Law Firm Cybersecurity in Miami: 2026 Florida Bar & ABA Guide

What Miami law firms must do for cybersecurity in 2026 — Florida Bar duties, ABA Rule 1.6, MFA, encryption, and the safeguards that actually keep clients safe.

Douglyn 13 min read
Image: a Miami law firm conference room at night with case files on the table, a holographic data shield projected above an open laptop, and the Brickell skyline through the window.

Law firms are the soft target in South Florida’s professional services landscape. A single Brickell litigation boutique sits on enough M&A correspondence, sealed settlement terms, and trust-account routing numbers to make a ransomware operator’s quarter. And firms know it — which makes the cybersecurity gap in many Miami practices that much more remarkable.

The Florida Bar was the first state bar in the country to mandate technology CLE back in 2016: three hours of technology programming in every three-year reporting cycle. The American Bar Association’s Model Rule 1.6(c) — adopted in some form by 42 states as of 2026 — explicitly requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

In practical terms: cybersecurity is now an ethical obligation for Florida attorneys, not a nice-to-have IT line item. This guide is the playbook we walk through with Miami firms — from solo practitioners in Coral Gables to 80-attorney litigation shops downtown — when they hire BASG to either build the security program from scratch or hold their existing MSP accountable.

If you only have time for the TL;DR: write down your security baseline, enforce MFA everywhere, encrypt every endpoint, kill business email compromise at the gateway, and run a real tabletop exercise twice a year. Everything else is detail.

Why Miami law firms are higher-risk than the national average

You do not need a Mossack Fonseca-sized footprint to be a target. South Florida law firms have a specific risk profile that attackers know how to exploit:

  • High-value trust accounts. Wire fraud in real estate, immigration, and probate practices routinely costs six figures per incident.
  • Cross-border client data. LATAM clients, foreign-national matters, and offshore entities raise the regulatory complexity of any breach.
  • Heavy reliance on cloud practice management. Clio, NetDocuments, iManage, MyCase, Smokeball, PracticePanther — each is a target, and each requires a different security configuration.
  • High partner mobility. Laterals move firms with their books of business. Departing attorneys are a top-three insider data risk in legal.
  • Small-firm IT outsourcing. Many firms under 30 attorneys rely on break/fix IT or a generalist MSP that does not understand legal-specific risk. That gap is where breaches happen.

The result: a Miami law firm with 20 attorneys can be more exposed than a 200-person firm in another city — because the personal injury and immigration plaintiff’s bar in Florida specifically attracts business email compromise (BEC) and trust-account fraud at unusual rates.

The four Florida Bar duties, translated into technology

The Florida Bar Rules of Professional Conduct create four overlapping duties relevant to cybersecurity. Every firm’s program should be able to defend each one in writing.

Duty of competence

You cannot competently represent a client if you do not understand the technology you use to handle their matter. In 2026, “the technology I use” includes your practice management platform, your email security gateway, your endpoint protection, and your file-sharing tool. Competence is also why Florida’s technology CLE requirement exists.

Duty of diligence

Diligence means staying current — on threats, on patches, on vendor disclosures. The firm that has not patched its VPN appliance in six months is not diligent. The firm that uses end-of-life Windows 10 on a partner’s laptop in 2026 is not diligent.

Duty of confidentiality

The big one. Confidentiality means reasonable safeguards to prevent unauthorized access or disclosure. “Reasonable” is a moving target — what was reasonable in 2018 (a strong password) is no longer reasonable in 2026 (MFA, encryption, monitoring).

Duty to supervise

You are responsible for the actions and inactions of your nonlawyer staff and your vendors. That includes the contract paralegal in Hialeah, the e-discovery vendor in Atlanta, and the MSP that holds your admin credentials. Supervision is documented or it does not exist.

We map these four duties to specific technical controls during onboarding through our industry compliance practice — so partners can sign off on a security program their malpractice carrier and the Bar will both recognize.

The baseline controls every Miami firm needs in 2026

This is the minimum. Not the aspiration — the minimum.

Identity and access

  • MFA enforced on every system that touches client data. Microsoft 365, Google Workspace, practice management, document management, court e-filing portals, banking, and remote access.
  • Authenticator app or security key, not SMS. SMS codes are defeated by SIM-swap and by real-time phishing kits that relay the code, so SMS-based MFA is no longer considered reasonable for high-risk accounts; FIDO2 security keys and passkeys are the phishing-resistant option.
  • Conditional access policies that block legacy authentication (IMAP, POP3, SMTP AUTH and other basic-auth protocols, which authenticate with a bare password and cannot complete an MFA prompt, so they bypass it), untrusted devices, and risky sign-ins.
  • Privileged account separation. Admin credentials are never the same as daily-driver email credentials.

Endpoints

  • Full-disk encryption on every laptop, desktop, and tablet — verified, not assumed.
  • Modern EDR (endpoint detection and response). Traditional antivirus is not enough against current ransomware tradecraft.
  • Centralized patch management. Critical patches within 14 days for workstations, faster for internet-facing systems.
  • Mobile device management for any phone or tablet that accesses client email.

Email and BEC defense

This is where law firms lose the most money, by an order of magnitude over any other category. The fixes are well-understood:

  • Advanced phishing protection beyond the default Microsoft 365 license.
  • SPF, DKIM, and DMARC at enforcement — not just monitoring. A DMARC record with p=none only produces reports; receiving servers act on a forgery only once the policy is p=quarantine or p=reject, and the SPF record should end in -all rather than ~all.
  • Banner labels on external email so a partner can spot a spoofed counterpart immediately.
  • Out-of-band verification protocol for any wire transfer or trust account instruction. Voice confirmation on a known number. Always. No exceptions, including from name partners.

Our cybersecurity services team treats BEC defense as the single highest-ROI project for any Florida law firm. The math is simple: one prevented wire-fraud incident pays for years of program cost.

Data and document handling

  • Encrypted client portal for file exchange. Email attachments containing sensitive matter material are not acceptable as a default workflow.
  • Document management with audit logging. You need to be able to say who opened which document when.
  • Retention and disposition policies that align with Florida Bar, Florida Statutes, and any matter-specific rules.
  • Backups that are isolated from production credentials. Immutable, off-site, tested.

Network and remote work

  • Firewall with intrusion prevention and TLS inspection at the office.
  • Zero-trust remote access, not legacy VPN-only.
  • Segmented guest Wi-Fi that cannot reach the practice management network.
  • Cloud security posture management for Microsoft 365, especially around external sharing settings.

Practice management platforms: shared responsibility, not outsourced responsibility

Many firms assume that because they moved to Clio, NetDocuments, or iManage Cloud, security is “handled.” It is not.

The platform secures its infrastructure. You secure your configuration, your users, your access policies, and your integrations. The shared responsibility model in legal tech is real, and most breaches involving cloud practice management are misconfiguration, not platform compromise.

What we audit on every legal client engagement:

  • External sharing settings in document management — locked down to authenticated, time-bound links by default.
  • API and integration scopes — every third-party connector reviewed against least-privilege.
  • User provisioning and deprovisioning — when an attorney leaves, access dies on the same day, not three weeks later.
  • Logging and alerting — anomalous downloads, mass deletions, and unusual access patterns surface to someone who acts.
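An added example, not tooling from the original post or from any platform named above, that turns the last two audit items and the legacy-authentication item under Identity and access into running detections: sign-ins over protocols that cannot complete MFA, bulk downloads or deletions inside a short window, and any activity by an account that should already have been deprovisioned. The event fields (ts, user, action, client_app, item), the thresholds, the addresses and every sample event are this example's own constructed simplification; map them onto whatever your document management system or Microsoft 365 actually exports.

```python
"""Three detections over a document-management / sign-in audit export.

Added example, not the post's own tooling. The event fields (ts, user, action,
client_app, item), the thresholds and the sample events are this example's own
simplification; map them to whatever your DMS or Microsoft 365 actually exports.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Protocols that authenticate with a bare password and cannot complete an MFA prompt.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
BULK_THRESHOLD = 50                  # this many events by one user ...
BULK_WINDOW = timedelta(minutes=10)  # ... inside any window this long


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def legacy_auth_signins(events: list[dict]) -> list[dict]:
    """Sign-ins over protocols a conditional access policy should have blocked."""
    return [e for e in events
            if e["action"] == "UserLoggedIn" and e.get("client_app") in LEGACY_PROTOCOLS]


def bulk_activity(events, action, threshold=BULK_THRESHOLD, window=BULK_WINDOW) -> dict[str, int]:
    """Users whose `action` events reach `threshold` inside any sliding `window`.

    Returns {user: peak count}. Five downloads spread over an afternoon is normal
    work; sixty in five minutes is a lateral leaving with the book of business.
    """
    times_by_user: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e["action"] == action:
            times_by_user[e["user"]].append(_ts(e))
    flagged = {}
    for user, times in times_by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def post_offboarding_access(events, departed: dict[str, str]) -> list[dict]:
    """Any event by an account after the date its access should have been removed."""
    return [e for e in events
            if e["user"] in departed and _ts(e) > datetime.fromisoformat(departed[e["user"]])]


def run_all(events, departed) -> dict:
    return {
        "legacy_auth": [(e["user"], e["client_app"]) for e in legacy_auth_signins(events)],
        "bulk_download": bulk_activity(events, "FileDownloaded"),
        "bulk_delete": bulk_activity(events, "FileDeleted"),
        "post_offboarding": [(e["user"], e["action"], e["item"])
                             for e in post_offboarding_access(events, departed)],
    }


def build_sample() -> tuple[list[dict], dict[str, str]]:
    """Constructed audit events for a hypothetical firm; nothing here is real log data."""
    friday_4pm = datetime(2026, 3, 6, 16, 0)
    events: list[dict] = []

    def add(ts, user, action, client_app, item=""):
        events.append({"ts": ts.isoformat(), "user": user, "action": action,
                       "client_app": client_app, "item": item})

    # An associate reads a few files across the afternoon: normal work, spread out.
    for i in range(5):
        add(friday_4pm - timedelta(hours=3, minutes=-20 * i), "associate@brickell-example.com",
            "FileDownloaded", "Browser", f"Matter-1042/brief-v{i}.docx")
    # A lateral partner syncs 60 documents from one matter in five minutes.
    for i in range(60):
        add(friday_4pm + timedelta(seconds=5 * i), "lateral.partner@brickell-example.com",
            "FileDownloaded", "Sync client", f"Matter-0917/doc-{i:03d}.pdf")
    # A partner's mail client signs in over IMAP: the password alone was enough.
    add(friday_4pm + timedelta(minutes=12), "partner@brickell-example.com", "UserLoggedIn", "IMAP4")
    # A contract paralegal whose engagement ended 1 March still opens a settlement draft.
    add(datetime(2026, 3, 5, 9, 12), "temp.paralegal@brickell-example.com",
        "FileDownloaded", "Browser", "Matter-1042/settlement-draft.docx")
    departed = {"temp.paralegal@brickell-example.com": "2026-03-01T00:00:00"}
    return events, departed


if __name__ == "__main__":
    sample_events, sample_departed = build_sample()
    for rule, hits in run_all(sample_events, sample_departed).items():
        print(f"{rule}: {hits}")
```

The sliding window is the part worth keeping: a per-day count would miss a five-minute pull buried in a busy day, and a fixed ten-minute bucket would split one burst across two buckets. The departed-accounts list is the same roster HR hands to IT on an attorney's last day, so a hit on that rule is also a finding against the deprovisioning process, not only against the user.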

Vendor management: where the duty to supervise lives or dies

Your vendor list is longer than you think. A typical 25-attorney Miami firm has 30 to 60 vendors with some level of client data access — court reporters, e-discovery providers, contract attorneys, transcription services, expert witnesses, marketing agencies, the MSP, the printer-and-copier vendor that scans to email.

The supervision duty extends to all of them. Practical implementation:

  1. Inventory every vendor with access to client information. Categorize by data sensitivity.
  2. Require a written data processing agreement with each vendor, including breach notification timelines.
  3. Collect a security questionnaire or SOC 2 report annually for high-sensitivity vendors.
  4. Document the review. Date, reviewer, decision. The Florida Bar grievance process is not the time to discover you have no records.

Incident response: build it now, run it twice a year

Law firms that have a tested incident response plan recover faster, lose less money, and avoid the regulatory penalties that compound a breach. Firms that wing it usually end up in the bar journal.

The plan needs to be Florida-aware:

  • FIPA (Florida Information Protection Act, Fla. Stat. § 501.171) notification timelines: affected individuals within 30 days of determining that a breach occurred, and the Florida Department of Legal Affairs within the same 30 days when 500 or more Florida residents are affected.
  • Florida Bar reporting considerations — when does an incident rise to the level requiring self-disclosure?
  • Client notification scripts that protect privilege while satisfying ethical obligations.
  • Law enforcement contacts — FBI Miami field office, the FBI’s Internet Crime Complaint Center (IC3) for reporting a fraudulent wire the moment it is discovered, and local cyber-focused agencies.
  • Insurance and breach coach contacts with after-hours numbers.

Run a tabletop exercise twice a year. Not a fire drill — a structured conversation that walks the partner-in-charge, the IT lead, and outside counsel through three scenarios: ransomware on a Friday at 4 p.m., a stolen partner laptop in the airport, and a successful wire-fraud attempt against trust account funds. Document gaps. Fix them.

The 90-day program for firms starting from zero

If your firm is honest about where it stands and the answer is “not where we should be,” here is how the first 90 days look:

Days 1–30: assess and write down

  • Inventory systems, vendors, and data.
  • Map current controls against the Florida Bar duties.
  • Draft a written information security program (WISP).
  • Identify the top three to five immediate risks.

Days 31–60: fix the high-impact gaps

  • Enforce MFA everywhere.
  • Encrypt every endpoint.
  • Lock down email and deploy SPF/DKIM/DMARC.
  • Configure conditional access policies.
  • Document the wire-transfer verification protocol and train staff.

Days 61–90: operationalize

  • Deploy or upgrade EDR firm-wide.
  • Stand up centralized logging and alerting.
  • Run the first tabletop exercise.
  • Schedule the first phishing simulation campaign.
  • Brief partners on the WISP and obtain sign-off.

Firms that do not have the bandwidth to run this internally bring in our co-managed IT practice. We handle the cybersecurity stack, the documentation, and the Florida-specific compliance posture; the firm’s existing IT person (if there is one) keeps focus on day-to-day operations.

What “reasonable safeguards” looks like to a Bar grievance committee in 2026

The threshold has moved. Five years ago, “reasonable” might have meant antivirus and a strong password. In 2026, when a grievance hits a Florida Bar review committee, the questions they ask are sharper:

  • Did the firm have MFA on the compromised account?
  • Was the endpoint encrypted?
  • Was there a written security program?
  • Were users trained against phishing?
  • Was the vendor that introduced the breach reviewed and approved?
  • Did the firm have a tested incident response plan?

“We had antivirus” is not a defense. “We had a documented program, tested twice a year, supervised by leadership, and the breach happened despite reasonable safeguards” is.

When to bring in outside help

Most Miami law firms under 50 attorneys do not have a dedicated CISO, and they should not need one. What they need is a partner who understands the Florida Bar, the legal tech stack, and the specific threats to South Florida practices — and who will document the program in a way that survives a grievance, a malpractice claim, and a client security questionnaire.

That is what we do. We run cybersecurity programs for Miami law firms across litigation, immigration, real estate, healthcare regulatory, and commercial transactional practices. We hold the documentation. We run the tabletops. We pick up the phone at 11 p.m. on a Saturday when the partner’s laptop disappears from a hotel lobby.

If your firm has not had its security program independently reviewed in the last 12 months — or has never had one — get in touch for a free 30-minute assessment. We will tell you, honestly, where you stand against the 2026 baseline.

Your clients trust you with their secrets. Your job is to keep them. In 2026, that job is largely a cybersecurity job.
