Why You Shouldn’t Trust Your Lawyer with Your Most Valuable Information



As law firms continue to be targeted by cyber criminals, those firms must demonstrate to clients that their sensitive data is safe.

Since 2011, the U.S. Government has recognized the tremendous gap in data protection facing the country’s top businesses in nearly every field, and the legal industry is no exception. Law firms, even mid-size and boutique firms, present an appealing target for cyber criminals seeking valuable corporate or personal information. But an even larger threat comes from within the law firm itself.

All too often, law firms have no mechanisms in place to protect access to confidential and proprietary information. Everyone in the firm, from the most senior partner to the lowliest administrative assistant, can access any client data. Worse still, law firms may not be aware of a data breach until years after it occurs, if at all. For example, an associate could have been uploading files to a personal cloud account for years, but without the correct data protection measures in place, the firm would be none the wiser.

The Model Rules of Professional Conduct Rule 1.6 (c) requires that lawyers “…make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The delineation between reasonable and unreasonable efforts is a hard one to make, but no effort is clearly a violation of this rule. Beyond that, there is a multitude of steps that the prudent attorney can take to protect client information.

At a minimum, controlling access to data, requiring strong passwords, and encrypting the most highly classified information should be the floor. Firms should also consider data loss prevention solutions, which allow them to control data egress. A brief evaluation period could expose the senior partners at a firm to a frightening array of insider threats. Even then, protection from insider threats is only one facet of effective data protection for law firms; solutions for protecting against advanced cyber threats – such as spearphishing attacks that employ sophisticated malware – should also be considered for firms that want to show that they’re taking client data security seriously.

As the old adage goes, an ounce of prevention is worth a pound of cure. The only thing more valuable to a client than its funds is its confidential information, and in many cases the same can be said for cyber criminals targeting those clients. Once lost, confidential and proprietary information is not recoupable. Just as attorneys have IOLTA accounts to protect client funds, they should be considering the protection of client data.

Darren Greaney

Pam (not verified) | April 23, 2015 3:25 pm

Informative. Thanks for sharing.
