Even after high-profile law firm data breaches, limited resources and the assumption that hackers wouldn’t possibly target them is still a persuasive belief among some firms, observers say.