cybercriminals know this all too well, which is why law firms have become prime targets for increasingly sophisticated attacks.
To help prevent this, the American Bar Association (ABA) sets clear expectations for law firms regarding information security. Rule 1.6 requires lawyers to make reasonable efforts to prevent unauthorized access or disclosure of client information. ABA Resolution 109 further urges firms to "develop, implement and maintain an appropriate cybersecurity program".
Failing to meet ABA requirements can expose law firms to serious risks, including data breaches or ransomware attacks, which could damage client trust and firm reputation. Non-compliance may also result in significant business disruption, disciplinary action from regulatory bodies, malpractice lawsuits and loss of professional liability coverage.
What should law firms be doing?
With the rise in cyber threats, regulatory scrutiny and client demands, law firms must proactively demonstrate robust security practices. Use this checklist to assess your firm's alignment with ABA guidelines and industry best practices:
1. Review legal and regulatory compliance
- Ensure IT systems comply with laws such as General Data Protection (GDPR), Health Insurance Portability and Accountability Act (HIPAA), D.C. Data Breach Notification Law, Tennessee Information Protection Act (TIPA) and other relevant regulations.
- Stay updated on new requirements affecting client data protection.
2. Conduct a cybersecurity maturity assessment
- Evaluate your current security posture.
- Identify and prioritize gaps based on industry standards.
3. Educate and train staff
- Establish clear policies for handling sensitive information.
- Provide ongoing cybersecurity training for all employees.
4. Perform comprehensive security assessments
- Schedule regular vulnerability scans and penetration tests.
- Include phishing and social engineering exercises to test staff awareness.
5. Strengthen data management and availability
- Secure data storage, backup and recovery processes.
- Test restoration procedures to ensure business continuity.
6. Monitor and respond to threats
- Implement real-time threat detection and response systems.
- Develop and rehearse incident response plans.
7. Obtain independent assurance
- Consider a system and organization controls (SOC) SOC 1, SOC 2, or SOC 3 attestation to demonstrate commitment to data security.
- Maintain documentation for client, insurer and partner requests.
Need guidance?
Navigating ABA compliance and cybersecurity can be challenging. If your firm needs support, Baker Tilly's risk assurance and advisory professionals understand the unique complexities legal organizations face. Our experienced team guides firms through every stage of their cybersecurity journey, offering specialized IT audit and risk management services to help protect sensitive client information and meet regulatory requirements.
With our support, you can focus on what matters most — serving your clients with confidence.

