← The Craftwork Group  ·  Blog

law firm security checklist

Law Firm Security Checklist: PNW Guide

By Nina Forsythe · The Craftwork Group · Published 2026-06-11

A law firm security checklist is not a policy document. It is a set of controls you can prove are operating, because that is what a bar inquiry, a malpractice carrier, or a client security questionnaire will ask you to demonstrate.

What should a law firm owner actually check first?

Start with the things that fail quietly. A control that exists on paper and not in operation is the one that breaks when an incident or a questionnaire stresses it. Run these in order. Each item ends with what counts as evidence, not what counts as a yes.

• Multi-factor authentication, enforced. Log into your email and your practice management system from a device you have never used. If you get in with only a password, MFA is not enforced. Enabled and enforced are different words. The evidence is an admin screen showing MFA required for all users, with no opt-out path in the enrollment flow.

• Who can open client files. Ask for a current list of every person with access to your document system, and the date someone last reviewed it. If the answer is "everyone" or "I'd have to check," that is the finding. The evidence is a dated access review, by name, ideally quarterly.

• Departed staff. Pick the last person who left the firm. Confirm their account is disabled, not just "we changed the password." The evidence is a deactivation record with a date that matches their departure, not months later.

• Backups that have been restored. Backups existing is not the control. Backups that restore is the control. Ask when someone last pulled a file back from backup and confirmed it opened. If the answer is a year ago or never, you have storage, not recovery. The evidence is a test restore log with a date.

• Encryption on laptops and phones. Any device that touches client matters should be encrypted at rest. The evidence is a device report showing encryption status per machine, not a verbal "I think they are."

• A documented incident response contact list. Not a thirty-page plan. One page that names who gets called first, in what order, when a laptop is lost or an account is breached. The evidence is not that the document exists. It is that the person named on it can confirm they are named on it and knows what they are supposed to do. If they are surprised when you ask, the control is not operating.

Why does the paper version fail a review?

Because a review asks a different question than the binder answers. A binder describes intent. A review asks for evidence of operation. I keep seeing Pacific Northwest firms that consider themselves covered because a vendor wrote them a security policy that nobody currently employed has read. That document is not nothing. But it is a description of controls, and a description is not the control.

The distinction that matters most for a law firm:

• Documentation says "we enforce MFA."
• Evidence is the admin screen, dated, showing it enforced for every account.

One survives a malpractice carrier's questionnaire and a client's vendor review. The other survives until someone asks to see it work. Your ethical obligation around client confidentiality lives in the operating reality, not the paper that is supposed to describe it.

What is the right order of operations if I can only do a few things this quarter?

I am not an auditor, and nothing here attests your compliance. What I am is a specialist who has been doing this work since the late 1990s, building posture and the evidence trail that supports it. If you can only close three gaps this quarter, close these. They are the simplest to verify yourself and produce evidence the same day you act on them.

• Enforce MFA on email and your practice management system. No opt-out.
• Run one access review and write down the date.
• Restore one file from backup and confirm it opened.

None of these requires a consultant to start. They require an owner willing to test the thing instead of assuming the thing.

There is more that a firm handling sensitive matters should build toward. We describe the broader picture for legal practices on our law firms page and the full range of what we do at our services page. But the checklist above is what you can act on without us.

What do your results from this checklist actually mean?

Run the six items. Some will pass. Some will turn out to be paper. The list you end up with is not a grade. It is a map of where your posture and your documentation disagree. The decision in front of you is whether you close those gaps before the next client questionnaire or carrier renewal, or after.

Posture, not paper. If you want a second set of eyes on what your evidence actually shows, reach out and we will start with the six.