
Privilege doesn't end where your IT begins.

No single cyber-law names law firms — but the duty of confidentiality is close to absolute, the data is a prime target, and clients and insurers now demand proof. We keep privileged data under EU control, out of external processors, with the security evidence that wins work.

Law firms and professional-services firms hold some of the most sensitive data anywhere — privileged, confidential client material — yet no single cyber-statute targets them the way DORA targets finance, which can mask how demanding their real obligations are. The duties that bind are the near-absolute professional duty of confidentiality and legal privilege, GDPR controller liability for client data, and the security conditions clients and cyber-insurers increasingly impose. The failure mode is the same one that hit healthcare: confidential data lost through external processors and ransomware. Argus Root runs legal IT so that privileged data stays under your control inside the EU, defended against the attacks that target it, with the evidence clients and insurers now require.

In short

  • No dedicated cyber-law for law firms — but the duty of confidentiality and legal privilege is close to absolute and regulator-enforced.
  • GDPR applies fully — client files are personal, often special-category data, and the firm is the controller, liable even when a processor is breached.
  • Law firms are a deliberate ransomware target: concentrated, high-value confidential data makes a breach a confidentiality crisis, not just downtime.
  • Clients send security questionnaires and cyber-insurers require controls (MFA, tested backups, ISO 27001) — one posture serves client, insurer and risk.
  • The answer mirrors healthcare: EU-sovereign infrastructure, privileged data out of external processors and under your control.

What rules actually bind a law firm's IT?

The absence of a single named statute is itself a trap. Because there is no DORA or NIS2 written specifically for private legal practice — the judiciary sits outside NIS2, and law firms are not designated essential entities — it is easy to assume the security bar is low. It is not; it is set by several overlapping duties that, taken together, are exacting. The first and heaviest is the professional duty of confidentiality and legal privilege, which is close to absolute, owed to the client, and enforced by the bar or professional regulator. A confidentiality failure is not merely a data incident; it strikes at the core of what a firm is.

On top of that sits GDPR, which applies in full because client matters are saturated with personal data and frequently with special-category data, and the firm is the controller, carrying liability even when a processor causes the breach. And increasingly the bar is set commercially as well as legally: corporate clients impose security requirements through their engagement terms and due-diligence questionnaires, and cyber-insurers impose controls as conditions of cover. The result is that a law firm's IT is heavily obligated despite no single law saying so — and a firm that mistakes the lack of a named statute for the lack of a duty is exposed on every one of these fronts at once.

Why are law firms a target, and where does the data leak?

Law firms concentrate precisely what an attacker most wants to steal or ransom: confidential, high-value client information whose exposure is acutely damaging — and they have, as a sector, historically invested in security below the sensitivity of what they hold. That makes them a deliberate target rather than incidental collateral. And as in healthcare, the data that leaks tends not to leak through the firm being breached directly so much as through the external systems it has entrusted with the data: document platforms, cloud services and software vendors operated outside the firm's control. Every such processor is another place privileged material can be exposed, and another jurisdiction it can be reached from.

[Diagram: "The duties that bind" (confidentiality / privilege, absolute; GDPR, controller liability; client security requirements; cyber-insurance conditions) and "Privileged matter data: two paths" (inside your EU estate: privileged data under your control, operated by an EU entity, confidentiality preserved, no added exposure; out to an external processor, document platform or foreign-controlled cloud: added confidentiality surface, added jurisdiction, added breach path). Caption: No statute names it, but the duty of confidentiality is absolute anyway.]
Four duties bind a firm even with no single cyber-law to point to. And privileged data follows one of two paths: kept inside an EU estate you control, where confidentiality holds, or sent out to an external processor, which is where confidential legal data is typically lost.

The conclusion is the same one healthcare reached, and it reframes the security problem from monitoring to architecture. The most effective protection for privileged data is not another layer of alerting on top of an external platform but keeping the data off that platform in the first place — under the firm's control, inside the EU, with the processors that would otherwise hold it removed from the path wherever they are not essential. Confidentiality, engineered this way, becomes a property of where the data lives rather than a promise made about a system someone else runs.

