Cybersecurity for Law Firms and Accounting Practices: GDPR and Sensitive Data

8 min read · AstraLoop Studio

If you run a law firm or an accounting practice, you're sitting on one of the most attractive data collections around: tax returns, financial statements, court filings, banking details, litigation records, payroll, and sometimes medical files and personal circumstances of your clients. To an attacker it isn't just an archive, it's a high-value target. To the Italian Data Protection Authority (Garante Privacy) you're a data controller with precise obligations. And to your client, you're the custodian of their confidentiality.

The problem is that many practices have gone digital (cloud practice management software, digital signatures, certified email, e-invoicing, tax agency portals) without ever seriously thinking through cybersecurity. Everything gets handed off to the IT consultant who "installed the antivirus," the same backup has been running for years without ever being tested, and tax documents get shared over WhatsApp. Then a ransomware attack or data breach hits, and it becomes clear the risk was never just technical. It's legal, financial, and reputational.

This article is the vertical-specific guide that's usually missing: what you actually need to protect, which GDPR obligations apply to you, what the real threats look like in 2026, and how to set up a review built around your practice. If you want the full picture, this piece fits inside a complete cybersecurity audit built for Italian SMEs and professionals.

Illustration of a professional firm's archive protected like a safe, representing the custody of clients' sensitive data

Why a professional practice is a prime target

The 2026 Clusit Report shows Italy accounting for roughly 10% of incidents worldwide, with a 23% jump in serious attacks in the first quarter and SMEs making up 72% of the targets. Professional practices fall squarely into this bracket, for three very concrete reasons.

First: the value of the data. An accounting practice's archive contains IBANs, tax credentials, delegations to the tax dashboard, and data on dozens or hundreds of client companies. A law firm holds litigation strategy, confidential settlements, court records. On the black market, that's worth far more than a plain list of email addresses.

Second: the widened attack surface. You're a node in a supply chain. Attackers can reach your clients through you. Third-party compromises have quadrupled in five years, and roughly 30% of breaches involve a supplier. For an attacker, hitting the accountant who serves twenty companies is far more efficient than hitting twenty companies one by one.

Third: the belief that you're "too small to matter." This is the most common mistake. Modern attacks are automated: AI-powered botnets scan the web looking for holes, and a practice with an exposed management system or an outdated WordPress site gets found within minutes. Not because anyone singled you out, but because your system answered the scan.

What GDPR actually requires of you

EU Regulation 2016/679 (GDPR) makes you a data controller for your clients' data. That's not a formality: you are legally responsible for how that data is collected, stored, and protected. And much of what you handle counts as "special category" data (Art. 9), which carries reinforced protections: judicial data at law firms, health data in disability or injury claims, sensitive financial data in tax consulting.

Here are the concrete obligations, translated into things you actually need to have in place.

1. Adequate security measures (Art. 32)

GDPR doesn't hand you a rigid checklist, it asks for measures "appropriate to the risk." For a practice this means, at minimum: access control (who can see what), encryption of sensitive data and portable devices, tested backups kept offline or in a separate environment, and multi-factor authentication on critical logins (practice management software, certified email, tax dashboard). In 2026, antivirus alone is not an "appropriate measure."

2. Record of processing activities (Art. 30)

You have to document what data you process, for what purposes, where it's stored, and who you share it with. For a practice this is also a control tool: it forces you to know where your data actually is, which surprisingly few practices can say with precision.

3. Appointing external processors (Art. 28)

Your cloud practice management software, your email provider, the company that manages your servers: they're all data processors and need to be appointed under a specific contract. If a supplier of yours suffers a breach and you don't have that contract in order, the responsibility falls on you too.

4. Data breach management (Arts. 33-34)

If you suffer a data breach, you have 72 hours from the moment you become aware of it to notify the Garante Privacy, and in certain cases you also have to inform the people affected. This isn't optional and it isn't negotiable. We've covered the timeline and practical steps in what to do in the 72 hours after a data breach and what it means legally in what counts as a data breach under GDPR.

