Law Firm Data Security: Ethics and Risk Mitigation


Lawyers need to protect their clients’ sensitive information, but ensuring data security at a law firm comes with real challenges and risks. Data security is also everyone’s responsibility at a law firm, not just the IT department’s.

From increasingly sophisticated cybercriminals to a rise in using mobile devices due to remote work, keeping data secure can feel like a fine balance for legal professionals, but the right strategies, safeguards, and tools can go a long way to reducing your risk of a data breach.

With this in mind, we’ve put together a guide to the essential things you need to know about law firm data security in 2023—from the ethical considerations surrounding law firm data security to effective risk mitigation strategies to safeguard client data.

What is a law firm’s data security risk?

Failing to keep data secure is more than just a huge risk for you and your firm—it can also have incredibly negative consequences for your clients, who trust you with their confidential information and data.

To hackers and criminals, law firms are remarkably interesting. Valuable information—that may include trade secrets, intellectual property, merger and acquisition details, personally identifiable information (PII), and confidential attorney-client-privileged data—attracts the ill-intentioned to your firm.

In addition to outside parties aiming to compromise law firm data, it’s also important to remember that user error can also lead to data security risks. Verizon’s 2023 Data Breach Investigations Report, for example, found that “74% of breaches involved the human element, which includes social engineering attacks, errors, or misuse.”

Whatever the challenges, law firms are obligated to protect their clients’ information. If criminals penetrate your firm’s security, the consequences can be extensive—ranging from minor embarrassments to serious legal issues, including:

  • Compromised communications due to phished or compromised email accounts
  • Inability to access firm information due to ransomware (i.e., where hackers encrypt files and demand money to restore access)
  • Public leaks of personal or business information (e.g., on social media)
  • Loss of public and client trust in your firm
  • Malpractice allegations and lawsuits

What are your ethical and regulatory obligations?

Ethically (and professionally), it’s your duty to protect client data and to disclose your error if a breach does occur. 

According to the American Bar Association (ABA) Rule 1.6 (c): Confidentiality of Information, lawyers should “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” 

Additionally, the ABA has released several Ethics Opinions (such as “Securing Communication of Protected Client Information,” “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack,” and “Virtual Practice”), which provide guidance for lawyers on how to address cyber security. 

Moreover, the legal obligation for law firms to protect private data continues to grow. As outlined in Forbes, a September 2, 2022 decision by the U.S. Federal Appeals Court means that the requirements for class-action suits over data breaches are loosening, and “no longer require proof of actual harm.”

Risk mitigation

To comply with your professional obligations and ABA standards, you must make reasonable efforts to protect your law firm’s data. Some key strategies for mitigating data security risk for law firms include:

  • Implementing a cyber security plan. This can also include a documented technology policy (which may outline best practices for things like remote access, email, and social media). You can learn more about developing a cyber security policy and incident response plan at your firm in our post on cyber security for law firms.
  • Securing your mobile devices. Using mobile devices securely is about more than simply not shouting private information into your phone while in a busy coffee shop. From strong password protection to multi-factor authentication, there are multiple steps lawyers can take to help secure their mobile devices.
  • Improving communication practices through email. Standard email can be especially vulnerable to data breaches, but there are ways to help lessen the risk. Learn more in our post on how lawyers should use email to communicate.
  • Vetting legal tech providers. There’s a seemingly endless array of tech options for lawyers, but not all are created equal. It’s your responsibility to protect your firm and client data, so be sure to vet any potential tech tools and providers for their security before using them. This Cloud Due Diligence Checklist can be a helpful starting point when evaluating cloud tech providers.
  • Implementing strong technical safeguards. One of the best ways to mitigate risk and help protect data is to put technical safeguards—such as user authentication requirements and limited user access—in place. 
  • Practicing ongoing training and awareness. Hackers and cybercriminals are constantly finding new ways to put law firm and client data at risk, so it’s important that lawyers keep up-to-date on data security and cyber security with regular training. When hired at the firm and then ideally at least once a year, if not more often, staff and lawyers should take part in data security training, which could also include data privacy CLEs. It may also be beneficial to consider getting your firm ISO 27001 certified.

It’s also your ethical obligation as a lawyer—according to ABA Model Rule 1.1 Competence, Comment [8], lawyers “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology….” 

You’ll also want to keep these ethical responsibilities and best practices in mind when adding legal technology to your firm’s toolkit. In many cases, legal technology can help you meet your regulatory obligations by better protecting your data, and therefore client data, via streamlined processes (with less room for manual error), enhanced security infrastructure, and encryption.

For more topics like this, be sure to check out our cybersecurity hub.

HIPAA, GDPR, CCPA, SHIELD, and state-specific breach notification laws

Data security laws can vary with location. It’s your firm’s responsibility to understand your legal responsibilities in the event of a breach.

HIPAA: HIPAA, a federal law, requires health care providers and their “business associates” to protect PHI (protected health information) from inadvertent disclosure. Since law firms handling PHI on behalf of health care clients are considered business associates, they must comply with HIPAA when doing so. Check out our blog post on understanding HIPAA compliance for more information.

GDPR: To help address global needs for enhanced data security, in 2018, Europe introduced a unified data protection law, the General Data Protection Regulation (GDPR). GDPR—which strives to unify the regulatory environment for businesses handling personal data—requires enhanced protection of personal data belonging to EU individuals. While GDPR is primarily enforced against firms in Europe, its regulations could affect your firm if you handle EU individuals’ data, so it may be a good idea to learn more about GDPR.

CCPA: In 2020, the state of California introduced the California Consumer Privacy Act (CCPA), which strives to mirror the GDPR and requires enhanced protection of personal data for California residents. 

SHIELD: Similarly, New York has introduced the Stop Hacks and Improve Electronic Data Security Act (SHIELD), which requires any business in possession of the personal data of New York residents to implement “reasonable” security safeguards. The SHIELD Act also enhanced New York’s existing data breach notification requirement (already one of the strictest in the United States).

Learn more about state-specific data breach notification requirements.

What to do if your law firm is hacked 

Of course, no one wants to believe their law firm could be hacked. Unfortunately, because of the valuable documents lawyers keep on hand, law firms are prime targets—in fact, according to the ABA’s 2022 Legal Technology Survey Report, 27% of law firms have suffered a security breach. Hackers might have the intent to steal your clients’ data to sell it off to third parties. Or, in rarer cases, they could opt to hold the information hostage until a ransom is paid. 

Your firm should have an incident response plan (IRP) for these situations, even though you hopefully will never have to use it. The list below is a good starting point when it comes to creating an IRP checklist:

  • Contain the damage and begin any recovery protocol. 
  • Connect with a data breach expert.
  • Notify your insurance provider (and if you don’t already have cyber security insurance, check out our post on cyber security insurance for law firms). 
  • Report the incident to law enforcement.
  • Ensure all third parties are notified. 
  • Make compliance a top priority. 

It’s important to review and update your IRP regularly to avoid making a bad situation worse. You can also run your checklist by an IT consultant, as they might have additional recommendations.

Tools to make law firm cyber security simpler

Even if you know that data security is vitally important to your law firm, there’s still the potential for you to overlook something, especially if you handle a lot of data. After all, the majority of lawyers are working overtime to get everything done—according to the 2022 Legal Trends Report, 86% of lawyers report working outside of regular business hours—which means important issues like data security could potentially slip through the cracks.

Luckily, in an era where some technology can instill fear, you can also use tech to combat risk and make it easier to protect your firm’s data. As the ABA’s Technology Survey Report outlines, most of today’s law firms use a variety of tools to help protect data, including spam filters (84%), software firewalls (79%), mandatory passwords (74%), anti-spyware (73%), and email virus scanning (72%).

Here are a few more tools to consider:

Signal: For safer communication

Communication is key, but sending unprotected messages can put data at risk. The Signal app—which is available for Android, iPhone, or your desktop computer—lets you send secure, high-quality, end-to-end encrypted communications (including group, text, voice, video, document, and picture messages) anywhere in the world.

For an added element of security, you can also set your messages to disappear after a specified interval of time—eliminating the risk of your messages ever being read without your consent in the future.

Another bonus? Signal is free.

There are plenty of other communication options in the Clio App Directory as well. As a reminder, law firms should always do their own due diligence and choose a tool that is best for their firm’s needs.

Trustifi: For email encryption

Emails are a prime target for cyber attacks, with ransomware cases threatening devastating consequences for law firms and their clients. Trustifi, which integrates with Clio, is an email encryption security solution that lets you track, postmark, and encrypt your email communications in a click.

LastPass: For password management

Weak or stolen passwords are a prime point of entry for data breaches, which makes a password management tool key for law firms—in fact, 32% of law firms now use a password management tool, according to the ABA’s 2022 Technology Survey Report.

LastPass helps eliminate password reuse, while its zero-knowledge security model helps keep data safe.

Box: For document protection

Lawyers work with sensitive documents every day, and, unfortunately, documents are prime targets for cyber criminals. Box, which syncs seamlessly with Clio, helps you protect your law firm’s documents and minimize risk of data loss with multiple layers of encryption and access controls.

Clio: For safer legal software solutions

Clio’s legal software takes protecting your clients’ information (and your firm’s data) seriously, with security measures designed to help you stay safe and compliant.

Clio’s advanced product features and controls work to secure your data, through features like:

  • Role-based permissions: Visibility into sensitive case information is restricted to specific users at your firm.
  • Password policies: Clio’s password policy settings allow you to enforce strong passwords and regular password resets at your firm.
  • Session/Activity tracking: By logging the IP address of every login to your account, Clio helps you keep an eye out for suspicious account activity.
  • Two-factor authentication: Enhance login security by verifying user identities via their mobile device.
  • Login safeguards: Is someone trying to guess your login? Clio locks your account for some time—automatically—after too many failed login attempts. A secure client portal also keeps communications encrypted and secure.
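To make two of the safeguards above concrete, here is an added illustration of the logic behind them. This is example code written for this article, not Clio’s implementation: the lockout threshold, the lockout duration, the role names, the user names and the IP addresses are all assumed or constructed for the demo. It shows a login guard that locks an account for a cooldown period after too many failed attempts, records the source IP of every login so logins from a never-before-seen address can be flagged for review, and restricts sensitive matters to specific roles.

```python
"""Added example: account lockout, per-login IP logging and role-based visibility.

Not Clio's code. Thresholds, roles, users and addresses are assumed/constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

MAX_FAILED_ATTEMPTS = 5                 # assumed threshold, not a Clio setting
LOCKOUT_SECONDS = 15 * 60               # assumed cooldown, not a Clio setting
SALT = b"constructed-demo-salt"         # constructed; real systems use a random per-user salt


def hash_password(password: str) -> bytes:
    """Slow, salted hash so a leaked database cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


@dataclass
class Account:
    username: str
    password_hash: bytes
    roles: Set[str]
    failed_attempts: int = 0
    locked_until: float = 0.0
    # (timestamp, source IP, outcome) for every attempt, successful or not
    login_log: List[Tuple[float, str, str]] = field(default_factory=list)


class LoginGuard:
    def __init__(self, accounts: Iterable[Account]) -> None:
        self.accounts: Dict[str, Account] = {a.username: a for a in accounts}

    def attempt_login(self, username: str, password: str, source_ip: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'. `now` is a Unix timestamp."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"                      # same answer as a bad password: no user enumeration
        if now < acct.locked_until:
            acct.login_log.append((now, source_ip, "blocked"))
            return "locked"                      # still cooling down, even if the password is right
        if hmac.compare_digest(hash_password(password), acct.password_hash):
            acct.failed_attempts = 0
            acct.locked_until = 0.0
            acct.login_log.append((now, source_ip, "success"))
            return "ok"
        acct.failed_attempts += 1
        acct.login_log.append((now, source_ip, "failure"))
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0             # a fresh run of failures is needed after the cooldown
            return "locked"
        return "denied"

    def can_view_matter(self, username: str, matter_sensitive: bool) -> bool:
        """Role-based visibility: only partners/admins see sensitive matters (assumed roles)."""
        acct = self.accounts.get(username)
        if acct is None:
            return False
        if not matter_sensitive:
            return True
        return bool(acct.roles & {"partner", "admin"})


def new_ip_logins(acct: Account) -> List[Tuple[float, str]]:
    """Successful logins from an IP not previously seen on this account (review candidates)."""
    seen: Set[str] = set()
    flagged: List[Tuple[float, str]] = []
    for ts, ip, outcome in acct.login_log:
        if outcome == "success" and ip not in seen:
            if seen:                             # the very first login is not "new" relative to anything
                flagged.append((ts, ip))
            seen.add(ip)
    return flagged


def run_demo() -> dict:
    """Constructed scenario: brute-force attempts, lockout, recovery, then a login from a new IP."""
    guard = LoginGuard([
        Account("associate", hash_password("correct horse"), {"associate"}),
        Account("partner", hash_password("battery staple"), {"partner"}),
    ])
    t = 1_700_000_000.0
    results = [guard.attempt_login("associate", "wrong", "203.0.113.5", t + i) for i in range(5)]
    while_locked = guard.attempt_login("associate", "correct horse", "203.0.113.5", t + 10)
    after = guard.attempt_login("associate", "correct horse", "203.0.113.5", t + 10 + LOCKOUT_SECONDS)
    guard.attempt_login("associate", "correct horse", "198.51.100.7", t + 20 + LOCKOUT_SECONDS)
    return {
        "results": results,                      # ['denied']*4 + ['locked']
        "while_locked": while_locked,            # 'locked' even with the right password
        "after": after,                          # 'ok' once the cooldown has passed
        "new_ip": new_ip_logins(guard.accounts["associate"]),
        "assoc_sensitive": guard.can_view_matter("associate", True),
        "partner_sensitive": guard.can_view_matter("partner", True),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noticing. Unknown users get the same “denied” answer as a wrong password, so the login form does not reveal which usernames exist. And the lockout is enforced before the password is checked, so guessing continues to be blocked during the cooldown even if the guess happens to be right.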

Final thoughts on ethics and risk mitigation

While there’s no foolproof way to totally eliminate the risk of a data breach at your law firm, there are plenty of steps that you can—and, in order to meet your ethical obligations, should—take to reduce the risk and help keep client and firm data safe and secure. 

Start by understanding the data security rules that apply to your jurisdiction, then take steps to ensure you can stay compliant. Once you have a plan in place, look for secure tech tools that can help make it easier to keep data secure, with less human error. 

Though law firm data security continues to evolve, by proactively protecting firm data and staying on top of training and new learnings in the space, you can help keep client information safe—effectively building trust and best serving your clients.

Learn more about Clio’s industry-leading security.
