An independent review of email security across California’s top law firms shows wide variation in performance. While some firms demonstrate relatively strong controls, others — including several nationally prestigious firms — have significant gaps that increase risk of phishing, spoofing, and Business Email Compromise.
Email Security Scores of Top California Law Firms
Here are the results from recent audits:
| Rank | Law Firm | Overall Score | Performance | Notes |
|---|---|---|---|---|
| 1 | O’Melveny | 73% | Strong | Highest score among tested California firms |
| 2 | Latham & Watkins | 64% | Good | Strong email infrastructure |
| 3 | Kirkland & Ellis | 60% | Above Average | Solid but room for improvement |
| 4 | Wilson Sonsini | 58% | Average | Common gaps in transport security |
| 5 | Morrison & Foerster | 55% | Average | Moderate performance |
| 6 | Cooley | 54% | Average | Notable weaknesses in identity & spoofing |
| 6 | Paul Hastings | 54% | Average | Similar profile to Cooley |
| 8 | Baker Botts | 50% | Below Average | Significant gaps identified |
| 9 | Gibson, Dunn & Crutcher | 44% | Weak | Low score across multiple categories |
| 10 | Arnold & Porter | 38% | Weak | One of the lowest scores in California |
Key Findings
- Best Performer: O’Melveny leads California firms with a strong 73% score.
- Lowest Performers: Arnold & Porter (38%) and Gibson Dunn (44%) show critical weaknesses, particularly in DMARC enforcement and transport security.
- Many elite California firms are still scoring in the low-to-mid 50s, which is concerning given the high volume of sensitive client work and regulatory matters they handle.
- Common issues across lower-scoring firms include weak or missing DMARC policies, lack of MTA-STS, and insufficient website security headers (HSTS, CSP, X-Frame-Options).
Why This Matters in California
California law firms frequently handle high-stakes litigation, technology transactions, venture capital, and regulatory matters. Weak email security increases the risk of:
- Business Email Compromise and wire fraud
- Exposure of privileged client communications
- Reputational damage and potential professional liability
These risks are especially relevant under California’s strict privacy laws and growing expectations around cybersecurity diligence.
Recommendations
California law firms should prioritize:
- Implementing a strict DMARC policy (p=reject)
- Enabling MTA-STS and monitoring TLS reports
- Regularly auditing email and domain security configurations
- Conducting ongoing phishing and social engineering awareness training
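The DMARC, MTA-STS and TLS-reporting items above can be checked offline against the text of a domain's published records. The Python below is an added example, not part of the original audit or its tooling; the function names and the example.com records are constructed for illustration.

```python
# Added example; every record below is a constructed sample, not audit data.
def parse_tags(record):
    """Split a 'k=v; k=v' TXT record (DMARC, TLS-RPT) into a dict."""
    pairs = (p.split("=", 1) for p in (record or "").split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_findings(record):
    """Weaknesses in a DMARC TXT record; an empty list means strict."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record published"]
    findings = []
    policy = tags.get("p", "missing").lower()
    if policy != "reject":
        findings.append(f"p={policy} does not reject spoofed mail")
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"sp={tags['sp']} leaves subdomains weaker")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} exempts part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua address for aggregate reports")
    return findings

def mta_sts_findings(policy_text):
    """Weaknesses in an MTA-STS policy file (RFC 8461 'key: value' lines)."""
    fields = {}
    for line in (policy_text or "").splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    if fields.get("version") != ["STSv1"]:
        return ["no valid MTA-STS policy published"]
    mode = fields.get("mode", ["missing"])[0]
    if mode != "enforce":
        return [f"mode={mode} does not enforce TLS on inbound delivery"]
    return [] if fields.get("mx") else ["no mx patterns listed"]

def tls_rpt_findings(record):
    """TLS-RPT (RFC 8460) check: needs v=TLSRPTv1 and a rua target."""
    tags = parse_tags(record)
    ok = tags.get("v") == "TLSRPTv1" and "rua" in tags
    return [] if ok else ["no TLS-RPT record, TLS failures go unreported"]

WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
TESTING_STS = "version: STSv1\nmode: testing\nmx: *.mail.example.com\nmax_age: 86400"
TLS_RPT = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
if __name__ == "__main__":
    print(dmarc_findings(WEAK_DMARC), mta_sts_findings(TESTING_STS))
```

The DMARC and TLS-RPT strings correspond to the TXT records at _dmarc.<domain> and _smtp._tls.<domain>, and the MTA-STS text to the policy file served from https://mta-sts.<domain>/.well-known/mta-sts.txt.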
Protect your firm.
Run a free Instant Cybersecurity Audit at audit.emailmenow.com to see your firm’s current score and get specific, actionable recommendations.
Contact EmailMeNow IT Consulting for help improving your email security and overall compliance posture.
Even many of California’s most respected law firms still have meaningful opportunities to strengthen their email security foundations.