Ask any managing partner at a Newport Beach or Irvine firm what keeps them up at night, and you’ll hear a familiar list: a difficult client, a missed deadline, a malpractice claim, an associate who just resigned three weeks before trial. What you won’t hear, almost ever, is the name of the person who actually has the keys to every privileged document, every client trust account routing number, and every partner’s inbox.
That person is your IT provider. And in 2026, they are quietly the single largest unmanaged liability on your firm’s risk register.
This isn’t a sales pitch dressed up as a warning. It’s math. Law firms have become one of the most attractive targets in cybercrime. Clients know it, attackers know it, your malpractice carrier knows it. And yet most firms still treat IT as a back-office utility, like the copier vendor. The gap between what your IT provider is doing and what your bar obligations actually require has widened into a canyon.
The malpractice you can’t insure your way out of
Here’s the part that gets missed in every partner meeting: California attorneys are personally on the hook for cybersecurity, and “I hired an IT guy” is not a defense. ABA Formal Opinion 483 makes the duty explicit — under Model Rules 1.1 (competence), 1.6 (confidentiality), and 5.3 (supervision of non-lawyer assistants), attorneys must make reasonable efforts to monitor for breaches, prevent unauthorized disclosure, and notify clients when material information is exposed. The California State Bar’s Formal Opinion 2020-203 adopts the same framework and adds California Business & Professions Code §6068(m) on top.
Translation: your IT vendor is a non-lawyer assistant. Their failure is your ethical violation. The bar doesn’t care that you outsourced it.
And California adds a second layer. Civil Code §1798.82 — the state’s data breach notification statute — requires notice to affected residents and, in larger incidents, to the California Attorney General. A breach involving privileged communications is not just a confidentiality problem; it’s a regulatory event with statutory teeth, deadlines, and a public-facing paper trail.
Your IT provider is not your security provider (and probably never was)
Most Orange County firms hired their IT company for one reason: things stopped working and someone needed to fix them. Printers, Outlook, the VPN that drops every time a partner travels. That’s IT support. It is genuinely useful work, and it is not — repeat, not — cybersecurity.
A real cybersecurity program for a law firm involves 24/7 threat monitoring, endpoint detection and response, email filtering tuned for spear-phishing, multi-factor authentication enforced everywhere (not just where it’s convenient), encrypted backups tested against ransomware, written incident response playbooks, and documented evidence that you did all of this — because when the bar asks, “what reasonable efforts did you make?”, a verbal answer doesn’t cut it.
Most firms have approximately none of that. They have antivirus, a firewall someone configured in 2017, and a guy named Dave who answers the phone fast.
| What you think your IT provider is doing | What they’re actually doing | What the bar expects |
|---|---|---|
| Email security | Microsoft 365’s default spam filter | Advanced threat protection, impersonation detection, DMARC enforcement |
| Threat monitoring | Nothing, until a partner can’t log in | 24/7 SOC monitoring with documented response times |
| Backups | A NAS in the server closet, last tested never | Immutable, off-site, tested quarterly against ransomware scenarios |
| Multi-factor authentication | “Turned on for email, mostly” | Enforced on every system, every user, no exceptions for partners |
| Incident response | A phone number and “we’ll figure it out” | Written IRP, breach counsel pre-engaged, notification workflow ready |
| Documentation | Verbal assurances from your IT guy | Written security policies, audit logs, training records |
Why your partners are the target — and why it works
Business email compromise is now the single most expensive cyber threat to professional services firms, and law firms sit in the bullseye. BEC accounted for 73% of all reported fraudulent ACH and wire incidents in 2024, up from 44% the year before. The FBI has tallied $55 billion in losses from BEC over the last decade.
For a law firm, the playbook is depressingly predictable. An attacker spends six weeks quietly reading a partner’s inbox after a successful credential-phish. They learn how the firm talks to clients, who handles trust accounts, when closings happen, and which paralegal sends the wire instructions. Then, the morning of a real estate closing in Newport Beach, they send a perfectly formatted email from inside the partner’s actual account — same signature, same tone, same email thread — with updated wiring instructions. The funds go to a money-mule account in Atlanta, get split across three banks, and are in crypto by lunch.
Now the firm has a problem with at least four legs: the client’s money is gone, the firm’s privileged communications were read by a third party for six weeks, the bar wants to know what reasonable efforts were made, and the malpractice carrier is asking whether wire-verification protocols were followed.
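The six weeks of quiet reading described above leave traces in the mailbox audit log, which is what “what is your detection time for a compromised email account?” is really asking about. The script below is an added example written for this article, not Intelecis’s tooling or any vendor’s product. It runs over a constructed sample of audit events (one JSON object per line; the operation names follow Microsoft 365’s unified audit log, but the other field names and the `BASELINE_COUNTRIES` set are assumptions for the example) and flags the two indicators a monitoring provider should be alerting on: a sign-in from a country the firm never signs in from, and a new inbox rule that forwards mail outside the firm or files matching messages in a folder nobody reads. When both happen on one account within a week, it escalates to a likely account takeover.

```python
"""Detect inbox-takeover indicators in a constructed sample of mailbox audit events.

Example code for this article, not the firm's or a vendor's monitoring.
Assumptions: each audit event is one JSON object per line with the keys
ts, user, operation, country and optional inbox-rule fields; the firm's
staff normally sign in only from BASELINE_COUNTRIES.
"""
import json
from datetime import datetime, timedelta

BASELINE_COUNTRIES = {"US"}  # assumed: where the firm's staff normally sign in from
HIDING_FOLDERS = {"deleted items", "rss feeds", "archive", "junk email"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
CORRELATION_WINDOW = timedelta(days=7)

# Constructed sample log: a paralegal signs in normally, then a sign-in from a
# new country is followed minutes later by a rule that forwards closing-related
# mail out of the firm and hides the originals. The partner's rule is benign.
SAMPLE_LOG = """\
{"ts": "2026-02-02T09:01:00", "user": "paralegal@example-firm.test", "operation": "UserLoggedIn", "country": "US"}
{"ts": "2026-02-03T03:14:00", "user": "paralegal@example-firm.test", "operation": "UserLoggedIn", "country": "NG"}
{"ts": "2026-02-03T03:20:00", "user": "paralegal@example-firm.test", "operation": "New-InboxRule", "country": "NG", "forward_to": "closings-relay@example-mule.test", "move_to_folder": "RSS Feeds", "keywords": ["wire", "closing"]}
{"ts": "2026-02-03T08:45:00", "user": "partner@example-firm.test", "operation": "UserLoggedIn", "country": "US"}
{"ts": "2026-02-04T10:00:00", "user": "partner@example-firm.test", "operation": "New-InboxRule", "country": "US", "move_to_folder": "Clients/Smith", "keywords": ["smith"]}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def rule_is_suspicious(event):
    """Reasons a new inbox rule looks like attacker persistence, if any."""
    reasons = []
    forward_to = event.get("forward_to", "")
    firm_domain = "@" + event["user"].split("@")[1]
    if forward_to and not forward_to.endswith(firm_domain):
        reasons.append(f"forwards to external address {forward_to}")
    if event.get("move_to_folder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves matching mail to '{event['move_to_folder']}'")
    return reasons


def find_takeover_indicators(events):
    """Return {user: [finding, ...]} for users with foreign sign-ins or suspicious
    rules, adding a 'likely account takeover' finding when a suspicious rule
    follows a foreign sign-in within CORRELATION_WINDOW."""
    findings = {}
    foreign_logins = {}
    for event in events:
        user = event["user"]
        if event["operation"] == "UserLoggedIn" and event["country"] not in BASELINE_COUNTRIES:
            foreign_logins.setdefault(user, []).append(event["ts"])
            findings.setdefault(user, []).append(
                f"sign-in from {event['country']} at {event['ts'].isoformat()}")
        elif event["operation"] in RULE_OPERATIONS:
            reasons = rule_is_suspicious(event)
            if not reasons:
                continue
            findings.setdefault(user, []).append("inbox rule " + "; ".join(reasons))
            recent = [t for t in foreign_logins.get(user, [])
                      if event["ts"] - t <= CORRELATION_WINDOW]
            if recent:
                findings[user].append(
                    f"likely account takeover: suspicious rule within "
                    f"{CORRELATION_WINDOW.days} days of a foreign sign-in")
    return findings


if __name__ == "__main__":
    for user, items in find_takeover_indicators(parse_events(SAMPLE_LOG)).items():
        print(user)
        for item in items:
            print("  -", item)
```

The point of the correlation step is the detection time the checklist asks about: each indicator on its own generates noise (partners travel, people make filing rules), but a hiding or forwarding rule created minutes after a sign-in from a new country is the moment a monitored firm gets a phone call and an unmonitored firm starts its six weeks.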
What a breach actually costs an OC law firm
The Clio Legal Trends Report puts the average cost of a law firm data breach at $5.08 million in 2024, up over 10% year-over-year. For a small firm, the average is closer to $36,000 — but that number is almost always wrong, because it doesn’t include what really hurts.
What really hurts is this: 56% of law firms that suffered a breach in the past year lost sensitive client information. Nearly 40% of clients say they would fire — or strongly consider firing — a firm that experienced a breach. In a market like Orange County, where partner-to-client relationships are dense, referrals are everything, and the legal community talks, losing one major client to a breach can mean losing the next five who hear about it at the country club.
Then add: forensic investigation ($50k–$250k), breach counsel, mandatory client notifications under §1798.82, credit monitoring offers, possible bar complaints, possible malpractice suits, lost billable hours during recovery, and the awkward press release. The $5 million figure starts to look conservative.
Eight questions every managing partner should ask this quarter
Don’t ask your IT provider whether your firm is secure. They will say yes. Ask them these instead, and ask for written answers:
- Is MFA enforced on every account — including every partner, every paralegal, and every shared mailbox? “Mostly” is a no.
- What is your detection time for a compromised email account? If the answer is “we’d see it eventually,” they’re not monitoring.
- When was our last ransomware-recovery test, and what was the documented recovery time? Untested backups are decorative.
- Do we have a written incident response plan that names breach counsel, our cyber insurance carrier, and notification timelines under California Civil Code §1798.82?
- What logging do we retain, and for how long? If a breach is discovered in March, can you tell me what happened in January?
- What training do staff receive on phishing and wire-verification, and how do you measure it? “We sent an email about it” doesn’t count.
- Can you produce documentation of our security controls if a client’s GC asks — or if the State Bar does?
- What is your written response SLA when something does go wrong? If it’s not in the contract, it doesn’t exist.
If your current provider can’t answer half of these in writing within a week, you have your answer about whether you have a security partner or a printer-repair vendor with a fancier title.
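Two of the questions above (“Is MFA enforced on every account?” and “What logging do we retain, and for how long?”) have answers that can be checked against exported data rather than taken on faith. The script below is an added example for this article, not Intelecis’s or any vendor’s tooling. It assumes the provider can hand over two exports, an account list with a per-account MFA status and a list of log sources with their retention in days; the column names and every account and source in it are constructed for the example. It then produces the written answers the checklist asks for, treating shared mailboxes, partners and service accounts as in scope, and measuring retention against the article’s own test of reconstructing January during a March investigation.

```python
"""Audit MFA coverage and log retention from constructed inventory exports.

Example code written for this article, not the firm's or a vendor's tooling.
Assumptions: the IT provider can export (1) an account list with a per-account
MFA status and (2) a list of log sources with retention in days; the column
names and all accounts and sources below are made up for the example.
"""
import csv
import io
import json
from datetime import date

# Constructed account export; a real one would come from the identity provider.
ACCOUNTS_CSV = """\
upn,account_type,role,mfa_enforced,last_sign_in
partner1@example-firm.test,user,partner,false,2026-03-01
associate1@example-firm.test,user,attorney,true,2026-03-02
paralegal1@example-firm.test,user,staff,true,2026-03-02
closings@example-firm.test,shared,mailbox,false,2026-02-27
scanner@example-firm.test,service,device,false,2025-06-10
"""

# Constructed list of log sources and how many days each is kept.
LOG_SOURCES_CSV = """\
source,retention_days
identity_sign_in,30
mailbox_audit,90
endpoint_edr,180
firewall,14
"""

# The article's test: a breach discovered in March must be reconstructable
# back to January, so retention must cover at least that span (89 days here).
REQUIRED_RETENTION_DAYS = (date(2026, 3, 31) - date(2026, 1, 1)).days


def load_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def mfa_gaps(accounts):
    """Every account without enforced MFA, shared mailboxes and partners included.
    Dormant service accounts are reported too: 'no exceptions' means they get
    MFA, a sign-in block, or a disable ticket, not a quiet exemption."""
    return [a["upn"] for a in accounts if a["mfa_enforced"].strip().lower() != "true"]


def retention_gaps(sources, required_days=REQUIRED_RETENTION_DAYS):
    """Log sources too short to answer 'what happened in January' in March."""
    return {s["source"]: int(s["retention_days"]) for s in sources
            if int(s["retention_days"]) < required_days}


def written_answers(accounts, sources):
    """The written answers the checklist asks for, derived from the exports."""
    gaps = mfa_gaps(accounts)
    short = retention_gaps(sources)
    return {
        "mfa_enforced_everywhere": not gaps,
        "accounts_without_mfa": gaps,
        "required_retention_days": REQUIRED_RETENTION_DAYS,
        "log_sources_too_short": short,
        "can_reconstruct_january_in_march": not short,
    }


if __name__ == "__main__":
    answers = written_answers(load_csv(ACCOUNTS_CSV), load_csv(LOG_SOURCES_CSV))
    print(json.dumps(answers, indent=2))
```

On the constructed data the answer to question one is no (a partner, a shared mailbox and a forgotten scanner account have no MFA), and the answer to question five is no as well: the sign-in and firewall logs roll off long before a March investigator would need them, which is exactly the situation in which “we’d see it eventually” turns into “we can’t tell you what happened.”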
What “good” actually looks like
The firms doing this well in Orange County share a pattern. They’ve moved past the “IT guy” model to a real managed IT and security partnership — one where the same provider that handles the help desk also runs 24/7 monitoring, enforces written policies, documents everything for the bar and for clients, and has actually rehearsed what happens when an attacker gets in. Crucially, they have a single accountable point of contact who knows the firm, not a rotating ticket queue.
They’ve also stopped treating cybersecurity as a discretionary line item. The firms that pay a premium for real security spend less on breach response, malpractice premiums, and client churn. That math has gotten clearer every year for the last five.
The honest version
If your firm hasn’t audited its IT provider against your actual ethical and statutory obligations as California attorneys, you’re carrying a liability that’s larger than most of the cases on your docket — and unlike those cases, this one isn’t insured by your malpractice policy in the ways you’d hope.
The good news: this is fixable, and the firms that fix it before the breach end up with a story that helps win clients, not lose them. The bad news: 2026 attackers are using AI to write phishing emails indistinguishable from real ones, and the window for figuring this out the easy way is closing.
Intelecis has been helping Orange County law firms close the gap between “IT support” and the security their bar obligations actually require since 2010. Get a free, no-obligation security assessment — we’ll tell you exactly where the holes are, in writing.
📞 949-266-2088 · Fullerton, CA · NSA-Accredited · Serving OC since 2010