The Evergreen Cyber Playbook for Law Firms: 12 Non‑Negotiables to Protect Client Confidentiality

Executive Summary (save-worthy): If you touch sensitive client data, you have an ethical duty to take reasonable protective measures - period. This article outlines 12 controls every firm can implement in the next 90 days to meet that duty in a practical, repeatable way. Nothing here is time‑locked; it’s core hygiene that stays relevant.

Plain‑English promise: No jargon, no scare tactics - just a checklist your partners, admins, and IT can all agree on.

1) Phishing‑Resistant MFA on Everything

Why it matters: Passwords alone don’t stand up to modern scams. MFA blocks account takeovers; phishing‑resistant MFA (e.g., security keys) blocks most phishing‑based bypasses.
What good looks like: Enforce MFA for email, case systems, remote access, file sharing, e‑billing, and admin portals. Prefer security keys or an authenticator app such as Microsoft Authenticator; if you must use push‑based MFA, turn on number matching where available as a cross‑check.

2) Password Manager + SSO

Why it matters: Reused or weak passwords are still the #1 way attackers get in.
What good looks like: Firm‑wide password manager with shared vaults; SSO for major apps; admin‑level controls and offboarding procedures.

3) Device Encryption, MDM, and Auto‑Lock

Why it matters: Lost/stolen laptops and phones are still the easiest way to suffer a data breach.
What good looks like: Full‑disk encryption (Windows BitLocker, macOS FileVault, iOS/Android native), mobile device management (MDM), screen auto‑lock in minutes, remote wipe.

4) Secure Client Communication

Why it matters: You must safeguard client confidentiality - especially in transit.
What good looks like: Email encryption available for sensitive matters, secure client portal for large files, and a simple decision tree: email, encrypted email, or portal?

5) Least Privilege and Admin Hygiene

Why it matters: Too much access turns small mistakes into big incidents.
What good looks like: Role‑based access, just‑in‑time admin privileges, separate admin accounts, and quarterly access reviews.

6) Patch & Configuration Management

Why it matters: Most breaches still involve unpatched or misconfigured systems.
What good looks like: Centralized patching with deadlines; secure baselines (CIS Benchmarks); automated configuration drift alerts; routine vulnerability scans.

7) Endpoint Protection (EDR) + Logging

Why it matters: Modern threats evade traditional antivirus.
What good looks like: Endpoint Detection & Response (EDR) across all devices, plus centralized logging with alerts on privilege misuse, new admin creation, or unusual data access.
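Added example (not from the article or LI Tech Advisors): a small Python detector that runs over constructed Windows Security event records and raises the "new admin creation" alert described above. Event IDs 4720 (account created) and 4728/4732/4756 (member added to a security‑enabled group) are the real Windows IDs; the sample records, the privileged‑group list and the business‑hours window are assumptions to tune to your own environment.

```python
import json

# Constructed sample of exported Windows Security events (one JSON object per line); not real logs.
SAMPLE_EVENTS = """
{"EventID": 4624, "TimeCreated": "2024-05-06T09:01:02Z", "SubjectUserName": "jdoe", "TargetUserName": "jdoe"}
{"EventID": 4720, "TimeCreated": "2024-05-06T09:03:10Z", "SubjectUserName": "itadmin", "TargetUserName": "svc-backup"}
{"EventID": 4732, "TimeCreated": "2024-05-06T09:03:15Z", "SubjectUserName": "itadmin", "MemberName": "CN=svc-backup,OU=Service,DC=firm,DC=local", "TargetUserName": "Administrators"}
{"EventID": 4732, "TimeCreated": "2024-05-06T09:10:00Z", "SubjectUserName": "jdoe", "MemberName": "CN=jdoe,OU=Users,DC=firm,DC=local", "TargetUserName": "Remote Desktop Users"}
{"EventID": 4728, "TimeCreated": "2024-05-06T23:47:00Z", "SubjectUserName": "jdoe", "MemberName": "CN=jdoe,OU=Users,DC=firm,DC=local", "TargetUserName": "Domain Admins"}
"""

# Assumed tuning values: replace with the firm's own group names and working hours.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to a global / local / universal security group
ACCOUNT_CREATED = 4720
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 on the clock of the TimeCreated field (UTC here)

def parse_events(text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def member_cn(dn):
    """Reduce a distinguished name like 'CN=jdoe,OU=Users,...' to the account name 'jdoe'."""
    first = dn.split(",")[0]
    return first.split("=", 1)[1] if "=" in first else first

def detect_admin_changes(events):
    """Alert on every addition to a privileged group; escalate to critical when the actor
    elevates themself, acts outside business hours, or elevates an account created in the same export."""
    created = {e.get("TargetUserName") for e in events if e.get("EventID") == ACCOUNT_CREATED}
    alerts = []
    for ev in events:
        if ev.get("EventID") not in GROUP_ADD_EVENTS:
            continue
        group = ev.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue
        actor = ev.get("SubjectUserName", "")
        member = member_cn(ev.get("MemberName", ""))
        hour = int(ev["TimeCreated"][11:13])
        flags = []
        if actor == member:
            flags.append("self-elevation")
        if hour not in BUSINESS_HOURS:
            flags.append("outside business hours")
        if member in created:
            flags.append("newly created account")
        alerts.append({"time": ev["TimeCreated"], "severity": "critical" if flags else "high",
                       "summary": f"{actor} added {member} to {group}", "flags": flags})
    return alerts
```

On the sample above the detector ignores the ordinary logon and the Remote Desktop Users change and produces two critical alerts: a freshly created service account placed in Administrators, and a user adding themself to Domain Admins late at night.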

8) Backups that Actually Restore (and are Offline)

Why it matters: Ransomware targets backups first.
What good looks like: Immutable, offline or logically air‑gapped backups; encryption; frequent restore tests; recovery time objectives agreed with practice leaders.

9) Security Awareness + Phishing Drills

Why it matters: People are your biggest risk and your biggest control.
What good looks like: Quarterly, role‑based training (attorneys, staff, IT); monthly micro‑lessons; realistic phishing simulations with coaching - not shaming.

10) Vendor & SaaS Risk Management

Why it matters: Your risk extends to e‑discovery, cloud storage, transcription, and AI tools.
What good looks like: A short vendor questionnaire, security addendum, and data‑processing agreement; minimums: MFA, encryption, logging, breach notice timeline, data return/delete.

11) Incident Response + Client Notification Plan

Why it matters: When - not if - something happens, your response must be fast and ethical.
What good looks like: Named response team (legal, IT, PR, insurance), tabletop exercises twice a year, outside counsel and forensics on standby, draft client notifications ready to customize.

12) Remote/Hybrid Practice Done Right

Why it matters: Home and travel expand your attack surface.
What good looks like: VPN or zero‑trust access, encrypted devices only, private workspaces for calls, printed‑document rules, and camera/mic hygiene.

Governance You Can Point To (for managing partners & GC)

  • Use a framework: NIST Cybersecurity Framework + CIS Critical Security Controls keep your program aligned and auditable.
  • Map to ethics: Tie policies and controls back to your firm’s duty to protect confidential client information.
  • Measure what matters: Track closed gaps, phishing‑report rate, time‑to‑patch, MFA coverage, restore success rate, and vendor reviews completed.

For New York Law Firms (practical note)

Even if you’re not a regulated financial entity, New York’s SHIELD Act expects reasonable administrative, technical, and physical safeguards for any business that holds private information of NY residents. Build these safeguards into your baseline; they align well with the controls above.

AI for Law Firms: Adopt With Confidence (and Ethics)

Why now: Clients expect faster turnarounds and cost transparency. AI helps reduce repetitive drafting and research time - but only when deployed with confidentiality, accuracy, and governance in mind.

Guardrails first (evergreen):

- Confidentiality: Do not place client/matter data into public tools. Use tenant‑controlled, zero‑retention platforms with SSO/MFA, DLP, and encryption. Apply NDAs/DPAs with vendors.

- Competence & supervision: Require human review of all outputs, verify citations, and disclose AI assistance in billing where required by your jurisdiction/engagement terms.

- Records & accountability: Log prompts/responses used in client work, track versions, and keep data provenance.

- Bias & accuracy: Treat AI like a junior researcher - use it to accelerate, not to decide. Validate facts; capture sources.

Practical use cases (safe starters):

- First drafts of routine documents (engagement letters, memos, discovery requests) using firm templates.

- Summaries of depositions/hearings/long PDFs; creation of timelines and chronologies.

- Contract/lease clause extraction with risk flags for attorney review.

- E‑discovery triage and suggested PII/PHI redactions (final human verification required).

- Intake triage and conflicts‑check assistance within strict privacy boundaries.

- Time‑entry narratives from calendars/emails to improve billing accuracy.

90‑day AI adoption plan:

- Days 0–14: Select three high‑value use cases. Approve an AI policy. Choose an enterprise/private AI platform. Turn on logging and access controls. Train a pilot team.

- Days 15–45: Integrate with DMS/email where appropriate, convert best‑practice templates into AI‑ready prompts, run red‑team tests, and define metrics (time saved per task, accuracy rate, user satisfaction).

- Days 46–90: Expand training, review results in your QBR, perform vendor‑risk checks, and scale to a second practice group with measured ROI.

How LI Tech Advisors helps: We’re experts in AI‑enhanced business intelligence and legal workflows. We deliver an AI Readiness & Governance Assessment, provide policy/tooling templates, implement secure, tenant‑controlled AI, design workflows and prompt libraries, train attorneys/staff, and instrument dashboards that show real ROI (time saved, accuracy, adoption).

A 90‑Day Adoption Plan (you can start Monday)

Days 0–14
- Turn on phishing‑resistant MFA (start with partners/admins).
- Inventory devices/apps; enable encryption + MDM.
- Stand up secure file exchange and a “when to use what” guide.

Days 15–45
- Patch/Config sprint: close critical gaps; set auto‑patch windows.
- Deploy EDR; enable centralized logging.
- Launch quarterly training and first phishing drill.

Days 46–90
- Offline/immutable backup in place; test a restore.
- Vendor review on top 10 apps; add security addendum.
- Run an incident‑response tabletop; finalize notification templates.

Outcome: a lightweight security program your partners can sign, not just admire.

What LI Tech Advisors Does for Law Firms

  • Fractional CIO: Strategy, policy, and QBRs tied to business outcomes.
  • AI Adoption & AI‑Enhanced BI: Readiness assessments, policy/tooling, secure private AI deployment, workflow design, training, and ROI dashboards.
  • Technology Alignment: Standards reviews, patch/asset hygiene, and secure baselines.
  • Centralized Services: EDR, backups, logging, automation, documentation.
  • Support: Fast help with an emphasis on preventing repeat issues.
  • Compliance: We handle light assessments and operationalize day‑to‑day controls; for formal certifications or advanced frameworks, we coordinate trusted specialist partners and maintain the technology, people, and processes that sustain

Want a quick win? Book a 20‑minute Legal Tech Risk Baseline. You’ll leave with your risk grade, top 5 fixes, and a 90‑day action plan.