Law firms are among the most targeted organizations for cyberattacks. Not because they have the weakest defenses — though many do — but because they hold the most valuable data. Client confidences, financial information, settlement details, merger plans, real estate transactions, trust account credentials. A single law firm breach can expose dozens or hundreds of clients simultaneously.
Solo and small firm attorneys face a specific version of this problem. You have the same sensitive data as a large firm, but without the IT department, the dedicated security budget, or the enterprise-grade tools. You're running your practice on a laptop, a phone, and a collection of cloud services. And the attackers know it.
The question is not whether you'll be targeted — it's whether you'll notice when it happens.
This is not a guide to building a fortress. Solo attorneys don't need a fortress. They need the security equivalent of locking the doors, closing the windows, and installing a basic alarm system. The basics, done consistently, stop the vast majority of attacks.
Why Law Firms Are Targeted
Understanding the threat model matters. Attorneys aren't being targeted by sophisticated nation-state hackers. They're being targeted by opportunistic criminals who follow the money.
Trust account access. IOLTA and trust accounts hold client funds. Business email compromise attacks targeting wire transfers are the single most common and most costly attack vector for law firms. An attacker who can intercept or redirect a wire transfer — particularly in a real estate closing — can steal tens or hundreds of thousands of dollars in a single transaction.
Client data for identity theft. Law firms collect exactly the information identity thieves need: full legal names, Social Security numbers, dates of birth, financial account information, and copies of government-issued identification. A breached law firm is a one-stop shop.
Ransomware leverage. Encrypted client files create extraordinary pressure to pay. Unlike a retail business that might rebuild from backups, a law firm facing ransomware knows that the encrypted files may contain information subject to privilege, court deadlines, and statute of limitations dates. The urgency is inherent.
Low-hanging fruit. Solo attorneys are disproportionately targeted because attackers correctly assume that small firms have weaker security controls. No dedicated IT staff, limited security training, outdated software, and personal devices used for firm business. The attack surface is large and the defenses are thin.
The ABA's annual Legal Technology Survey consistently finds that a significant percentage of law firms have experienced some form of security breach. Small firms report lower breach rates — not because they're attacked less, but because they're less likely to detect breaches when they occur.
The Minimum Viable Security Stack
You don't need to spend thousands on security tools. You need to implement a specific set of controls, use them consistently, and build habits that make security automatic rather than an afterthought.
Here is the minimum security stack for a solo attorney practice. Every item on this list is non-negotiable.
Password Manager
Stop reusing passwords. Stop storing them in a spreadsheet, a notebook, or your browser's password manager. Use a dedicated password manager — 1Password, Bitwarden, or Dashlane are all solid options for solo practitioners.
A password manager does three things: generates strong unique passwords for every account, stores them securely behind a single master password, and auto-fills them so you don't have to remember or type them. The master password should be long (16+ characters), unique, and something you've memorized.
Every account you use for firm business — email, practice management, cloud storage, banking, court filing systems — gets a unique, randomly generated password. If one service is breached, the compromised password doesn't work anywhere else.
Cost: Free (Bitwarden) to roughly $3-5/month for premium features.
Two-Factor Authentication Everywhere
A password alone is not enough. Two-factor authentication (2FA) adds a second verification step — typically a code from an authenticator app or a physical security key.
Enable 2FA on every account that supports it. Prioritize these accounts first:
- Email (this is the master key — if someone controls your email, they can reset every other password)
- Practice management software
- Cloud storage (Dropbox, Google Drive, OneDrive)
- Banking and financial accounts
- Court e-filing systems
- Domain registrar (where your website domain is managed)
Use an authenticator app (Google Authenticator, Microsoft Authenticator, Authy) rather than SMS-based 2FA. SMS codes can be intercepted through SIM swapping attacks; codes generated on the device by an authenticator app are not affected by SIM swapping.
For the highest-value accounts — email and banking — consider a physical security key like YubiKey. It's the strongest form of 2FA available and eliminates phishing risk entirely for those accounts.
Cost: Free (authenticator apps) or roughly $25-50 for a physical security key.
Encrypted Email
Standard email is not secure. It's transmitted in plain text and stored on servers you don't control. For routine client communication, this is a known risk that most attorneys accept. For sensitive communications — financial information, settlement terms, privileged strategy discussions — you need encryption.
Options for solo attorneys:
- Built-in encryption: Microsoft 365 and Google Workspace both offer encryption options. Microsoft 365's message encryption works well for sending encrypted messages to clients who don't have special software.
- Secure client portals: Many practice management systems include encrypted client portals for secure document and message exchange. This is often the most practical solution.
- Dedicated encrypted email: Services like Virtru or ProtonMail offer end-to-end encryption. Useful if email encryption is a primary concern.
The practical recommendation: use your practice management system's client portal for sensitive communications and document exchange. It solves the encryption problem and the document management problem simultaneously.
Secure File Sharing
Stop sending sensitive documents as email attachments. Use encrypted file sharing instead.
Your practice management system likely includes secure document sharing. If not, or if you need to share files with clients who don't have portal access, use a business-grade cloud storage service with link-based sharing and expiration dates.
What "secure" means in practice:
- Files encrypted in transit and at rest
- Access controlled by permissions (not just a shared link that anyone can access)
- Ability to revoke access after the matter closes
- Audit log showing who accessed what and when
Endpoint Protection
Every device that touches client data needs security software. "Endpoint" means your laptop, desktop, phone, and tablet — every device you use for firm business.
At minimum:
- Antivirus/anti-malware: Windows Defender (built into Windows) is adequate for basic protection. For stronger protection, consider a paid solution like Malwarebytes or SentinelOne.
- Full-disk encryption: BitLocker (Windows) or FileVault (Mac). If your laptop is stolen, full-disk encryption means the thief gets hardware, not data.
- Automatic updates: Every operating system, every application, every browser — set to update automatically. Unpatched software is one of the most common entry points for attacks.
- Remote wipe capability: If a device is lost or stolen, you need the ability to erase it remotely. Both Apple and Microsoft offer this for devices linked to their accounts.
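As an added example that is not part of the original article, the following PowerShell script checks the three Windows-side items above (full-disk encryption, anti-malware, automatic updates) on the laptop it runs on. It assumes Windows 10 or 11 with the built-in BitLocker and Defender modules, run from an elevated PowerShell prompt.

```powershell
# Added self-audit example (not from the original article). Run as Administrator.
# It reports only; it changes nothing on the machine.
$findings = @()

# 1. Full-disk encryption: is BitLocker protection on for the system drive?
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($vol.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is $($vol.ProtectionStatus) on $env:SystemDrive (volume status: $($vol.VolumeStatus))"
}

# 2. Anti-malware: is Defender real-time protection running with recent signatures?
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += "Defender real-time protection is disabled"
}
if ($mp.AntivirusSignatureAge -gt 7) {
    $findings += "Defender signatures are $($mp.AntivirusSignatureAge) days old"
}

# 3. Automatic updates: a policy value of NoAutoUpdate=1 switches them off.
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    $findings += "Automatic Windows Update is disabled by policy (NoAutoUpdate=1)"
}
# Count updates that are available but not yet installed (this query can take a minute).
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates.Count
if ($pending -gt 0) {
    $findings += "$pending Windows update(s) pending installation"
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: encryption, anti-malware and automatic updates all look right"
} else {
    Write-Output "ATTENTION NEEDED:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it quarterly alongside the backup restore test; any line under "ATTENTION NEEDED" maps directly to one of the four endpoint items above.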
Regular Backups
The 3-2-1 rule: three copies of your data, on two different types of media, with one copy offsite.
In practice for a solo attorney:
- Primary data in your practice management system (cloud-based)
- Automatic backup to a separate cloud service (not the same provider)
- Local backup to an encrypted external drive, stored securely
Test your backups. A backup you've never restored is a backup you don't know works. Set a quarterly calendar reminder to test a restore.
Business Email Compromise: The Number One Threat
Business email compromise (BEC) deserves its own section because it is the single most financially devastating attack vector for law firms. The FBI's Internet Crime Complaint Center consistently reports BEC as the highest-loss cybercrime category.
Here's how it works in a law practice:
- An attacker gains access to your email account — or a client's email account, or the other party's email account — through phishing, credential stuffing, or malware.
- The attacker monitors email conversations, waiting for a financial transaction. Real estate closings are the most common target.
- At the critical moment — the day before closing, when wire instructions are being exchanged — the attacker sends a message that appears to come from a legitimate participant, providing fraudulent wire instructions.
- The funds are wired to the attacker's account. They're moved offshore within hours. Recovery is rare.
The dollar amounts are staggering. Individual incidents frequently involve six-figure losses. And the liability question — who bears the loss when a wire transfer is redirected through email compromise — is often litigated, with attorneys and title companies facing malpractice claims.
The Wire Transfer Verification Protocol
Every law firm that handles wire transfers needs a written verification protocol. This is non-negotiable.
The protocol:
- Never send wire instructions by email alone. Always confirm by phone using a number you have on file — not a number from the email containing the wire instructions.
- Never accept changed wire instructions without verbal verification. If someone sends updated wiring instructions — for any reason — call the sending party at a known number to confirm.
- Include a standard disclaimer on all emails discussing financial transactions: "Our firm will never change wire instructions by email. If you receive an email appearing to change wire instructions, call our office immediately at [phone number] before sending any funds."
- Train every person in your firm who touches financial transactions. Paralegals, assistants, and associates need to follow the same protocol.
- Confirm receipt of every wire transfer sent and received. If funds don't arrive when expected, investigate immediately — the window for recovery is hours, not days.
State Bar Ethics Obligations for Data Security
The ethical obligation to protect client data is established and enforceable.
ABA Model Rule 1.6(c): "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
ABA Formal Opinion 477R (2017): Addresses the duty to use reasonable efforts to protect client communications, specifically in the context of electronic communications. The opinion acknowledges that "reasonable efforts" is a fact-specific inquiry — what's reasonable for a solo practitioner is different from what's reasonable for a large firm — but establishes that ignoring security altogether is not an option.
Comment [18] to Model Rule 1.6 lists factors for determining reasonable security efforts:
- The sensitivity of the information
- The likelihood of disclosure if additional safeguards are not employed
- The cost of employing additional safeguards
- The difficulty of implementing the safeguards
- The extent to which the safeguards adversely affect the lawyer's ability to represent clients
For solo attorneys, this means: you don't need enterprise-grade security, but you need the basics. Password manager, 2FA, encryption, backups, and a wire transfer verification protocol. These are low-cost, readily available measures that any attorney can implement. Failing to implement them is increasingly difficult to defend as "reasonable."
Multiple state bars have issued their own opinions, with some — notably California and New York — imposing more specific requirements. Check your jurisdiction's specific guidance.
Cyber Insurance
Cyber liability insurance is a separate policy from your professional liability (malpractice) insurance. Most malpractice policies exclude or severely limit coverage for data breaches and cyber incidents.
A cyber insurance policy typically covers:
- Breach response costs: Forensic investigation, client notification, credit monitoring
- Business interruption: Lost revenue during downtime
- Ransomware payments: Coverage for ransom demands (though paying ransoms is controversial and not always recommended)
- Regulatory fines and penalties: If applicable
- Third-party liability: Claims from affected clients
For solo attorneys, cyber insurance is relatively affordable — often a few hundred dollars per year for basic coverage. The application process will ask about your security practices, which creates a useful forcing function: the insurer wants to know that you have password management, 2FA, encryption, and backups in place.
Some malpractice insurance carriers offer cyber coverage as a rider. Compare standalone policies with rider options to find the best fit.
The Security Checklist for Solo Attorneys
Use this as an implementation guide. Work through it top to bottom. Each item builds on the previous ones.
Immediate (do this week):
- Install a password manager and migrate all firm accounts to unique, generated passwords
- Enable 2FA on your email account using an authenticator app
- Enable 2FA on your banking and financial accounts
- Enable full-disk encryption on your laptop (BitLocker or FileVault)
- Verify that automatic updates are enabled on all devices
Within 30 days:
- Enable 2FA on all remaining firm accounts (practice management, cloud storage, court filing)
- Implement a wire transfer verification protocol and distribute it to all staff
- Set up encrypted file sharing for client documents (practice management portal or secure cloud storage)
- Configure automatic backups to a secondary location
- Review and update your engagement letter to include a data security clause
Within 90 days:
- Obtain cyber liability insurance (or verify your malpractice policy's cyber coverage)
- Conduct a personal security audit: what devices access client data, what accounts hold client information, what happens if any single device is lost or stolen
- Test your backup restoration process
- Review your tech stack for security gaps — are there tools with client data that lack 2FA or encryption?
Ongoing:
- Quarterly: test backup restoration
- Quarterly: review account access and remove unused accounts
- Annually: review and update your security practices
- Annually: review cyber insurance coverage
- Always: verify wire instructions by phone before sending funds
What This Means for Your Practice
Cybersecurity for solo attorneys is not about achieving perfect security. Perfect security doesn't exist. It's about raising the cost of attacking you above the cost of attacking someone else. Attackers are opportunistic. They target the firms with the weakest defenses. If you have a password manager, 2FA, encryption, and a wire transfer protocol, you've eliminated yourself from the easy-target category.
The investment is minimal. A password manager and authenticator app are free or nearly free. Full-disk encryption is built into your operating system. Secure file sharing is built into most practice management systems. The total cost of implementing every recommendation in this guide — including cyber insurance — is likely less than your monthly office rent.
The alternative — doing nothing and hoping you're not targeted — is not a strategy. It's a liability. And when the breach happens, "I didn't think it would happen to me" is not a defense your bar association or your malpractice carrier will find compelling.
Lock the doors. Close the windows. Install the alarm. The basics, done consistently, are the difference between a firm that survives a cyber incident and a firm that doesn't.