Law firms occupy one of the most valuable positions in the adversarial targeting hierarchy. They hold attorney-client privileged communications between corporations and their counsel — communications that may contain litigation strategy, M&A deal terms, regulatory investigation responses, and settlement negotiations. The same privilege that makes those communications legally protected makes them enormously valuable to adversaries: they reveal exactly what a company knows, fears, and plans to do about its most sensitive legal matters.
The targeting of law firms is not hypothetical. In May 2020 the REvil (Sodinokibi) ransomware group compromised Grubman Shire Meiselas & Sacks, a prominent entertainment law firm, and exfiltrated roughly 756 gigabytes of client files, including contracts and personal information for celebrities such as Lady Gaga, Madonna and Bruce Springsteen. The attackers demanded $21 million, doubled it to $42 million when the firm did not pay, and then began auctioning the files on the dark web. In 2016 the Panama Papers leak exposed 11.5 million documents from Mossack Fonseca, a Panamanian law firm, revealing offshore financial arrangements for politicians and business executives worldwide. In both cases the value of the stolen data was inseparable from the privileged and confidential nature of legal documents. Phishing and ransomware are consistently cited as the leading attack vectors against firms, and roughly a quarter to a third of firms report having experienced a security breach at some point (ABA Legal Technology Survey Report). Because the legal industry is not broken out as a standalone sector in the Verizon DBIR (it falls under NAICS 54, Professional, Scientific and Technical Services), any precise law-firm-specific breakdown of root causes should be treated with caution.
ABA Ethical Obligations: What the Rules Actually Require
ABA Model Rule 1.6: Confidentiality of Information
ABA Model Rule 1.6(c) requires a lawyer to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. The obligation is technology-neutral: it applies however the information is stored or transmitted. Comment [18] lists the factors that decide whether an effort was reasonable (the sensitivity of the information, the likelihood of disclosure without additional safeguards, the cost and difficulty of those safeguards, and the extent to which they would impair the representation), and Comment [19] extends the same analysis to transmission of client information. Read together with Rule 1.1 Comment [8], which requires lawyers to keep abreast of the benefits and risks of relevant technology, these comments mean a lawyer must understand the cloud storage, email and messaging tools the firm uses well enough to judge whether they provide adequate protection.
ABA Formal Opinion 477R: Securing Communication of Protected Client Information
ABA Formal Opinion 477R (2017) applies Rule 1.6 to electronic communications. It concludes that unencrypted routine email remains generally acceptable for ordinary attorney-client communication, but that a fact-specific analysis is required for particularly sensitive matters, and that the lawyer may need to use encrypted email, a secure client portal or another protected channel where the risk (including interception or metadata analysis) warrants it. For M&A representations, regulatory investigations and litigation against adversaries with nation-state capabilities, that analysis will almost always point to end-to-end encrypted channels, and the firm should document the analysis rather than falling back on email by default.
ABA Formal Opinion 483: Obligations After an Electronic Intrusion
ABA Formal Opinion 483 (2018) addresses what a lawyer must do after an electronic intrusion. It establishes a duty to monitor for data breaches, a duty to stop an ongoing breach and restore affected systems once it is discovered, and a duty to notify current clients when a breach involves, or has a substantial likelihood of involving, material client information. The duty to monitor has a direct technical consequence: a firm with no security monitoring at all (no SIEM, no EDR, no log review) cannot detect a breach it is obliged to detect, and is therefore potentially in violation of its professional obligations before anything is even stolen.
Technical Security Controls for Law Firms
Client Matter Separation
Law firms that represent clients with adverse interests, or that hold sensitive information about M&A targets, regulatory investigations or litigation adversaries, must restrict document access to the attorneys and staff working on a specific matter, with everyone else denied by default. This is the same mechanism firms already use for ethical walls when a conflict is screened, and most document management systems (iManage, NetDocuments, SharePoint with appropriate configuration) support matter-level security; the problem is that it is frequently left unconfigured, or quietly overridden by firm-wide groups that can see everything. An attorney or administrator who can access all client files in the DMS is a single point of compromise: one stolen credential exposes the entire client base.
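As an added example (not the page's own code and not any DMS vendor's API), the policy engine below models what matter-level security with an ethical wall should enforce: default deny per matter, a wall between two adverse matters that is checked both when a user is provisioned and when a document is read, and a blast-radius query that shows what one stolen credential exposes. The matter IDs, usernames, the "M-YYYY-NNNN" matter format and the wall between the two sample matters are all constructed.

```python
"""Matter-level access control with ethical walls.

Added example, not the page's own code and not any vendor's API: a small
policy engine modelling what matter-level security in a DMS should enforce.
Matter IDs, usernames and the wall between the two matters are constructed
sample data; the "M-YYYY-NNNN" matter number format is assumed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Document:
    doc_id: str
    matter_id: str


@dataclass
class MatterAccessPolicy:
    # matter_id -> set of usernames on that matter's team
    matter_teams: dict = field(default_factory=dict)
    # each wall is a frozenset of two matter IDs whose teams must never overlap
    ethical_walls: set = field(default_factory=set)

    def walled_counterparts(self, matter_id: str) -> set:
        """Matters screened from `matter_id` by an ethical wall."""
        return {
            other
            for wall in self.ethical_walls
            if matter_id in wall
            for other in wall
            if other != matter_id
        }

    def violates_wall(self, user: str, matter_id: str) -> bool:
        """True if `user` being on `matter_id` breaches a wall."""
        return any(
            user in self.matter_teams.get(other, set())
            for other in self.walled_counterparts(matter_id)
        )

    def assign(self, user: str, matter_id: str) -> None:
        # Enforce the wall at provisioning time, not only at read time.
        if self.violates_wall(user, matter_id):
            raise PermissionError(
                f"{user} is already on a matter walled from {matter_id}"
            )
        self.matter_teams.setdefault(matter_id, set()).add(user)

    def can_read(self, user: str, doc: Document) -> bool:
        # Default deny: only the matter team may read the matter's documents.
        if user not in self.matter_teams.get(doc.matter_id, set()):
            return False
        # Re-check the wall at access time in case teams were edited directly.
        return not self.violates_wall(user, doc.matter_id)

    def blast_radius(self, user: str) -> set:
        """Matters exposed if this user's credential is stolen."""
        return {m for m, team in self.matter_teams.items() if user in team}


def build_sample_policy() -> MatterAccessPolicy:
    """Constructed sample: two adverse matters plus one unrelated matter."""
    p = MatterAccessPolicy()
    p.ethical_walls.add(frozenset({"M-2024-0117", "M-2024-0342"}))
    p.assign("alice", "M-2024-0117")      # deal team for the acquirer
    p.assign("bob", "M-2024-0342")        # team representing the adverse party
    p.assign("dms_admin", "M-2024-0117")  # over-broad admin account
    p.assign("dms_admin", "M-2024-0501")
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    deal_memo = Document("DOC-1", "M-2024-0117")
    print("alice reads deal memo:", policy.can_read("alice", deal_memo))
    print("bob reads deal memo:", policy.can_read("bob", deal_memo))
    print("dms_admin blast radius:", sorted(policy.blast_radius("dms_admin")))
    # The wall stops the "sees everything" account from being completed.
    print("admin on both walled matters?",
          policy.violates_wall("dms_admin", "M-2024-0342"))
```

The point of `violates_wall` being called from both `assign` and `can_read` is that a correctly configured wall makes the "one account that sees every matter" anti-pattern impossible to provision, rather than merely discouraged; `blast_radius` is the number a security review should report for every service and admin account in the DMS.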
Privilege-Aware Data Loss Prevention
DLP policies for law firms require domain-specific configuration. Standard DLP rules — blocking SSN patterns, credit card numbers, health record identifiers — are necessary but insufficient. Privilege-aware DLP should also monitor for matter numbers, client names, and document markings (PRIVILEGED AND CONFIDENTIAL, ATTORNEY-CLIENT PRIVILEGED) in outbound transmissions and flag them for review when they are destined for external addresses not associated with the matter. This requires coordination between IT and legal operations to maintain accurate matter and recipient lists.
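As an added example (not the page's own code and not any DLP product's rule language), the scanner below combines one standard PII pattern with the legal-specific signals described above: matter numbers, client names and privilege markings, resolved against a per-matter list of approved external domains so that a privileged document going to co-counsel is allowed while the same document going to a personal mailbox or an unlisted vendor is flagged for review. The matter number format M-YYYY-NNNN, the firm domain firm.example, the registry contents and the four messages are all constructed.

```python
"""Privilege-aware outbound DLP check.

Added example, not the page's own code and not any DLP product's rule
language. The matter number format M-YYYY-NNNN, the internal domain
firm.example, the registry and the sample messages are constructed data.
"""
import re
from dataclasses import dataclass, field

SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")              # standard PII rule
MATTER_NUMBER = re.compile(r"\bM-\d{4}-\d{4}\b")        # assumed firm format
PRIVILEGE_MARKING = re.compile(
    r"\b(?:PRIVILEGED\s+AND\s+CONFIDENTIAL|ATTORNEY[- ]CLIENT\s+PRIVILEGED"
    r"|ATTORNEY\s+WORK\s+PRODUCT)\b",
    re.IGNORECASE,
)


@dataclass
class OutboundMessage:
    msg_id: str
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class MatterRegistry:
    internal_domain: str
    client_names: dict = field(default_factory=dict)      # matter_id -> client name
    approved_domains: dict = field(default_factory=dict)  # matter_id -> {external domains}


@dataclass
class Verdict:
    action: str      # "allow" or "review"
    findings: list


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(msg: OutboundMessage, reg: MatterRegistry) -> Verdict:
    text = f"{msg.subject}\n{msg.body}"
    findings = []
    if SSN.search(text):
        findings.append("pii:ssn")

    # Which matters does this message appear to concern?
    matters = set(MATTER_NUMBER.findall(text))
    lowered = text.lower()
    for matter_id, name in reg.client_names.items():
        if name.lower() in lowered:   # substring match; tune for short names
            matters.add(matter_id)
    marked = PRIVILEGE_MARKING.search(text) is not None

    external = {r for r in msg.recipients if domain_of(r) != reg.internal_domain}
    if not external:
        return Verdict("allow", findings)   # internal-only: log, do not block

    if marked and not matters:
        findings.append("privilege-marking:no-matter-identified")
    for matter_id in sorted(matters):
        allowed = reg.approved_domains.get(matter_id, set())
        unapproved = sorted(r for r in external if domain_of(r) not in allowed)
        if unapproved:
            findings.append(
                f"matter:{matter_id}:unapproved-recipients:{','.join(unapproved)}"
            )

    # Anything privileged or PII leaving to an unvetted address goes to review.
    action = "review" if findings else "allow"
    return Verdict(action, findings)


SAMPLE_REGISTRY = MatterRegistry(
    internal_domain="firm.example",
    client_names={"M-2024-0117": "Acme Holdings"},
    approved_domains={"M-2024-0117": {"acme-holdings.example", "cocounsel.example"}},
)

SAMPLE_MESSAGES = [
    OutboundMessage("msg-1", "alice@firm.example", ["jsmith@cocounsel.example"],
                    "M-2024-0117 draft SPA",
                    "PRIVILEGED AND CONFIDENTIAL. Attached is the revised purchase agreement."),
    OutboundMessage("msg-2", "alice@firm.example", ["alice.home@mail.example"],
                    "Fwd: deal notes",
                    "ATTORNEY-CLIENT PRIVILEGED. Acme Holdings walk-away price is $420M."),
    OutboundMessage("msg-3", "alice@firm.example", ["bob@firm.example"],
                    "Intake form", "Client SSN 123-45-6789 for KYC."),
    OutboundMessage("msg-4", "paralegal@firm.example", ["vendor@discovery-vendor.example"],
                    "Production set",
                    "Attorney work product. Matter M-2024-0117 production volume 3."),
]


def run_samples(messages=SAMPLE_MESSAGES, reg=SAMPLE_REGISTRY) -> dict:
    return {m.msg_id: evaluate(m, reg) for m in messages}


if __name__ == "__main__":
    for msg_id, verdict in run_samples().items():
        print(msg_id, verdict.action, verdict.findings)
```

Message 4 is the case that makes the coordination requirement concrete: the e-discovery vendor may be perfectly legitimate, but because nobody added its domain to the matter's approved list, the production set is held for review. Keeping that list current is the legal-operations half of the control; the regexes are the easy part.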
Vendor Agreements with Privilege Carve-Outs
Law firms routinely share privileged client documents with e-discovery vendors, expert witnesses, co-counsel and litigation support providers. Each of these third parties represents a privilege and confidentiality risk. Engagement letters and vendor agreements should include explicit data security requirements (encryption at rest and in transit, access controls, breach notification obligations), a prohibition on disclosure of client information to subcontractors without consent, and an acknowledgment that the materials shared are privileged and subject to confidentiality obligations. Sharing privileged material with a third party without reasonable steps to preserve its confidentiality risks a finding of waiver in some jurisdictions, so these provisions also serve as evidence that those steps were taken.
NYDFS 500 Applicability to Financial Law Firms
Law firms are directly subject to 23 NYCRR Part 500 only if they are themselves Covered Entities, that is, if they operate under a license, registration, charter or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law (for example, a firm that also holds a money transmitter license, or that is an affiliate of a regulated entity). That is uncommon. What is common is the indirect route: Part 500 requires Covered Entities to maintain a third-party service provider policy, so banks, insurers and other regulated clients push security requirements that meet or approximate the regulation onto the law firms that hold their data, as a condition of receiving it. The practical effect is that New York financial services law firms face de facto NYDFS 500 obligations regardless of direct licensure. Firms should conduct a gap assessment against the current text of Part 500, including the November 2023 amendments, and document their compliance status. Fortress MSSP provides penetration testing and security program assessments designed to satisfy the Part 500 annual penetration testing requirement. Contact us to discuss your firm's specific obligations.