Law firms in Canada need to collaborate on a vendor-neutral cybersecurity framework

The legal profession must overcome its silos to protect its most important assets, argues this tech consultant

OPINION
By Mazdak Araghrez
Jan 09, 2026

What am I doing about it? What could we do about it? And who is actually doing anything right now?

These were the questions I kept asking myself in the summer of 2025. I was working inside one of the world’s largest law firms, assessing our cybersecurity practices against well-known information security frameworks. The deeper we went, the clearer it became that the legal sector is not where it needs to be. Not because people don’t care or leadership isn’t paying attention, but because almost every firm is trying to solve this problem on its own.

That is the core issue. Cybersecurity in law is still treated as a firm-specific project, when in reality it affects the entire profession.

Firms don’t work in isolation. We work together on matters. We exchange sensitive files with opposing counsel. We rely on shared platforms, vendors, and cloud infrastructure. If one firm is hit, clients don’t say, “Oh well, that was just that firm.” They question how legal data is protected holistically. That is where the real risk lies.

“If you want to go fast, go alone. If you want to go far, go together.”

Few areas illustrate this better than cybersecurity.

Most firms I’ve spoken to are acting: buying tools, tightening policies, hiring consultants, conducting training, and commissioning assessments. But they are doing all of this in silos. There is no shared baseline. No commonly accepted definition of what “good” looks like for a Canadian law firm – or, frankly, for any law firm.

According to 2024 IBISWorld data, Canada has roughly 35,000 law firms of varying sizes. They hold highly sensitive client data but typically lack cybersecurity teams, threat intelligence functions, and security engineers. They are data-rich and resource-poor – and attackers are aware of this.

The risk is not theoretical. In 2024, a Florida law firm faced a class action after a breach exposed client information. The firm reportedly settled for US$8.5 million, becoming one more example in a growing list of law firms targeted by ransomware and data theft.

Meanwhile, Canadian law firms are increasingly interdependent. We share clients, documents, systems – and, critically, risks. A compromise in one environment can easily spread to another, particularly in a digitized and interconnected ecosystem.

This leads to a simple question: if we are all connected, why are we defending ourselves separately?

We have bodies, but they don’t solve the problem

We do have organizations in the legal technology space. ILTA exists. The Canadian Bar Association has groups. Provincial law societies publish guidance. But none of these bodies solves the collaboration problem.

ILTA, for example, is excellent but paywalled and primarily serves medium and large firms that can afford the fees. No single group reaches the thousands of small and mid-sized firms that make up the majority of Canada’s legal market. And none provides truly actionable, operational “knowledge and skills” that firms can plug into their day-to-day work.

Instead, we end up with scattered pockets of collaboration, mostly among well-resourced firms, while the majority are left to fend for themselves. That divide is precisely where the collective risk sits – and where bad actors thrive.

We have a shared duty to confidentiality, not a competitive edge

Confidentiality is the foundation of the profession. But it does not stop at one firm’s firewall.

If one firm in a multi-firm matter is breached, everyone is exposed. If one firm transmits compromised files through a shared DMS or client portal, everyone is exposed. If a small firm working on a high-stakes matter is compromised, the fallout can affect clients, courts, regulators – even governments.

Clients already understand this. Many in-house legal teams now assess the cybersecurity posture of external counsel before engaging them. Insurers are tightening their requirements, and audits are becoming more frequent. Firms of every size, including solo practitioners, are expected to have reasonable safeguards and a working incident response plan.

The pressure is here. The risk is real. The only question is whether the profession responds collectively or continues to duplicate effort and go it alone.

A collaborative, vendor-neutral platform is the realistic next step

If we accept that collaboration is necessary, we need a model to make it real.

Not another vendor product.
Not another paid membership group.
Not another 200-page policy document no one uses.

What we need is a shared, vendor-neutral, profession-led platform – built by law firms for law firms – with a simple goal: Help firms protect themselves.

Such a platform would offer practical tools, templates, checklists, incident response playbooks, tabletop scenarios, and guidance tailored to firms without dedicated security teams. In short, a firm seeking to align with ISO 27001 can utilize freely available resources to achieve this goal, with support from the legal community, rather than relying solely on expensive consultants.

This kind of platform is not a luxury. It is the only credible way to elevate the entire profession, not just the firms with the largest budgets – many of which are struggling themselves.

A call to the profession

Canadian law firms are at a crossroads. It may sound like a cliché. It might be. But it is also true.

We can either wait for a major domestic breach to force change – and it will come – or we can start building together now. The legal sector has always taken collective responsibility for ethics and competence. Cybersecurity deserves the same status. If it does not get it, “confidentiality” will cease to have real meaning.

Attackers are already collaborating, sharing tools, and behaving like a team. If we do not choose our own jerseys, we will not be able to keep up.

It is time for the profession – including large and small firms, law societies, clients, insurers, and technologists – to build a shared cybersecurity foundation that protects everyone, not just those with resources. A kind of cybersecurity democracy for law.

If we must ask “why?”, the answer is simple: cybersecurity in law is not a competitive advantage; it is a shared responsibility.

And we are running out of time to treat it that way; the legal doomsday clock is nearing midnight.
