The publicized breaches of major law firms last year served as a wake-up call for the legal industry, signaling the importance of having effective cybersecurity measures in place. On the heels of these breaches, the Association of Corporate Counsel released a set of model cybersecurity practices to help in-house counsel set expectations with respect to the data-security practices of their outside counsel and serve as a benchmark for best practices. But how realistic are those guidelines? Justin Hectus, the CIO and CISO of Keesal, Young and Logan, told the Cybersecurity Law Report that “the reality is that it’s a buyer's market right now in legal. If a law firm is not willing to do these kinds of things in order to keep the clients’ data safe, then another firm will be willing to do it, as there are plenty of firms that take these steps even absent client pressure.” We analyze the guidelines’ recommendations with input from Hectus on the practicality of their implementation. See also “Eight Attributes In-House Counsel Look For in Outside Cybersecurity Counsel” (Jun. 8, 2016); and “How Law Firms Should Strengthen Cybersecurity to Protect Themselves and Their Clients” (Mar. 30, 2016).