Back to Top

Part of the ‘Lawyerist Healthy Law Firm’

Learn more

Chapter 3/6

Understanding Legal Tech With Sound Ethics and Data Security

Legal Tech

4 min read

Understanding Legal Tech: Ethics and Law Firm Data Security

It is easy to get overwhelmed with all the technology we’ve discussed in the previous chapters. It’s one thing to understand that your office could benefit from tech, but it’s another to understand how and when to use it. On top of this, your office will need to use tech safely, and implement thoughtful law firm data security.

In this chapter, we’ll discuss the basic tech competencies you’ll need to run your firm. We’ll talk about data and information security for your law firm, automation concepts, knowledge management ideas, and communication concerns. We’ll discuss ethical considerations when using technology and client expectations in the modern law firm.

Tech Competencies

Lawyers’ basic technology competencies can be broken into four main categories: (1) automation, (2) knowledge management, (3) communication, and (4) data security. You don’t, however, need to understand these on a graduate level. A deeper knowledge of these principles will likely yield positive results. But, our client expectations and ethical standards generally only need a basic level of understanding.

Automation Basics

Automation comes in many forms. Automation can send email responses when you’re on vacation or effortlessly direct unwanted email to your junk folder. It can create and send an engagement letter the moment you accept a new client or it can brew coffee for you at 6:00 am every morning. The combinations and assistance of automation are endless and can become quite complex.

At its core, however, automation is a combination of a trigger and an action. If (or when) a particular event occurs, a specific action is taken (or not taken). It’s that simple. The difficulty is in finding an application that will recognize your event as a trigger and one that will execute your action.

Knowledge Management

Knowledge management, for lawyers, is really about the organization of information (and the data security surrounding it, but we’ll go into that later). It is how you store your client files, how you keep information about your matters, and even how and where you document the systems and processes of your organization.

The goals of knowledge management are to balance quick and efficient access to information with secure and appropriate security for that data. Using consistent file structure and naming conventions, we want to make sure the right people can find the right information.

This can be as simple as a well-curated OneDrive. But some organizations find a need for meta-data, optical character recognition (OCR), and a higher degree of user restrictions. Additionally, some organizations have information or knowledge that doesn’t exist in discrete files. In these cases, a database might be used to organize and store specific reusable clauses for contracts or information about which clerks prefer which standardized documents.


Although it may not always seem like it (Hello, fax machines!) lawyers want to use the best method of communication for the job. We make phone calls when necessary, email in the right circumstances, and even text clients non-confidential information. But with so many methods of communication out there, how do we keep track of which to use? More importantly, how do we know which are safe for our law firm to use from an information security standpoint?

For our purposes, this last question is the most important. More than anything, data security should drive a lawyer’s choice of communication methods. The more sensitive, confidential, or privileged a communication, the more secure the method of communication should be.

More than anything, data security should drive a lawyer’s choice of communication methods.

Luckily, there is a distinction between certain methods of communication. When we’re looking to communicate securely, both sides of the conversation, and any area in between, to be encrypted. This is commonly referred to as end-to-end encryption (E2EE). If one side or one portion of the conversation is not encrypted, then it is not secure. Client portals that use secure transfer (SSL) and specifically encrypted (on both sides) email and text messages are advisable for any sensitive communications. 

Data Security

Law firm data security is about restricting access to information and ensuring that information is encrypted for anyone without access. In order to do this, we use storage facilities that encrypt data while it is in their possession—encrypted at rest. And we use methods of transfer that encrypt the data while it goes from place to place—encrypted in transit.

Once we do this, we need to confirm that only authorized users can access the unencrypted information. This is the most important part of the data security equation for law firms and the part on which lawyers are often apathetic. 

The first step toward restricting access is requiring and using strong passwords for each user. Password managers like LastPass, Dashlane, and 1Password can create and secure strong passwords.

Any person can lose their password or fall victim to a phishing attack. The next step toward law firm data security is to require two-factor (or multi-factor) authentication anywhere your office stores sensitive information. Although this will occasionally create an additional step to log in, the added level of security will prevent potential breaches.

The Ethics of Technology Competency

Some states still do not have a duty to maintain competency in technology as a specific rule of professional conduct. But we can easily argue that it already exists in any set of rules. Maintaining the security and integrity of your client files, and a certain amount of tech competency is inherent to compliance with the rules.

The rules, like in ABA Model Rule 1.6(c), usually require a lawyer to act “reasonably.” But, what is reasonable one year may be considered antiquated and insecure the next.

Go Deeper: Podcast Episode #332

The Modern Lawyer: Ethics and Technology, with Megan Zavieh

Listen to Episode

Client Expectations

Our technology competencies should also be driven by our client expectations. Prior to 2020, many clients were reluctant to meet with their lawyers via video conferencing. Now, virtual communication is considered the norm. Often, clients expect a higher degree of communication or even a secure client portal where they can track their matters. 

Although we don’t want our clients’ expectations to completely dictate our practices, law firms should consider their needs. As clients expect more control over their matters, we may consider incorporating self-serve offerings into our practice or educational opportunities for our clients.

We’ve covered what you should know about basic law firm data security and your professional responsibility to understand technology. Let’s move to the fun—and sometimes intimidating—step: choosing your tech.