The DocketWise Breach Is a Wake-Up Call: A Practice Management Vendor Security Checklist for Every Law Firm

The April 2026 DocketWise breach exposed 116,000 records using valid credentials. Here's the 10-point practice management vendor security checklist every law firm needs, and why platform foundation matters after the breach.

Published: 2026-04-20T14:22:30.104Z · Category: Industry News · 8 min read

IN SHORT
The April 2026 DocketWise breach exposed 116,000 records, including Social Security numbers, passport data, and client trust account information, because an attacker used valid credentials to quietly copy law-firm files. Every law firm now owes itself a hard look at the security posture of its practice management vendor, and platforms built on Salesforce infrastructure (like CaseQube) offer a materially different risk profile than standalone legal-tech apps.
Who should read this: Managing Partners, Firm Administrators, IT & Security Leads, Immigration Attorneys

On April 3, 2026, notification letters started landing in law-firm mailboxes across the country. Immigration software vendor DocketWise confirmed an unauthorized actor had used valid credentials to copy files containing client names, addresses, Social Security numbers, dates of birth, driver's license and passport numbers, financial account information, government IDs, medical data, and login credentials for non-financial accounts. An estimated 116,000 people were affected, and because DocketWise is a practice management tool, every one of those records sat inside files belonging to law firms.

The legal profession has been softened up for this moment. LexisNexis confirmed its own breach weeks earlier, with hackers claiming access to government and law-firm user data. Jones Day disclosed a phishing incident affecting 10 clients. Above the Law has been sounding the alarm that average ransom demands against law firms are now above $4 million. And the DocketWise breach didn't involve exotic malware; it involved valid credentials being misused, which is exactly the attack pattern that generic SaaS apps struggle to contain.

Why the DocketWise Breach Matters Beyond Immigration

Immigration firms felt this one first because DocketWise is an immigration-only platform, but the pattern is not category-specific. Any standalone practice management tool that handles sensitive data (PI settlements, family-law discovery, corporate trust ledgers, estate files) can suffer the same class of incident. The uncomfortable reality is that most law firms vet their practice management vendor on features, not on threat modeling.

Red Flag
If your vendor's last SOC 2 Type II report is older than 12 months, or they have never shared the executive summary with you, your firm is effectively accepting their security on faith. After DocketWise, that is not a defensible posture.

The Practice Management Vendor Security Checklist

Every managing partner or firm administrator should run the following 10-point check on their current practice management and legal accounting vendors before the next partner meeting:

Current SOC 2 Type II

Is the report less than 12 months old? Has your firm actually read it?

MFA Enforcement

Is multi-factor authentication required, not optional, for every user, including admin accounts?

Credential Anomaly Detection

Does the platform detect abnormal login patterns (geography, time, device) and lock down sessions automatically?

Field-Level Encryption

Are SSNs, passport numbers, and financial fields encrypted separately from the broader database?

Full Audit Trails

Can you see who viewed, downloaded, or exported any record, and run that report yourself?

Role-Based Permissions

Is the principle of least privilege actually enforced, or do paralegals see everything?

Data Residency

Where does client data live, and is that location covered by your engagement letters and malpractice carrier?

Incident Response SLA

Does the vendor commit in writing to notifying your firm within 72 hours of a confirmed incident?

Why Platform Foundation Is a Security Decision

CaseQube and LawAccounting are built on Salesforce, not as a CRM bolt-on but as the core platform underneath practice management, billing, and legal accounting. That means every law firm inherits the same enterprise security infrastructure that banks, healthcare systems, and the U.S. federal government already rely on: field-level encryption, Event Monitoring, Shield Platform Encryption, login anomaly detection, and Salesforce's dedicated Trust team.

For a standalone legal-tech startup, shipping that same control stack is measured in years and tens of millions of dollars. For platforms that inherit it from day one, it's measured in configuration.

Did You Know?
The DocketWise attack succeeded because valid credentials were used to copy data, a pattern Salesforce Shield's Event Monitoring is specifically designed to flag through User Behavior Analytics. CaseQube firms can turn on that layer without re-architecting their platform.

How CaseQube and LawAccounting Reduce This Risk Class

Three concrete differences matter after the DocketWise breach:

Unified audit trail, not vendor-by-vendor logs. When intake, matter, billing, accounting, documents, and trust all live on one platform, there is one audit trail to monitor, not five. That closes the gap attackers exploit when they jump between loosely integrated systems.

Role-based permissions designed for law firms. CaseQube ships with legal-specific permission sets: attorneys, paralegals, billing admins, trust admins, and client-portal users each see only what they need. Exporting a client list becomes an auditable, permissioned action rather than a click anyone can make.

Trust account separation by design. LawAccounting keeps operating and IOLTA data logically separated with independent reconciliation and reporting paths. Even in a worst-case credential-compromise scenario, the trust side has an additional audit and reconciliation layer on top of the platform's native security.

What to Do This Week

Three steps every firm should take in the next five business days:

Pro Tip
Ask your current vendor, in writing: "Have you been notified of, or detected, any unauthorized access to firm data in the last 24 months?" A vendor that cannot answer crisply in writing is telling you something.

First, inventory every piece of software that holds client data: not just practice management, but scanning tools, document assembly plug-ins, e-signature, and intake capture. Each is a potential DocketWise. Second, confirm MFA is actually turned on for every user: not just policy, but configuration. Third, schedule a formal vendor security review at your next partner meeting and document who owns it.

Key Takeaways
  1. The April 2026 DocketWise breach exposed 116,000 records using valid credentials; this is the new baseline threat model, not an outlier.
  2. Law firms must vet practice management vendors on security as rigorously as they vet them on features.
  3. Platforms built on Salesforce (like CaseQube and LawAccounting) inherit enterprise-grade security controls that standalone legal-tech apps usually can't match.
  4. Unified platforms reduce the attack surface by consolidating audit trails, permissions, and data residency.
  5. Run a 10-point vendor security check this quarter, and get answers in writing.

Security That Comes Built In, Not Bolted On

See how CaseQube and LawAccounting deliver enterprise-grade security, unified audit trails, and role-based permissions on a Salesforce foundation trusted by regulated industries.
