Law firm turns its cybersecurity liability into a valuable asset


  • A boutique law firm with around 20 attorneys unexpectedly received a vendor security questionnaire from one of its largest clients.
  • The questions, which were focused on policies and procedures, network security, physical security and privacy practices, were difficult to understand and even harder to answer.
  • Although the questionnaire was completed and submitted by the deadline, there was a feeling of uneasiness. Going through this process made it abundantly clear to the law firm that their data security was not up to par.


  • A week after submitting the questionnaire, the law firm was notified by their client that they were terminating the relationship because they had failed the security assessment.
  • Losing this client would cost the firm several hundred thousand dollars per year.
  • The law firm realized they would soon be receiving more questionnaires from other clients as well since this was becoming a common practice.


  • The law firm asked TCDI to perform an assessment of both their policies and procedures as well as the security of their technical infrastructure so that the next time they were sent a questionnaire they would pass it with flying colors.
  • The first step of the project was for TCDI to perform its cybersecurity assessment that compared the law firm’s current policies and procedures to best practices and standards of NIST, ISO 27001, HIPAA/HITECH, and more. TCDI’s cybersecurity team worked closely with the client to identify what they were currently doing well as well as areas that needed to be addressed.  The team then compiled a list of prioritized findings and recommendations on how to enhance data privacy and compliance.
  • The next phase of the process focused on the security of the law firm’s technology through penetration testing. During the test, TCDI simulated a cyber-attack to see if it could hack into the firm’s computer systems.  Several vulnerabilities were quickly identified that would have allowed a hacker to easily gain access to the law firm network.  The penetration testing report including TCDI’s findings, recommendations, and prioritized action plan.
  • After completing the cybersecurity assessment, TCDI had identified several gaps in the law firm’s data privacy practices and technical environment
  • The law firm did not have personnel with the requisite skills to implement many of the recommendations so they utilized TCDI’s Chief Security Officer On-Demand service. TCDI worked closely with the client to help them patch the vulnerabilities identified in their systems.  In addition, they helped the client develop policies and procedures that should have already been in place (e.g. disaster recovery, incident response, privacy policies, etc.)
  • Shortly after TCDI and its client completed the remediation steps listed on the prioritized action plan, the law firm received another questionnaire from a different client. This time, the client was prepared for it and passed the test with flying colors.