Article
Safeguarding your firm: Why information security and IT risk management are crucial
Protecting sensitive client data while meeting ABA expectations in an increasingly complex cyber threat landscape.
Jan. 21, 2026 · Authored by Erica Hightower
Law firms are entrusted with highly sensitive information — client records, case strategies and proprietary data. If this information is compromised, the consequences can be severe. Cybercriminals know this all too well, which is why law firms have become prime targets for increasingly sophisticated attacks.
To help prevent this, the American Bar Association (ABA) sets clear expectations for law firms regarding information security. Rule 1.6 requires lawyers to make reasonable efforts to prevent unauthorized access or disclosure of client information. ABA Resolution 109 further urges firms to "develop, implement and maintain an appropriate cybersecurity program".
Failing to meet ABA requirements can expose law firms to serious risks, including data breaches or ransomware attacks, which could damage client trust and firm reputation. Non-compliance may also result in significant business disruption, disciplinary action from regulatory bodies, malpractice lawsuits and loss of professional liability coverage.
What should law firms be doing?
With the rise in cyber threats, regulatory scrutiny and client demands, law firms must proactively demonstrate robust security practices. Use this checklist to assess your firm's alignment with ABA guidelines and industry best practices:
1. Review legal and regulatory compliance
- Ensure IT systems comply with laws such as General Data Protection (GDPR), Health Insurance Portability and Accountability Act (HIPAA), D.C. Data Breach Notification Law, Tennessee Information Protection Act (TIPA) and other relevant regulations.
- Stay updated on new requirements affecting client data protection.
2. Conduct a cybersecurity maturity assessment
- Evaluate your current security posture.
- Identify and prioritize gaps based on industry standards.
3. Educate and train staff
- Establish clear policies for handling sensitive information.
