In 2023, a popular legal practice management platform got hit with ransomware. Client matter files from thousands of firms spilled out into the open — firms that had done everything right internally. Strong passwords. Solid firewalls. The vendor wasn’t the same story.

That’s the uncomfortable truth about third-party vendor risk: your firm’s security is only as strong as the weakest vendor in your stack.

The Problem: You’re Locked Down. Your Vendors Aren’t Necessarily.

Most law firms have actually made real progress on internal security. MFA is on. Employees know what a phishing email looks like. Laptops are encrypted. That’s genuinely solid work.

But here’s what gets missed: the practice management software holding every matter file, every client note, every deadline. Your e-signature tool with engagement letters and personal information attached. Your billing platform with years of payment data, matter descriptions, and contact details.

Each vendor has access to data that’s yours — and your clients’ — even though it lives on their servers, under their security policies.

When a vendor gets breached, attackers skip your network entirely. They go straight through the vendor’s systems and walk out with your clients’ confidential information. Your firm gets the call. Your firm handles the fallout. Your clients look to you for answers.

This isn’t theoretical. It happens to large firms and small ones. And it’s accelerating because attackers have figured out that legal vendors are high-value, centralized targets. One breach. Thousands of firms’ data.

The real issue isn’t that law firms are careless. It’s that vendor risk management hasn’t been treated as part of the security conversation — until now.

Why This Matters for Law Firms

Law firms have obligations most industries don’t. The ABA Model Rules of Professional Conduct — specifically Rules 1.6 and 5.3 — are explicit: attorneys have a duty of confidentiality that covers how vendors and non-lawyer staff handle client information.

Rule 5.3 is straightforward: you’re responsible for ensuring that people and entities working on your behalf comply with your professional obligations. That includes software vendors.

Beyond ethics rules, many firms handle matters that trigger state privacy laws. Operating in California with a vendor breach that exposes client personal information? Your firm likely faces notification obligations under the CCPA — even though you didn’t cause the breach.

Healthcare litigation, immigration cases, financial matters — these can pull client data under HIPAA or GLBA requirements depending on context.

The financial exposure is real. Malpractice insurers now ask about vendor security during coverage renewals. A breach traced back to an unvetted vendor — one you never audited, never reviewed a contract with — is exactly the scenario that creates coverage problems.

Smaller firms are most vulnerable. Vendors prioritize breach response resources for their largest accounts. If you’re a ten-person firm paying a modest monthly subscription, you’re far down the list when the vendor is triaging notifications and remediation.

How to Assess Third-Party Vendor Risk at Your Firm

Vendor risk assessment sounds formal. It doesn’t have to be. You don’t need a dedicated security team or compliance department. You need a consistent process and three specific documents.

Start by mapping who touches your data. List every software platform and service that stores, processes, or transmits client information. Practice management software. Document management. E-signature tools. Billing platforms. Cloud storage. Third-party IT support. Most firms are shocked by how long this list gets.

Request these three documents from every vendor:

  1. A SOC 2 Type II report. A System and Organization Controls 2 audit is conducted by an independent auditor and evaluates a vendor’s security, availability, and confidentiality controls. Type II reviews controls over a period of time rather than at a single snapshot, which is what makes it meaningful. If a vendor can’t or won’t produce one, take that seriously.

  2. A data processing agreement (DPA). This contract defines how the vendor uses your data, where it’s stored, how long it’s retained, and what happens if something goes wrong. Many vendors have these ready. If they don’t, ask why.

  3. A breach notification clause. This specifies how fast the vendor notifies you after discovering a breach — ideally within 72 hours — and what information they’ll provide. Vague language like “timely manner” doesn’t cut it.

Ask direct questions before signing:

  • Where is our data stored, and is it encrypted at rest and in transit?
  • Do you use subprocessors, and are they subject to the same security requirements?
  • What’s your incident response process if you detect unauthorized access?
  • When did you last run a penetration test, and can you share a summary?

You’re not being adversarial. You’re doing exactly what your ethical obligations require.

Review vendors you already use. If you’ve been on a platform for three years without reviewing their security posture, now’s a reasonable time to ask for updated documentation. Reputable vendors expect these questions.

What to Look for in an IT Partner

If your firm works with a managed IT services provider (MSP), they should do more than keep computers running. Ask whether they include vendor risk review in their services.

A good IT partner helps you build and maintain your vendor inventory, reviews SOC 2 reports on your behalf, and flags risky contract language. They should advise you when a vendor you’re considering has a known security history or lacks basic certifications.

When evaluating an MSP, ask:

  • Do you have experience with legal industry compliance — ABA Model Rules, state bar guidance on technology?
  • Can you help us set up a vendor due diligence process?
  • Do you monitor threat intelligence specific to legal software vendors?
  • What’s your process if a vendor we use announces a breach?

A provider working exclusively with professional services firms already knows your typical vendor stack. That’s a real advantage when things go wrong.

The Bottom Line

Your firm’s security includes every vendor that touches client data — not just your internal systems. A breach at a practice management platform, e-signature tool, or billing provider can expose years of confidential files without any failure on your part. The good news: managing this doesn’t require a compliance department. It requires a vendor inventory, three key documents, and the right questions asked before you sign.
Frequently Asked Questions

What is third-party vendor risk for law firms?

Third-party vendor risk is the security and compliance exposure created when your firm shares or stores client data with outside software vendors and service providers. If a vendor’s systems get breached, your clients’ information can be exposed even if your firm’s security is solid. Law firms face particular risk because the confidentiality obligations in ABA Model Rules 1.6 and 5.3 extend to how vendors handle client information on your behalf.

Are law firms responsible for notifying clients if a vendor is breached?

It depends on jurisdiction and the type of data involved. In California, the CCPA may require notification to affected individuals even when the breach happened at a vendor, not within the firm. Many state bar associations have issued guidance saying firms must assess their notification obligations after a vendor incident. Your data processing agreement should specify the vendor’s obligation to notify you quickly — from there, your obligations follow applicable law and bar rules.

What is a SOC 2 report and why should law firms ask for one?

A SOC 2 (System and Organization Controls 2) report is an independent security audit evaluating whether a vendor’s systems and controls meet established standards for security, availability, and confidentiality. A SOC 2 Type II report is more useful than Type I because it reviews controls over time rather than at a single moment. Requesting this report from any vendor storing or processing client data is a practical, widely accepted baseline for vendor due diligence.

What should a law firm’s vendor contract include to protect against data breaches?

Vendor contracts involving client data should include a data processing agreement (DPA) defining data handling obligations, retention limits, and security requirements. The contract should also have a specific breach notification clause requiring the vendor to notify your firm within a defined window — typically 72 hours of discovery — with details about scope and nature. Language around subprocessors (vendors your vendor uses) and data deletion after termination is worth reviewing carefully too.
If you’re working through third-party vendor data breach risk at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area — we know your world.