Why You Shouldn’t Trust Your Lawyer with Your Most Valuable Information



As law firms continue to be targeted by cyber criminals, those firms must demonstrate to clients that their sensitive data is safe.

Since 2011, the U.S. Government has recognized the tremendous gap in data protection facing the country’s top businesses in nearly every field, and the legal industry is no exception. Law firms, even mid-size and boutique firms, present an appealing target for cyber criminals seeking valuable corporate or personal information. But an even larger threat comes from within the law firm itself.

All too often, law firms have no mechanisms in place to protect access to confidential and proprietary information. Everyone in the firm, from the most senior partner to the lowliest administrative assistant, can access any client data. Worse still, law firms may not be aware of a data breach until years after it occurs, if at all. For example, an associate could have been uploading files to a personal cloud account for years, but without the correct data protection measures in place, the firm would be none the wiser.

Rule 1.6(c) of the Model Rules of Professional Conduct requires that lawyers “…make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The line between reasonable and unreasonable efforts is hard to draw, but making no effort at all is clearly a violation of this rule. Beyond that, there is a multitude of steps that the prudent attorney can take to protect client information.

Controlling access to data, requiring strong passwords, and encrypting the most highly classified information should be the floor. Firms should also consider data loss prevention solutions that allow them to control data egress. A brief evaluation period could expose the senior partners at a firm to a frightening array of insider threats. Even then, protection from insider threats is only one facet of effective data protection for law firms; solutions for protecting against advanced cyber threats, such as spearphishing attacks that employ sophisticated malware, should also be considered by firms that want to show that they’re taking client data security seriously.

As the old adage goes, an ounce of prevention is worth a pound of cure. The only thing more valuable to a client than its funds is its confidential information, and in many cases the same can be said for cyber criminals targeting those clients. Once lost, confidential and proprietary information is not recoupable. Just as attorneys have IOLTA accounts to protect client funds, they should be considering the protection of client data.

Darren Greaney

Pam (not verified) | April 23, 2015 3:25 pm

Informative. Thanks for sharing.
