With great data comes great responsibility, which is why law firm data encryption is essential. Data breaches, hacking attempts, and embarrassing leaks due to human error are commonplace. And unfortunately, the legal sector is particularly vulnerable due to the highly sensitive client data that lawyers traffic in.
In fact, when the American Bar Association (ABA) asked survey respondents: “Has your firm ever experienced a security breach (e.g. lost/stolen computer or smartphone, hacker, break-in, website exploit)?”, 27% of respondents answered in the affirmative.
What is encryption?
Encryption is the act of taking data and “scrambling” it so that no one else can read it without the key.
Law firm data encryption can be applied to everything from cloud applications to internet browsers to local hard drives to email. In order to keep your law firm’s data secure, you’ll need to encrypt everything, including your laptop, email communications, and any data stored in the cloud. Below, we’ll review the places you’ll need to encrypt your firm’s data to ensure your information is safe.
How do law firms store data?
Most law firms use cloud-based storage software or on-premise servers. Cloud-based data storage tends to be more cost-effective, safe, and overall beneficial for modern law practices. If your firm uses an on-premise server, consider exploring the enhanced security and flexibility cloud-based storage offers.
The different kinds of data encryption for law firms to know
1. Cloud encryption
First, the good news: If you’re using cloud-based Software as a Service (SaaS) services in your practice, they’re probably already taking care of encryption on their end. (If you’re unsure, ask.)
When you connect to a website via a web browser, you can connect via one of two protocols: HTTP or HTTPS. When connecting via HTTPS, all data is transmitted between your web browser and the web server using encryption. No one can intercept or view the information you are sending, whether you’re at home, at the office, or using a public network such as one in a coffee shop.
When connecting via HTTP, however, you may as well be transmitting information via megaphone. Third parties, government agencies, or even your internet service provider can intercept this information.
These days nearly every website is secured using HTTPS, and it’s easy to tell.
On most modern browsers, there will be a small padlock icon next to the web address. Clicking the icon should reveal the security certificates for the website you’re visiting and whether they’re valid.
Of course, at Clio, we ensure our security certificates and encryption standards are always easily accessible.
If you don’t see the icon or security certificates available in the browser, you may want to reach out to the cloud vendor to confirm that they’re using encryption—and to find out how you can confirm this on your end. If they aren’t using encryption, run, don’t walk, the other way.
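One way to confirm a vendor's HTTPS setup from your end without a browser, as an added example (not Clio's code or tooling): it opens a TLS connection with full certificate validation and reports the protocol version, issuer, covered host names, and days until expiry. The host name `vendor.example` and the sample certificate are constructed placeholders.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone


def summarize_cert(cert, tls_version, now=None):
    """Summarize the dict returned by SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    # The issuer is a tuple of RDNs, each holding one (field, value) pair.
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    days_left = (expires - now).days
    return {
        "tls_version": tls_version,
        "issuer": issuer.get("organizationName", "unknown"),
        "names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_left": days_left,
        # Flag legacy protocol versions and certificates past their end date.
        "ok": tls_version in ("TLSv1.2", "TLSv1.3") and days_left >= 0,
    }


def check_vendor(host, port=443, timeout=5):
    """Connect the way a browser would; an invalid chain or name raises."""
    ctx = ssl.create_default_context()  # verifies CA chain and host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return summarize_cert(tls.getpeercert(), tls.version())


# Constructed sample in getpeercert() format, used when no host is given.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA"),),
               (("commonName", "Example CA TLS"),)),
    "subjectAltName": (("DNS", "vendor.example"),
                       ("DNS", "www.vendor.example")),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        try:
            print(check_vendor(sys.argv[1]))
        except OSError as exc:  # includes ssl.SSLCertVerificationError
            print("TLS check failed:", exc)
    else:
        print(summarize_cert(SAMPLE_CERT, "TLSv1.3"))
```

Run it with a vendor's host name as the only argument; a failed check means the connection could not be validated and is worth raising with the vendor.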
2. Laptop encryption
Now, the bad news: If you’re storing data locally on your hard drive, you’re on the hook for encrypting it yourself.
Don’t despair, though; as long as you’re using a macOS or Windows computer, you just need to turn on a setting to enable encryption on your laptop (instructions here for Mac users and here for PC users).
Once you’ve encrypted the files on your computer, that’s it. All you have to do is make sure your device is password protected (using strong passwords), and your data should be safe in the event of theft or loss. Just don’t store your password on the computer itself.
3. iPhone and Android encryption
More good news—if you’re using a mobile device that was built in the past few years, it should have encryption enabled out of the box. If not, you can follow the directions for iOS encryption here and Android encryption here.
Then, there’s one key step you’ll need to take—password protect your device with a relatively complex passcode. Failing to do so will render any encryption useless.
4. Email encryption
Only one-third of lawyers use email encryption when sending confidential or privileged documents to their clients. The other two-thirds? They exclusively rely on a confidentiality statement to protect sensitive data.
That’s right: If you’re receiving sensitive data from a lawyer, a meaningless block of text is all that’s preventing malicious parties from accessing it.
If you want to level up your email data security, you’re in luck: Most web email providers such as Gmail now include encryption on all messages by default. If you’re an Outlook user, you may need to enable encryption manually depending on which version you’re using. Office 365 users may have to pay an additional surcharge to receive email encryption rights.
For even greater protection, go beyond email encryption with Clio’s legal client portal. Instead of relying on potentially vulnerable inboxes, clients can securely access messages and documents via a protected email link—and once set up, they can log in with Face ID, Touch ID, or fingerprint recognition in the mobile app. By keeping all communications within the portal, you ensure sensitive information stays private, protected, and out of reach from prying eyes.
Ensure your third-party vendors are secure
It’s essential to evaluate the security practices of your vendors. For example, if you use Clio Manage as your practice management software, you can rest assured given its industry-leading security:
- Clio applies both in-transit and at-rest encryption using industry best practices (such as HTTPS and TLS) to ensure your firm’s data is stored and transmitted securely.
- Hosting facilities are audited annually for security certifications (such as SOC 2 and ISO 27001) to ensure Clio’s employing advanced physical security measures such as biometrics, CCTV cameras, and 24×7 on-site security.
- Clio’s web interfaces are verified by DigiCert, a trusted certificate authority.
- With two-factor authentication and login safeguards on offer, it’s no wonder Clio is recommended by 70+ bar associations and law societies.
What comes after learning about law firm data encryption
To recap, these are the steps you need to take to secure your firm’s data:
- Confirm your cloud services utilize HTTPS.
- Encrypt your laptop.
- Encrypt your mobile device.
- Encrypt your email.
When encrypting your devices, we can’t stress this enough: Make sure you use a strong password. A strong password contains more than 12 characters, no dictionary words, and a mix of numbers and upper and lower case letters.
Prioritize working with vendors who are committed to keeping your data safe and secure. See how Clio’s industry-leading security keeps your firm and client data safe.