Does privilege survive a third-party processor?

The privilege itself, as a legal status, does not simply vanish because data moved to a vendor — but the confidentiality that privilege rests on can be hollowed out the moment privileged material sits in a system the firm does not control. Privileged data held on a platform operated under foreign jurisdiction is exposed to legal demands served on that provider, regardless of the firm's wishes, and each additional processor in the chain is one more place the data can be breached, subpoenaed or mishandled. The protection privilege is supposed to give the client is only as strong as the confidentiality of the systems the data actually lives in.

So the practical answer is to keep privileged data where you control it. We run the infrastructure holding matter data inside the EU, operated by an EU entity, with external processors stripped from the privileged path wherever they are not essential, so the data stays under your control and out of reach of foreign compulsion. The check below is the kind we run to establish that posture — where the data lives, who can compel access, and whether the evidence a client or insurer will ask for is ready.

We keep:

  • Privileged data in the EU
  • External processors removed
  • Ransomware defence
  • Tested backups
  • ISO 27001 evidence
  • Under your control

Meeting client security questionnaires and cyber-insurance.

Two commercial forces now set the security bar for firms as firmly as any regulator. Corporate clients send detailed security questionnaires before instructing, because their own compliance obligations flow down to their advisers, and a weak or evasive answer increasingly costs the firm the work. Cyber-insurers, in parallel, require specific controls — multi-factor authentication, tested backups, endpoint protection, patch discipline — as conditions of cover, and price premiums against the posture they find. Between them, security has become a commercial gate, not just a risk-management nicety.

The useful thing is that one well-run posture answers all three demands at once. The controls that satisfy a cyber-insurer are the same ones that let a firm answer a client questionnaire with evidence rather than assurances, and the same ones that actually reduce the risk of a breach. A recognised certification such as ISO 27001, mapped controls and an EU data posture turn the security conversation from a defensive scramble into a competitive advantage — a reason corporate clients choose the firm and insurers price it favourably. We build that posture and supply the evidence behind it, so the questionnaire and the renewal are routine rather than fire drills.

What we run for legal and professional services.

We bring the relevant services together into one confidential, sovereign estate rather than selling them piecemeal. The foundation is EU-operated managed cloud and infrastructure where the privileged data paths stay under your control, with the security hardened and the ransomware defences that the threat actually warrants delivered through our managed security and vulnerability management practices. Continuity — which for a firm facing court deadlines is not optional — is engineered in through backup and disaster recovery, with restores that are tested rather than assumed.

Around that core we supply the evidence the commercial world now demands, tied to your obligations through our compliance and sovereignty practice, so a client questionnaire or an insurer's renewal is answered with mapped controls and an EU posture rather than hopeful prose. We integrate with the practice-management and document systems your firm runs on rather than replacing them, keep the confidential data inside infrastructure you control, and sequence every change so client work is never the experiment. The result is a firm whose confidentiality duty is honoured in the architecture, not just in the engagement letter.

Confidential by design, because privilege is absolute.

A firm's entire value rests on clients trusting it with their secrets, which makes confidentiality less a compliance line item than the thing being sold. Honouring that duty technically means refusing to let privileged data drift into systems the firm cannot see or control, because a duty that is absolute in the engagement letter cannot be conditional in the infrastructure. The lack of a statute named after law firms does not soften the obligation; it only means the firm, rather than a regulator, has to be the one that takes it seriously.

We run legal IT on that premise. The infrastructure is operated inside the EU on open foundations, with no resale layer and no default path to a foreign platform, the privileged data stays under your control, and the security evidence clients and insurers ask for is ready rather than improvised. It is the same principle behind everything Argus runs — a European operator that builds and runs the thing itself and tells you the truth about it — applied to the sector where confidentiality is not one obligation among many but the foundation the whole practice stands on.

