
Does Your Law Firm Meet LSO Cybersecurity Requirements? | 2026 Guide

The Law Society of Ontario requires lawyers to take “reasonable steps” to protect client confidentiality, including the technology systems that store and transmit client information. There is no LSO cybersecurity certification or pass/fail checklist. Instead, the LSO’s Rules of Professional Conduct (Rule 3.3-1), Technology Guideline, and Cybersecurity Checklist create a standard that is judged after a breach occurs, based on what controls were actually in place, not what was planned. For most Ontario law firms using Microsoft 365 or Google Workspace, meeting this standard requires identity management, device controls, and conditional access policies that go beyond basic MFA.

If you’re managing a small law firm in Ontario, cybersecurity probably isn’t the first thing on your mind every morning. You’re focused on clients, cases, court dates, and running a practice. Security is one of a hundred things competing for your attention.

But here’s the reality: the LSO holds you personally accountable for protecting client information, including how your technology handles that information. And what constituted “reasonable steps” five years ago doesn’t meet the standard today.

According to the Ontario Bar Association’s 2026 cybersecurity report for legal practices, up to 40% of law firms experienced a cyber breach in 2024 (OBA, 2026). The ABA’s 2024 Cybersecurity TechReport found 36% of firms reported a security incident in the past year (ABA, 2024). Law firms are targeted specifically because they hold highly sensitive client information and often lack the security infrastructure of larger organizations.

This post explains what the LSO actually requires, how those requirements translate to specific technology controls, and where most small firms have gaps they don’t know about.

The infographic below summarizes the Law Society of Ontario cybersecurity guidelines as they apply to Microsoft 365; the sections that follow explain each point in detail.

Is Your Firm’s Security Meeting the LSO Standard?

The Law Society of Ontario requires “reasonable steps” to protect client confidentiality. Here’s what that looks like in practice.

Most Ontario law firms have MFA turned on. That’s a start, but it’s not identity management, and it’s no longer enough.
The Gap: What Most Firms Have

M365 Business Standard • Entra ID Free
• MFA as an all-or-nothing switch (security defaults)
• No control over which devices access client data
• No ability to block sign-ins from unusual locations
• Manual account removal when staff leave (easy to miss)
• No visibility into risky sign-in attempts
• No device encryption enforcement
• No remote wipe if a laptop is lost or stolen

A compromised password plus a personal device plus coffee-shop Wi-Fi equals access to your client files. MFA alone doesn’t stop modern attacks that intercept the MFA token itself.

The Standard: What the LSO Expects

M365 Business Premium • Entra ID P1 + Intune
• Conditional access: MFA + managed device + location + real-time risk checks
• Only verified, encrypted devices can access firm data
• Suspicious sign-ins blocked automatically
• Centralized access control with immediate revocation
• Full audit trail of who accessed what, when, from where
• Remote wipe capability for lost or stolen devices
• Device compliance enforcement (encryption, patching, screen lock)

Even if a password is compromised, the attacker still needs the right device, the right location, and to pass real-time risk assessment. Most don’t get past step one.

It’s the Same Microsoft 365 You Already Use

This isn’t a new platform. It’s unlocking the security layer already built into Microsoft 365 Business Premium. Moving from Business Standard to Business Premium is roughly $10 per user per month. The difference in security capability is enormous.

“Reasonable steps” is judged after a breach, by what was in place, not what was planned.


What the LSO Actually Requires

The LSO’s cybersecurity expectations come from three sources, each with a different level of authority.

Rule 3.3-1 of the Rules of Professional Conduct is a binding obligation. It requires lawyers to hold in strict confidence all information concerning the business and affairs of the client. This isn’t a suggestion. Failure to protect client confidentiality can result in disciplinary action.

The LSO Technology Guideline sits below the Rules of Professional Conduct. It outlines when technology use is mandatory, when it’s recommended, and reminds lawyers to address security, disaster management, and technological obsolescence. The Technology Guideline calls on lawyers to adopt adequate measures to protect against security threats and to develop practices that offer reasonable protection against inadvertent disclosure of confidential communications. It’s guidance, not a rule, but it establishes the standard against which your decisions would be evaluated.

The LSO Cybersecurity Checklist is the most specific published guidance. It calls for strong unique passwords, multi-factor authentication wherever possible, access limited to what professional obligations permit, regular access reviews for former employees and inactive accounts, device encryption, software patching, firewalls, VPNs, vendor vetting against Canadian privacy standards, automated backups, team training, and an incident response plan.

Together, these three sources create a clear expectation: you must take reasonable, current steps to protect client information using appropriate technology. The standard evolves as threats evolve.

Why “Reasonable Steps” Is a Harder Standard Than It Sounds

“Reasonable steps” sounds flexible. It is. But that flexibility works against you, not for you.

The standard isn’t evaluated when everything is going well. It’s evaluated after a breach, when a client complains, when an insurer investigates, or when the LSO reviews your conduct. At that point, the question becomes: given what was available and what was known about current threats, were your security controls adequate?

A law firm that had MFA turned on, conditional access policies enforced, devices encrypted and managed, and an incident response plan documented is in a fundamentally different position than a firm that relied on passwords and hoped for the best.

The OBA’s cybersecurity report positions cybersecurity not as an optional add-on but as an integral part of modern legal practice management, advocating for a layered defense strategy combining technical controls, policies, training, incident preparedness, and insurance (OBA, 2026).

How the LSO Checklist Translates to Technology Controls

The LSO Cybersecurity Checklist maps directly to specific technology capabilities. Here’s what each requirement actually demands from your systems.

“Require strong unique passwords and use MFA wherever possible.” At minimum, this means multi-factor authentication on every account that accesses client data. But MFA alone isn’t enough anymore. Modern attacks (called adversary-in-the-middle, or AiTM attacks) can intercept MFA tokens in real time. Conditional access policies add layers beyond MFA: they verify the device is managed, check the sign-in location, assess real-time risk, and block suspicious attempts even when the password and MFA token are correct. We’ve seen this consistently across client environments. Conditional access is why none of our clients have lost data to an AiTM attack.
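The kind of conditional access policy described above, as an added example that is not code from the original post or from TUCU. It uses Microsoft Graph PowerShell to create two policies: MFA and an Intune-compliant device for every user and app, and a block on sign-ins from outside Canada. It assumes an Entra ID P1 tenant (Business Premium or EMS E3), the Microsoft.Graph.Identity.SignIns module, and an existing emergency-access group; the group and policy names are placeholders.

```powershell
# Added example, not code from the original post or from TUCU. Creates the two
# conditional access policies the text describes via Microsoft Graph PowerShell.
# Needs Entra ID P1 (Business Premium or EMS E3) and the
# Microsoft.Graph.Identity.SignIns module. Group and policy names are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Emergency-access (break-glass) group, excluded from every policy so that a
# misconfigured rule cannot lock every admin out. Placeholder group name.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-BreakGlass-Exclude'"
$allUsersExceptBreakGlass = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
$allApps = @{ includeApplications = @("All") }

# Named location covering Canada; unknown countries are NOT counted as inside it.
$canada = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Canada"
    countriesAndRegions               = @("CA")
    includeUnknownCountriesAndRegions = $false
}

# Policy 1: password + MFA alone is not enough. The sign-in must also come from
# a device Intune reports as compliant (encryption, patching and screen lock are
# defined in the Intune compliance policy). A session captured by an AiTM
# phishing proxy fails here: the attacker's machine is not an enrolled,
# compliant device. Created in report-only mode first, enforced after review.
$requireMfaAndDevice = @{
    displayName   = "LSO-01 Require MFA and compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $allUsersExceptBreakGlass
        applications   = $allApps
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}

# Policy 2: block outright when the sign-in location is not inside Canada.
$blockOutsideCanada = @{
    displayName   = "LSO-02 Block sign-ins from outside Canada"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $allUsersExceptBreakGlass
        applications   = $allApps
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($canada.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($p in @($requireMfaAndDevice, $blockOutsideCanada)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}
# After reviewing the report-only results in the sign-in logs, switch each policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled
```

Leave both policies in report-only mode for a week and check the sign-in logs for legitimate users who would have been blocked (a lawyer travelling, an unenrolled device) before enforcing.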

“Grant access to sensitive data only where permitted.” This requires role-based access control, not just user accounts. It means defining who can access what, enforcing those boundaries through policy, and having an audit trail showing who accessed client files and when. In Microsoft 365, this is managed through Entra ID roles, sensitivity labels, and access policies.

“Regularly review and revoke access for former employees and inactive accounts.” Manual processes for offboarding are unreliable. A centralized identity management system lets you revoke all access, including email, file sharing, cloud applications, and device access, from one place in minutes. Without centralized identity management, forgotten accounts are the norm, and each one is an open door.
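One way to run the scheduled access review this paragraph calls for, as an added example that is not code from the original post or from TUCU. It lists enabled member accounts with no sign-in in the last 90 days, writes the review to a CSV as evidence, and only disables the accounts and revokes their sessions when run with -Enforce. It assumes Entra ID P1 (required to read sign-in activity) and the Microsoft.Graph.Users module; the file name and parameter names are the example's own.

```powershell
# Added example, not code from the original post or from TUCU: a scheduled
# access review with Microsoft Graph PowerShell. Reading signInActivity
# needs Entra ID P1. Dry run by default; pass -Enforce to act.
param([switch]$Enforce, [int]$InactiveDays = 90)

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "User.ReadWrite.All", "User.RevokeSessions.All"

$cutoff = (Get-Date).AddDays(-$InactiveDays).ToUniversalTime()

# Pull every user with its sign-in activity, then filter locally (small firm,
# small directory). Guests and already-disabled accounts are skipped.
$stale = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, UserType, CreatedDateTime, SignInActivity |
    Where-Object {
        $last = $_.SignInActivity.LastSignInDateTime
        $_.AccountEnabled -and $_.UserType -eq "Member" -and (
            # Never-signed-in accounts count as stale once they are older than the cutoff
            (-not $last -and $_.CreatedDateTime -lt $cutoff) -or ($last -and $last -lt $cutoff)
        )
    }

# Keep the review itself: it is the record "reasonable steps" is judged on later.
$stale |
    Select-Object UserPrincipalName, @{ n = "LastSignIn"; e = { $_.SignInActivity.LastSignInDateTime } } |
    Export-Csv -Path ".\access-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

foreach ($u in $stale) {
    if ($Enforce) {
        # Disabling blocks new sign-ins; revoking sessions invalidates refresh
        # tokens so mail and file access already open on a device also stops.
        Update-MgUser -UserId $u.Id -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
        Write-Host "Disabled and signed out $($u.UserPrincipalName)"
    } else {
        Write-Host "Would disable $($u.UserPrincipalName) (re-run with -Enforce)"
    }
}
```

Exclude any break-glass or service accounts from the result before enforcing, since those legitimately go long periods without signing in.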

“Encrypt laptops, phones, tablets and any other electronic devices.” Device encryption needs to be enforced, not requested. Mobile device management (MDM) through a platform like Microsoft Intune can verify that every device accessing firm data is encrypted, patched, and compliant. Without device management, you’re trusting that every team member has enabled encryption on their own.

“Keep all software up to date and promptly apply patches.” Automated patch management through endpoint management tools ensures updates happen on schedule across all firm devices. Manual patching on individual machines means some devices are always behind, and those are the devices attackers target.

“Choose vendors who meet Canadian privacy and security standards.” This requirement extends beyond your own systems. Cloud providers, practice management software, and communication tools all need to meet the standard. Review contracts for data residency, access controls, and incident response obligations.

The Microsoft 365 Tier Gap

This is where most small law firms have a blind spot. They have Microsoft 365, they see MFA is turned on, and they assume they’re covered. But the security capabilities available to your firm depend entirely on which Microsoft 365 license you’re running.

Microsoft 365 Business Basic or Standard includes Entra ID Free. You can create user accounts, turn on MFA through an all-or-nothing setting called “security defaults,” and delete accounts when someone leaves. That’s it. No conditional access policies. No device management. No control over which devices access client data. No automated access reviews. No remote wipe if a laptop is stolen.

Microsoft 365 Business Premium includes Entra ID P1 and Microsoft Intune. This is where real identity management begins. It adds conditional access policies that verify device, location, and risk level before granting access; Intune for device compliance enforcement, encryption verification, and remote wipe; Defender for Business for endpoint threat detection; and self-service password reset. This tier provides the technical controls that map to what the LSO Cybersecurity Checklist actually demands.

The cost difference between Business Standard and Business Premium is roughly $10 per user per month. The difference in security capability is enormous.

What About Firms Using Google Workspace?

Not every law firm runs Microsoft 365 for email and productivity. Some firms use Google Workspace. The security challenge is the same: Google Workspace on its own doesn’t include the identity management and device controls that the LSO standard requires.

The solution we implement for Google Workspace firms is Microsoft Enterprise Mobility + Security E3 (EMS E3), which includes Entra ID P1 and Intune. Every Windows computer already requires a Microsoft identity to sign in. That identity is already there. We use it as the security layer in front of everything, including Google Workspace access, applying the same conditional access policies and device management controls that Microsoft 365 Business Premium clients get natively.

This approach means one identity to manage, one place to enforce access policies, and one place to revoke everything when someone leaves. You don’t need to switch platforms to get proper security controls.

Read more about Google Workspace security controls for PIPEDA, LSO compliance, and vendor screening.

What Actually Happens After a Breach

When a breach occurs, multiple investigations typically follow. Your cyber insurer evaluates what controls were in place to determine coverage. If a client complaint reaches the LSO, they assess whether you took reasonable steps given what was known and available. If personal information was compromised, PIPEDA’s breach notification requirements apply separately.

In every case, the question is the same: what was actually configured and enforced, not what was planned or assumed.

A firm with documented conditional access policies, managed devices, encrypted endpoints, regular access reviews, and an incident response plan has a defensible position. A firm with passwords, basic MFA, and unmanaged personal devices does not.

Closing the Gap

If your firm is on Microsoft 365 Business Standard with MFA turned on and nothing else, you’re not meeting the current “reasonable steps” standard. Here’s what closing that gap looks like.

• Upgrade to Microsoft 365 Business Premium or add EMS E3 to your existing setup.
• Configure conditional access policies that verify device compliance, location, and risk level.
• Enroll firm devices in Intune for encryption enforcement, patching, and remote wipe capability.
• Implement role-based access controls that limit who can access what.
• Document your access review process and run it on a schedule.
• Create and test an incident response plan.
• Train your team on current threats, especially phishing and business email compromise.

For most small firms, this implementation takes three to four weeks with the right IT partner. The technology is already built into the Microsoft platform. It just needs to be configured.

Help Is Here

Learn how we help law firms implement the security controls that meet LSO expectations. Read about our IT Compliance Services or see our Cybersecurity Solutions for small businesses. Already on Microsoft 365? Read our guide: Is Microsoft 365 PIPEDA Compliant?

Ready to discuss where your firm stands? Schedule a consultation or call us at (416) 292-3300.


FAQ

Does the Law Society of Ontario require specific cybersecurity software?

No. The LSO does not mandate specific products or platforms. Instead, Rule 3.3-1 of the Rules of Professional Conduct requires lawyers to protect client confidentiality, and the LSO Technology Guideline and Cybersecurity Checklist outline the types of controls expected: multi-factor authentication, device encryption, access controls, vendor oversight, backups, and incident response planning.

The choice of technology is yours, but the controls must be implemented, documented, and maintained. The standard is “reasonable steps” based on what’s currently available and what current threats demand.

What is the difference between MFA and conditional access for law firms?

Multi-factor authentication verifies your identity with a second factor, typically a phone notification, when you sign in. Conditional access goes further by also evaluating the device you’re signing in from, your location, and real-time risk signals before granting access. MFA alone can be bypassed by modern adversary-in-the-middle (AiTM) attacks that intercept the authentication token. Conditional access blocks these attacks because even with a valid password and MFA token, the attacker doesn’t have a compliant, managed device.

For law firms handling confidential client information, conditional access is the current minimum for meeting the “reasonable steps” standard.

Can a law firm meet LSO cybersecurity requirements with Microsoft 365 Business Standard?

Microsoft 365 Business Standard includes basic MFA through security defaults, but does not include conditional access policies, device management through Intune, or endpoint threat detection. These features are available in Microsoft 365 Business Premium, which also includes Entra ID P1. While Business Standard provides a starting point, the LSO Cybersecurity Checklist calls for access controls, device encryption enforcement, and regular access reviews that require the capabilities in Business Premium or an equivalent add-on like Enterprise Mobility + Security E3.

Do LSO cybersecurity requirements apply to solo practitioners?

Yes. The Rules of Professional Conduct apply to all lawyers licensed by the LSO, regardless of firm size. Solo practitioners handle the same types of confidential client information as larger firms and face the same obligation to take reasonable steps to protect it. In practice, the OBA’s cybersecurity report specifically targets solo practitioners and small firms, noting that these practices are often more vulnerable because they lack dedicated IT staff or security resources. The technology controls are the same; the implementation can be scaled to fit a solo practice.

How do LSO cybersecurity requirements relate to PIPEDA?

They overlap but serve different purposes. PIPEDA governs how you collect, use, and disclose personal information in commercial activities, with its own breach notification requirements. The LSO’s obligations focus specifically on client confidentiality under professional conduct rules. A data breach at a law firm can trigger obligations under both: PIPEDA requires notification to affected individuals and the Privacy Commissioner, while the LSO may review whether you took reasonable steps to protect client information. Implementing proper security controls, including identity management, device encryption, and access policies, satisfies requirements under both frameworks simultaneously.


What should a law firm do immediately after a cybersecurity breach?

The OBA’s cybersecurity report outlines a first-60-minutes response: immediately contain the breach by isolating affected systems, document everything you observe, escalate to your cybersecurity provider or expert, preserve evidence for investigation, and begin assessing notification obligations. Do not attempt to investigate on your own if you lack expertise. You may have notification obligations under PIPEDA, and depending on the nature of the breach, you may need to report to the LSO. Having an incident response plan documented before a breach occurs is one of the specific items on the LSO Cybersecurity Checklist.
