Security | September 15, 2025

CTO Perspective: Outdated Software, Real Liability

Why outdated software raises law firm risk, and the action plan to reduce it

Jim Garrett, CTO, Assembly Software



I often hear a version of the same line from firm leaders: “Our systems are old, but they still get the job done.” I understand the instinct. Lawyers focus on client work, not patches and platforms. But the reality has changed. Running outdated software is no longer an inconvenience. It is a direct risk to client confidentiality, operations, and reputation.

For clarity, when I say “outdated software,” I mean systems that are out of vendor support, are two or more major versions behind, have critical patches outstanding for more than 30 days, or rely on unsupported plugins or drivers.

A concrete example makes this clear. On October 14, 2025, support for Windows 10 ends. Any device that remains on an unsupported operating system will drift outside a defensible security posture. The same pattern applies to browsers, collaboration tools, document systems, and practice management software that are several versions behind. Treat the Windows 10 end-of-support milestone as a forcing function, not a one-off.



Why delay raises risk and cost

  • Cybersecurity exposure. Unsupported systems miss critical patches and modern controls. Attackers look for that gap first because it is predictable. The 2017 WannaCry ransomware outbreak spread quickly by exploiting older Windows systems that lacked fixes many organizations had deferred. The lesson holds: unpatched is an open door. CISA’s analysis is a useful summary: CISA report on WannaCry
  • Ethics and compliance. More than 40 states have adopted a duty of technological competence anchored in ABA Model Rule 1.1, Comment 8. Continuing to use unsupported or unpatched systems can be viewed as a failure to safeguard client information and may trigger reporting duties under state privacy laws or sector rules such as HIPAA or GLBA when applicable. Read the rule text: ABA Model Rule 1.1, Comment 8
  • Operations and finance. Legacy platforms increase downtime risk and support burden. Your IT staff spends more time on ad hoc fixes and one-off integrations and less time on improvements that matter. Incidents also take longer to contain on older stacks, which drives higher remediation and business interruption costs. For a structured way to weigh costs and benefits as Windows 10 support ends, see Forrester’s TEI overview: Forrester TEI: Windows 10 End of Support
  • Innovation readiness. Outdated systems limit secure adoption of the tools that now shape legal work, from modern collaboration to analytics and AI-assisted drafting. Firms that maintain current platforms can evaluate and control these capabilities. Firms that lag are forced to choose between unsafe adoption and standing still.
  • Reputation. Clients assume you will protect their data with current, well-supported systems. A preventable incident can damage trust in a way that is hard to repair.



Action items to lower risk

  1. Inventory and classify. Build a complete list of operating systems and core applications. Mark what is end of support now, within 12 months, and within 24 months. Identify what touches client data or affects matter work. Microsoft’s page can help identify affected devices: Windows 10 end of support
  2. Reduce the highest risk first. Retire or upgrade systems that handle sensitive data and those that are out of support. Treat unsupported endpoints and internet-facing servers as priority one.
  3. Strengthen the basics. Ensure multi-factor authentication, endpoint detection and response, reliable backups with routine restore testing, and least-privilege access are in place and monitored. These controls reduce incident likelihood and shorten recovery.
  4. Plan the change, not just the technology. Lawyers need continuity. Phase upgrades by practice group or location. Schedule around peak filing periods. Communicate early and give people a single point of contact.
  5. Educate and document. Brief partners and matter leads on why the changes are necessary, what will happen when, and how the firm is meeting its duty of technological competence. Document decisions and timelines. Cite your end of support sources and your policy updates to create a defensible record.
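One way to turn steps 1 and 2 into a repeatable worklist, using the definition of "outdated software" given earlier. This is an added example, not code from the article or from Assembly Software: the field names, the sample inventory, the 1/2/3 priority scheme, and the 365/730-day approximation of 12 and 24 months are assumptions; only the Windows 10 end-of-support date comes from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Asset:  # field names are assumptions made for this example
    name: str
    end_of_support: date          # vendor end-of-support date
    versions_behind: int          # major versions behind current
    critical_patch_age_days: int  # oldest outstanding critical patch; 0 if none
    unsupported_plugins: bool     # relies on unsupported plugins or drivers
    client_data: bool             # touches client data or matter work
    internet_facing: bool

def outdated_reasons(a, today):
    """The article's four criteria for 'outdated software'."""
    checks = [
        (a.end_of_support <= today, "out of vendor support"),
        (a.versions_behind >= 2, "two or more major versions behind"),
        (a.critical_patch_age_days > 30, "critical patch outstanding over 30 days"),
        (a.unsupported_plugins, "unsupported plugin or driver"),
    ]
    return [label for hit, label in checks if hit]

def eos_bucket(a, today):
    """Step 1 buckets: end of support now, within 12 months, within 24 months."""
    for days, label in ((0, "now"), (365, "within 12 months"), (730, "within 24 months")):
        if a.end_of_support <= today + timedelta(days=days):
            return label
    return "beyond 24 months"

def priority(a, today):
    """Step 2 ordering; the 1/2/3 scheme is this example's reading of it."""
    reasons = outdated_reasons(a, today)
    if not reasons:
        return None  # current: nothing to remediate yet
    if "out of vendor support" in reasons or a.internet_facing:
        return 1     # unsupported, or outdated and internet-facing
    return 2 if a.client_data else 3

TODAY = date(2025, 9, 15)  # the article's publication date
INVENTORY = [  # constructed sample data; only the Windows 10 date is from the article
    Asset("paralegal-laptop-win10", date(2025, 10, 14), 0, 0, False, True, False),
    Asset("legacy-dms-server", date(2023, 1, 10), 3, 90, True, True, False),
    Asset("client-portal-web", date(2027, 6, 30), 0, 45, False, True, True),
    Asset("billing-workstation", date(2029, 1, 1), 2, 0, False, True, False),
]

def plan(inventory, today):
    rows = [(priority(a, today), a.name, eos_bucket(a, today)) for a in inventory]
    return sorted(rows, key=lambda r: (r[0] is None, r[0] or 0, r[1]))
```

Re-running `plan` with a later date shows the forcing function at work: the Windows 10 laptop has no priority on the publication date but becomes priority one the day after support ends.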



What to measure and report

  • Percentage of devices and servers that are supported and fully patched
  • Time to deploy critical patches across the fleet
  • Incident frequency and mean time to recovery
  • Backup success rate and restore success rate
  • Unplanned downtime by practice group
  • Percentage of systems with strong authentication and endpoint protection
  • Percentage of high-risk legacy systems retired each quarter



The ethics dimension

Technological competence is part of modern practice. Lawyers do not need to be engineers, but they should understand the risk tradeoffs of running unsupported systems and the controls that reduce those risks. That includes patch cadence, access controls, encryption, and the firm’s incident response plan. The ABA’s commentary on competence is clear on this expectation: ABA Model Rule 1.1, Comment 8



Closing thoughts

In prior pieces, I have argued that the cloud can meet or exceed the security expectations of most firms, and that legal operations will continue to evolve toward more distributed and data-driven work. The common thread is governance. Leaders who replace aging systems with supported, well-managed platforms reduce breach likelihood, cut downtime, and create room for improvement that benefits clients.

The firms that thrive in the next decade will be the ones that treat technology not as a reluctant expense, but as a strategic asset. Delaying upgrades is no longer a minor inconvenience; it is a substantive risk to security, compliance, and reputation. Firms that proactively modernize their technology will not only reduce exposure but also position themselves for operational efficiency and competitive advantage.

Don’t wait until October 14, 2025. Start your transition today to protect your clients, your firm, and your future. If you’re interested in learning more about the cloud-transition process, schedule a personalized consultation with our team of experts today.


