I just finished a class called "The Legal and Regulator Environment of Business Law". What it brought to mind are questions of liability.
You definitely need to come up with a contract. And ... since you are talking about matters of security for a law firm, you are probably going to need to have a lawyer look over a contract for you. You want to mention that you will make a "best effort" to install a secure solution. However, they need to realize and confirm they are aware that no solution is 100% secure - security can only deter people from attempting to violate the security.
Additionally, you may want to consult with them about data integrity, availability, and confidentiality. Access rights, redundant systems, and encryption and digital signatures. I would suspect these concepts are important to them since they are a law firm and their product is their intellectual capital which they must store and have access to while maintaining absolute confidentiality.
To recap, you need to cover your a$$ and make sure they sign releases which limit or eliminate your liability for a data security breach or loss.
Ps. You will definitely want to install a "real" firewall for them - a hardware platform such as a Pix or Checkpoint firewall. We've just begun installing Nokia firewall appliances running Checkpoint - they're cool!