According to a recent study of general counsel and corporate directors at public companies, the most widespread concern among both groups is no longer operational risk or reputation—as is frequently the case—but, instead, data security. 55% of the 1,957 general counsel polled cited cybersecurity as the biggest concern for their company, while 48% of the 11,340 directors said the same thing. The results of the survey demonstrate the increasing attention that companies must give to the privacy of their data given the increasing frequency of cyberattacks.

The risk of having sensitive or confidential data stolen is not unique to public companies. Law firms, which are in possession of valuable information and are professionally obligated to keep such information confidential, have faced a rising number of cyberattacks in recent years. And large law firms that handle high-profile mergers and acquisitions could be targets for hackers looking for insider trading secrets. Part of the problem increasing law firms’ cyber vulnerability is that lawyers conduct a significant amount of their business on email, smartphones, and other mobile devices, and hackers are adept at disguising their attacks. For example, a data breach at the Los Angeles, CA, law firm Gipson Hoffman & Pancione in 2010 resulted from a series of Trojan emails, which appeared to be from members of the firm but in reality were designed to steal data from the firm’s computer system.

In order to prevent data breaches, at law firms and public companies alike, the alertness of employees to possible cyberattacks is essential, but other procedures should be in place. Yet, of the general counsel and directors polled in the survey, only 42% reported that their company had a formal, written crisis management plan in the event of an attack, and another 31% responded that they did not know whether such a plan existed for their corporation. Nevertheless, 77% of the respondents indicated that their company would be able to detect a cyber breach should one occur—a disconnect that may cause companies to design a plan only after their security has been breached.

In light of the growing risks, companies are looking to change the standards for data security. Some bar associations across the country have told lawyers to keep up with technological advances and take reasonable steps to protect client information, and the American Bar Association may adopt such requirements into its model rules of professional conduct. And, in the future, large law firms and corporate legal departments might be required to report their security procedures to the federal government—an obligation that the Cybersecurity Act of 2012 (which was blocked by a Republican filibuster in early August 2012) could have put into place this year.