
Could you say, today, where your client data lives?

Most firms think they can. Most firms cannot.

Arthur Gaplanyan

Most managing partners I talk to say data security is handled. The firm has Microsoft 365. There’s antivirus. The practice management vendor takes care of the rest. Nobody has been breached that anyone knows of, so the system must be working.

That’s the assumption. The data Rocket Software published in February 2026 puts a number on the gap behind it. Sixty-nine percent of IT leaders rank data security as their top concern. Only about a third say they would feel extremely confident passing a regulatory audit. That’s the same group of people, two different answers about the same environment.

For a law firm, that gap is not abstract. It is the duty of confidentiality sitting on top of an environment nobody can fully describe. Under the ABA Model Rules, Rule 1.6(c) frames that duty around reasonable efforts to prevent unauthorized disclosure or access. For California firms, the path runs through Business and Professions Code section 6068(e), Rule 1.1’s competence requirement, and Formal Opinion 2010-179 on technology. Different path. Same practical problem.

The sprawl that built up while nobody was watching

Most firms today are running what the industry calls a hybrid environment. You probably wouldn’t describe it that way. You’d say you have Microsoft 365 for email and documents, Clio for matters and billing, maybe NetDocuments or iManage if the firm has grown into a dedicated document management system, QuickBooks for the books, a copier vendor that handles e-filing, and maybe a file server in the back room that’s been there since before the managing partner made partner.

Each of those was added for a good reason. Each one solved a problem. None of them came with an answer to the questions that matter now.

Where does an active client file actually live? In Clio, because that’s where the matter is. In SharePoint, because the associate dragged it there to work on it from home. In Outlook, because the client emailed a draft. In the file server, because the original intake was scanned there four years ago and never moved. In the departed paralegal’s personal Dropbox, because she set that up during the pandemic and nobody asked.

Who has access to it? The two attorneys on the matter, of course. The paralegal supporting them. The contract attorney brought in for discovery, whose access nobody remembered to revoke when the matter closed. The IT vendor, because administrative access to the file server may technically allow visibility into everything. The former associate who left for another firm last spring and whose Clio login still works because nobody runs an offboarding checklist.

This is the environment the cyber insurance renewal questionnaire is asking about. It is also the environment a firm may one day have to explain in terms of its confidentiality and competence duties. None of that is about perfection. It is about being able to describe what you have, and a firm that does not know what it has cannot describe it.

Where the questions get uncomfortable

The Rocket Software research asked IT leaders whether they would pass an audit. Two-thirds said no, or not confidently. The interesting part is that the same group rates security as its top priority. They care about the answer. They just don’t have it.

For a firm, the parallel set of questions sounds like this. If the State Bar contacted you tomorrow with an inquiry tied to a former client’s complaint, could you tell them every place that client’s file exists today? If your cyber insurance renewal asks how many former employees still have system access, what’s the answer? If opposing counsel raises a spoliation concern in discovery, can the firm document what data has been preserved, where, and who can reach it?

The honest answer at most firms is “we would have to look into it.” That’s the gap. Not a security gap exactly. A visibility gap. The firm cannot answer the questions a regulator, an insurer, or a court might one day ask.

Then there’s AI. Most firms are at least thinking about it. Some are already using Copilot, ChatGPT, or a legal-specific tool. AI tools work on the data you point them at, and they happily reach across the whole environment if nothing is stopping them. If the firm doesn’t know where its sensitive data lives, layering AI on top doesn’t fix the problem. It speeds it up.

What “reasonable efforts” looks like in practice

The ABA’s phrase is a useful one. It is not a list of products to buy. It is a state the firm can describe and defend. Three things have to be true.

The firm knows where client data lives. Not perfectly. But a partner can name the systems, say roughly what kind of data sits in each one, and point to a way the firm can find a specific client’s data when it needs to.

The firm knows who has access to what. Current employees, by role. Former employees, none. Vendors, with documented permissions for what they need. When someone leaves, there’s a process that closes access before the end of the day.

The firm reviews this on a schedule. Not constantly. But on a calendar that catches the access creep before it builds up for years.

That’s most of what the standard looks like in practice for a small or mid-sized firm. The tools to support each of those exist and are not expensive. The work is not technical. It’s organizational. It’s the same kind of work a firm already does when a matter closes and the closing memo gets filed.
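The three conditions above can be checked mechanically once the firm has a staff roster and a list of accounts per system. The following is an added example, not code from the post or from any of the products it names; the firm, staff names, systems, matter numbers and dates are constructed sample data, and the 90-day review interval is an assumed policy value.

```python
# Added example: reconcile per-system accounts against the staff roster and
# closed matters to surface the access creep described above. All data below
# is constructed for illustration; the 90-day interval is an assumed policy.
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    system: str                 # e.g. "M365", "Clio", "FileServer"
    user: str                   # login or account owner
    kind: str                   # "employee", "contractor", or "vendor"
    matter: str = ""            # contractor access is tied to a matter
    documented_scope: str = ""  # vendor access needs a written scope


# Constructed sample data for a hypothetical firm.
CURRENT_STAFF = {"alice", "bob", "carol"}
CLOSED_MATTERS = {"M-2024-017"}
ACCOUNTS = [
    Account("M365", "alice", "employee"),
    Account("Clio", "bob", "employee"),
    Account("Clio", "dave", "employee"),                        # left the firm
    Account("SharePoint", "erin", "contractor", matter="M-2024-017"),
    Account("FileServer", "it-vendor", "vendor"),               # scope undocumented
    Account("Clio", "carol", "employee"),
]
REVIEW_INTERVAL_DAYS = 90  # assumed review cadence


def find_access_creep(accounts, staff, closed_matters):
    """Return (system, user, reason) for every account the firm cannot defend."""
    findings = []
    for a in accounts:
        if a.kind == "employee" and a.user not in staff:
            findings.append((a.system, a.user, "former employee still has access"))
        elif a.kind == "contractor" and a.matter in closed_matters:
            findings.append((a.system, a.user, f"matter {a.matter} is closed"))
        elif a.kind == "vendor" and not a.documented_scope:
            findings.append((a.system, a.user, "vendor access without documented scope"))
    return findings


def review_overdue(last_review_iso, today_iso, interval_days=REVIEW_INTERVAL_DAYS):
    """True when the scheduled access review has slipped past the interval."""
    last = date.fromisoformat(last_review_iso)
    today = date.fromisoformat(today_iso)
    return (today - last).days > interval_days


if __name__ == "__main__":
    for finding in find_access_creep(ACCOUNTS, CURRENT_STAFF, CLOSED_MATTERS):
        print(*finding)
    print("review overdue:", review_overdue("2025-06-01", date.today().isoformat()))
```

Running it against the sample data lists the departed associate, the contractor on a closed matter, and the vendor account with no written scope; the same join works against real exports once the roster and account lists are pulled from each system.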

Back to the question this started with

Could you, today, tell us where every active client file lives and who can open it? If the answer feels closer to “we’d have to check” than to “yes, here it is,” that’s the gap worth closing before something forces the firm to close it under pressure. We help firms map where their data lives, clean up access, and document the answers before a regulator, insurer, client, or opposing counsel is asking. It is usually less work than partners expect, and it is much easier to do before one of those pressures forces the issue.