Questions legal buyers ask.

What rules govern a law firm's IT security?
There is no single cyber-statute aimed at law firms the way DORA targets finance, which can give a false sense of being unregulated. In practice several duties bind firmly: the professional duty of confidentiality and legal privilege, which is close to absolute and enforced by the bar or regulator; GDPR, since client files are full of personal and often special-category data and the firm is the controller; and increasingly the security conditions written into client engagement terms and cyber-insurance policies. The obligation is real and demanding even though no one law spells it out.
Does legal privilege survive a third-party processor?
The privilege itself is a legal status that does not evaporate, but the confidentiality that underpins it can be compromised the moment privileged data sits in a system you do not control. Privileged matter data held on a platform operated under foreign jurisdiction is exposed to legal demands made on that provider, and every external processor in the path is another place the data can be breached. Keeping privileged data on infrastructure under your control inside the EU is how you keep the confidentiality that privilege depends on intact.
Why are law firms a target for ransomware?
Because they concentrate exactly what attackers want: highly confidential, high-value client information whose exposure is acutely damaging, held by organisations that have historically under-invested in security relative to the sensitivity of the data. A breach at a firm does not just disrupt operations; it threatens client confidentiality, the firm's professional standing and its regulatory position all at once. That combination makes legal and professional-services firms a deliberate target rather than collateral, and makes ransomware defence a confidentiality issue, not only an availability one.
What is a client security questionnaire, and why does it matter?
It is the due-diligence assessment that corporate clients increasingly send before instructing a firm, asking detailed questions about its security controls, data handling and certifications. A weak or evasive response now costs firms work, because the client's own compliance obligations flow down to their advisers. A firm that can answer with evidence — mapped controls, an EU data posture, a recognised certification such as ISO 27001 — turns security from a liability into a reason to be chosen. We provide the controls and the evidence behind that answer.
How does cyber-insurance affect our IT requirements?
Significantly. Cyber-insurers now require specific controls — multi-factor authentication, tested backups, endpoint protection, patch discipline — as conditions of cover, and they price premiums against the security posture they find. Weak controls mean higher premiums, narrower cover, or refusal. A demonstrable, well-run security posture does the opposite, and the same controls that satisfy an insurer satisfy a client questionnaire and reduce real risk, so the work is not duplicated effort but one posture serving three purposes.
Can you keep our privileged data inside the EU?
Yes, and for privileged data it is the right design. We run the infrastructure that holds your matter data inside the EU, operated by an EU entity, with the external processors that would otherwise hold privileged material removed from the path where they are not essential. That keeps the data under your control and out of reach of foreign legal compulsion, which is the practical meaning of protecting confidentiality at the IT boundary rather than assuming it stops at the office door.
Do you work with our practice-management and document systems?
Yes. The aim is not to replace the document-management or practice-management systems your firm runs on but to put a sovereign, secure foundation under them and to keep the confidential data paths inside infrastructure you control. We integrate with what you use, harden it, make the backups real and tested, and sequence any change so that client work and court deadlines are never the thing being experimented on. Confidentiality and continuity are treated as the constraints, not the variables.
Why run legal IT with an EU operator like Argus Root?
Because the duty of confidentiality is close to absolute, and the way to honour it technically is to keep privileged data under your control rather than scattered across processors you cannot see. We run the infrastructure ourselves inside the EU, on open foundations, with no resale layer and no default path to a foreign platform, and we give you the security evidence clients and insurers ask for. For a firm whose entire value rests on clients trusting it with their secrets, that is the difference between confidentiality as a promise and confidentiality as an engineered fact.

Make confidentiality a property of your infrastructure.

Tell us what you run and where matter data flows, and we will show you where an external processor is widening your confidentiality surface, what it takes to keep privileged data under EU control, and how to answer the next client questionnaire and insurance renewal with evidence. You get a clear picture of the exposure and the posture, before any commitment.