Law firms are an attractive target because of the data, but also because it might be easier to breach a firm than it would be to hack the clients they represent. As the rest of the article goes on to describe, there are still too many firms without cybersecurity training, proper policies, or incident response plans. That is not going to keep things secure.
On top of that, as I’ve written before, the whole culture in firms is a problem. Anytime you have a large group of people in charge (partners) who are often not to be questioned, social engineering gets a whole lot easier, and the likelihood that even a policy that does exist gets ignored is pretty high.