GDPR fines run up to €20 million or 4% of worldwide annual turnover. For a practice, the realistic risk isn't the maximum fine, it's a combination of a fine, client compensation claims, and reputational damage, which for a trust-based business can be devastating.

Illustration of different cyber threats converging on a professional practice: phishing, data leaks, and supplier risk

The real threats in 2026 (not theory, actual cases)

Ransomware: the number-one risk for professional practices

Ransomware encrypts your files and demands a ransom. For a practice that means losing access to case files, financial statements, tax deadlines, often right when you need them most. The 2026 evolution is even nastier: it's moving toward double and triple extortion (first they encrypt you, then they threaten to publish the stolen data, then they contact your clients directly). The average cost for an SME hit by ransomware runs between €35,000 and €250,000, factoring in downtime, recovery, and legal fallout. For defenses and a response plan, see our guide on how to protect yourself from ransomware.

Phishing and AI-powered fraud

Phishing emails today are written in flawless Italian and impersonate the tax agency, the bank, or an actual client. Even more dangerous is vishing, voice-based fraud: audio deepfakes in Italy have grown by more than 300% since 2023. A real case in Lombardy: an SME wired €28,000 after a call from a fake "CFO" with a cloned voice. For a practice, picture a call from a "client" urgently requesting a wire transfer or confidential documents. Knowing how to spot corporate phishing and how to defend against deepfake scams is no longer specialist knowledge, it's baseline training for anyone working at a practice.

Shadow AI: the risk you're probably ignoring

This is the most underrated issue. Do your staff use ChatGPT, Gemini, or Copilot to summarize a contract, rewrite a letter, or tidy up a financial statement? 38% of employees admit to having shared confidential data with these tools, and 78% use unauthorized AI tools of their own choosing. When a staff member pastes a client's contract clause or tax statement into a public AI tool, that sensitive data leaves your control. That's a potential GDPR violation and a real data-leak risk. We've dedicated a full piece to what Shadow AI is and what risks it carries: for a professional practice, it's required reading.

The answer isn't banning AI (that lasts about as long as a coffee break), but setting clear rules on what can and can't be fed into these tools, and evaluating tools with contractual guarantees on data processing.

Want to know exactly where your practice is exposed and which GDPR obligations you're not meeting? Request a tailored security assessment: we start from your sensitive data, not a generic scan.

Reputational risk: the damage a backup can't fix

A professional practice runs on trust. A client hands you their numbers, their disputes, their financial weak points. If a data breach exposes that data, the technical damage gets fixed in a few days, but the reputational damage lasts for years. A business owner who finds out their financial statements ended up online because of their accountant doesn't come back, and they tell others about it.

There's also a professional-conduct dimension. For lawyers, professional secrecy is a bar-association duty, not just a privacy rule. A breach that exposes privileged data can trigger disciplinary consequences on top of regulatory penalties. That's why cybersecurity at a practice isn't an IT cost, it's part of professional responsibility itself.

What's changing with NIS2 and the AI Act (and whether they apply to you)

Two regulations are reshaping cybersecurity obligations in Italy in 2026.

NIS2 (the EU directive as transposed into Italian law) imposes security measures and an incident-notification duty on entities operating in critical sectors. Most small professional practices don't fall directly within the NIS2 perimeter, but they're touched indirectly: if one of your clients is subject to NIS2, that client will have to assess you as a supplier (supply-chain security obligation). In practice, your more structured clients will start asking you for security guarantees. To check whether you're in scope, read whether NIS2 applies to your business and the 2026 NIS2 deadlines.

The AI Act (EU Regulation 2024/1689) enters its operational phase on August 2, 2026, with oversight from ACN (Italy's National Cybersecurity Agency) and fines of up to €35 million or 7% of turnover for the most serious violations. If your practice uses AI tools, this ties directly into the Shadow AI issue: you need to know which systems you use and how they handle data. We've summarized the AI Act obligations for SMEs in the AI Act obligations for SMEs.

