Law firms handle some of the most sensitive data of any professional services business: client communications, litigation strategy, M&A details, employment matters, and financial records. A breach doesn’t just create liability. It can end client relationships, trigger bar complaints, and in some cases violate ethical obligations under the California Rules of Professional Conduct.

Palo Alto has a high concentration of boutique firms, solo practitioners, and mid-size practices that represent VC-backed startups, tech executives, and high-net-worth individuals. The data these firms hold is high-value. The IT infrastructure protecting it often isn’t.

The Ethical Obligation Is Real

The California State Bar has made clear that attorneys have a duty of competence that includes understanding the technology used in their practice, and the risks that come with it. Rule 1.1 of the California Rules of Professional Conduct requires lawyers to keep abreast of changes in the law and its practice, which courts and bar guidance have extended to include technology competence.

Practically, this means:

  • You have an obligation to protect confidential client information from unauthorized disclosure (Rule 1.6)
  • You must take reasonable steps to prevent inadvertent disclosure, including through technology
  • If you use cloud services or third-party vendors to store client data, you need to understand what protections those vendors provide and whether they’re sufficient

“We use Microsoft 365” is not an answer to these obligations. How your M365 tenant is configured is what matters.

What Most Palo Alto Law Firms Get Wrong

Email is not secure by default. Standard email, even on a professional domain, transmits in plaintext unless both ends support TLS and your DNS records are correctly configured. More importantly, if a staff member’s account gets compromised through a phishing email (the most common attack vector against law firms), every client communication in that inbox is exposed. MFA on every account is the minimum. Conditional Access policies that restrict email access to managed or trusted devices are the right standard.

Document storage lacks access controls. Most small firms use SharePoint or a shared drive where everyone has access to everything. This means a breach of any account potentially exposes every client file. Access controls should be structured so that staff and attorneys only access the matters they’re working on. Not every paralegal needs to see every client’s documents.

No encryption on laptops and mobile devices. Attorneys work from home, from client offices, from courthouses. If a laptop is lost or stolen and the drive isn’t encrypted, every document on it is readable by whoever finds it. BitLocker (Windows) and FileVault (Mac) need to be enabled and managed, not left to individual attorneys to configure themselves.

No written data retention and destruction policy. When a matter closes, what happens to the client files? How long are they retained? Where are they stored? How are they destroyed? Most small firms have no written policy, which creates exposure on multiple fronts, both from a security standpoint and from a professional responsibility standpoint.

Client portals are often insecure. Emailing documents back and forth with clients is a security risk. A client portal (a secure, access-controlled system for document exchange) is the right approach. Many case management platforms include one. If yours doesn’t, a SharePoint-based client portal can be configured relatively easily with proper M365 licensing.

No incident response plan. If a ransomware attack hit your firm tonight, what would you do? Who would you call? How long would it take to restore from backup? If you don’t know the answers to these questions, you don’t have an incident response plan, and that’s a gap that matters both operationally and ethically.

What a Well-Configured Law Firm IT Environment Looks Like

For a Palo Alto firm with 5–30 attorneys and staff:

Microsoft 365 Business Premium: includes Exchange Online, SharePoint, Teams, Intune (device management), Defender for Business (endpoint protection), Azure AD Premium P1 (Conditional Access), and Purview compliance tools. This is the right licensing tier for most law firms. It’s not the cheapest option, but the security and compliance features justify the cost.

Conditional Access: policies that enforce MFA, block access from unsupported platforms, and optionally restrict access to managed devices. This single configuration change closes the majority of credential-based attack vectors.
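The three policy types named above, sketched with the Microsoft Graph PowerShell SDK. This is an added example, not LineSight Digital's own configuration: the display names, the excluded emergency-access account ID, and the list of supported platforms are assumptions, and every policy is created in report-only mode so its effect can be reviewed in sign-in logs before enforcement.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module and an
# account permitted to manage Conditional Access in the tenant.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder (assumption): object ID of an emergency-access account that is
# excluded from every policy so a misconfiguration cannot lock out all admins.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

$users   = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
$allApps = @{ includeApplications = @('All') }
$state   = 'enabledForReportingButNotEnforced'   # report-only

$policies = @(
    # 1. Enforce MFA on every sign-in to every cloud app.
    @{
        displayName   = 'EXAMPLE - Require MFA for all users'
        state         = $state
        conditions    = @{ users = $users; applications = $allApps; clientAppTypes = @('all') }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    # 2. Block any device platform the firm does not support (assumed list).
    @{
        displayName   = 'EXAMPLE - Block unsupported platforms'
        state         = $state
        conditions    = @{
            users          = $users
            applications   = $allApps
            clientAppTypes = @('all')
            platforms      = @{
                includePlatforms = @('all')
                excludePlatforms = @('windows', 'macOS', 'iOS', 'android')
            }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    # 3. Optional: Office 365 (mail, SharePoint, Teams) only from managed devices.
    @{
        displayName   = 'EXAMPLE - Require managed device for Office 365'
        state         = $state
        conditions    = @{
            users          = $users
            applications   = @{ includeApplications = @('Office365') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
    }
)

foreach ($policy in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}
```

Switching a policy's `state` to `enabled` is what starts enforcement; the third policy only makes sense once devices are enrolled in Intune and reporting compliance.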

BitLocker + Intune: enforce disk encryption on all Windows devices through Intune policy. For Macs, use FileVault with an Intune compliance policy that blocks non-encrypted devices from accessing company resources.

Matter-based SharePoint structure: organize client files in SharePoint sites or libraries with explicit permission sets per matter. Only assign access to attorneys and staff actively working on each matter.

Email encryption: for communications containing sensitive client information, configure M365 Message Encryption (included in Business Premium) or use a secure client portal.

Third-party M365 backup: Veeam or Spanning. Covers the gap that Microsoft’s native tools don’t: point-in-time restore for SharePoint, Exchange, and OneDrive.

Written policies: data retention and destruction policy, acceptable use policy, incident response plan. These don’t need to be long, but they need to exist in writing and be reviewed annually.

Getting Started

The right starting point is an IT assessment that covers your Microsoft 365 configuration, device security, backup posture, and access controls, with specific findings mapped to your obligations under the California Rules of Professional Conduct.

LineSight Digital provides free IT assessments for Palo Alto law firms. We’re based in San Jose and available for on-site visits throughout the Peninsula. We also sign NDAs before starting any engagement involving access to client systems.

Call (408) 805-4799, email [email protected], or use the AI IT Advisor to get immediate answers about your current setup.

For more on IT support for legal practices in the Bay Area, see our law firm IT services page.