How to set up a security audit built for your practice

The cheap automated scans that half the market sells you produce a report of technical vulnerabilities and not much else. A practice needs a review that starts from the data and the legal obligations, not just from open ports. Here's what a properly done audit should cover.

AreaWhat gets checkedWhy it matters for the practice
Data mapWhere sensitive data lives, who accesses it, which suppliers it's shared withThe basis for the processing record and for understanding real exposure
Access and MFAPasswords, multi-factor authentication on practice software, certified email, tax dashboardMost breaches start with weak or reused credentials
Backup and recoveryExistence, frequency, isolation, and actual restore testingThe only real defense against ransomware, if it's actually tested
Suppliers (Art. 28)Contracts with cloud, email, and external IT providersSupply-chain risk and shared liability
AI usageWhich tools staff use and with what dataShadow AI, data leaks, GDPR and AI Act compliance
TrainingAwareness of phishing, vishing, document handlingThe human factor remains the number-one entry point
Website and portalsVulnerabilities in the website (often WordPress) and client portalsAn exposed surface that gets attacked automatically

An audit like this produces two things: an honest snapshot of your risk (not a list of automated alerts) and a realistic priority list of what to fix first, and with what budget. If you want to understand how this kind of review works and what it costs, we've detailed the difference between a vulnerability assessment and a penetration test and the cost of a cybersecurity audit.

Five things you can do starting tomorrow morning

  1. Turn on multi-factor authentication on your practice software, certified email, email, and tax dashboard. It's the measure with the best effort-to-protection ratio.
  2. Test your backup. Having one isn't enough: try restoring a file. An untested backup often fails exactly when you need it.
  3. Set a rule on AI. No client data goes into public AI tools. Written down, shared, explained to the team.
  4. Check your supplier contracts. Cloud, email, external IT: they all need a data-processor appointment.
  5. Train your staff on phishing and vishing. One hands-on session is enough to drastically lower the most common risk.

Cybersecurity at a professional practice isn't something you buy once and it's never "done." It's a process that starts with awareness of the risk and gets built up by priority. The right starting point is knowing where you stand today: what data you hold, where it's exposed, and which obligations you're not meeting. From there, every euro you spend is aimed at something specific.

Frequently asked questions

Is a law firm or accounting practice legally required to have cybersecurity measures in place?

Yes. As a data controller, GDPR (Art. 32) requires security measures appropriate to the risk to protect client data. Since practices often handle special-category data (judicial, health, financial), the obligations are reinforced. Antivirus alone is not considered an adequate measure.

What do I need to do if my practice suffers a data breach?

You have 72 hours from the moment you become aware of it to notify the Garante Privacy, and in some cases you also have to inform the people affected. It's essential to have a procedure ready before it happens, because 72 hours leaves little room to improvise.

My staff use ChatGPT to work on documents. Is that a problem?

It can be. Pasting client data (contracts, financial statements, tax records) into public AI tools takes that data outside your control, with potential GDPR violations and a real data-leak risk. You don't need to ban AI, but you do need clear rules on what can be shared and to evaluate tools with contractual guarantees on data processing.

Does NIS2 apply to my professional practice?

Most small practices don't fall directly within the NIS2 perimeter. But they're touched indirectly: if you have clients subject to NIS2, those companies will have to assess you as a supplier and will ask you for security guarantees. It pays to be prepared.

How much can a ransomware attack cost a professional practice?

For an SME or practice, the average cost runs between €35,000 and €250,000, factoring in downtime, recovery, legal consulting, and fallout. On top of that comes reputational damage, often the most serious consequence for a trust-based business.

Is a cheap automated scan better, or a tailored audit?

Automated scans give you a list of technical vulnerabilities and not much else. A practice needs an audit that starts from sensitive data and GDPR obligations: data mapping, access control, tested backups, supplier contracts, AI usage, and staff training. It's a review that produces concrete priorities, not just alerts.

If you hold your clients' sensitive data, security is part of your professional responsibility. Talk to us and let's build a plan tailored to your practice.