Back to Top

Part of the ‘Lawyerist Healthy Law Firm’

Learn more

Chapter 3/6

Understanding Legal Tech With Sound Ethics and Data Security

Legal Tech

4 min read

Understanding Legal Tech: Ethics and Law Firm Data Security

It is easy to get overwhelmed with all of the technology we’ve discussed in the previous chapters. It’s one thing to understand that your office could benefit from tech, but it’s another to understand how and when to use it. We also want to make sure we’re using these platforms ethically and securely.

In this chapter, we’ll discuss the basic tech competencies you’ll need to run your firm. We’ll talk about data and information security for your law firm, automation concepts, knowledge management ideas, and communication concerns. We’ll discuss ethical considerations when using technology and client expectations in the modern law firm.

Tech Competencies

For lawyers, your basic technology competencies can be broken into four main categories: (1) automation, (2) knowledge management, (3) communication, and (4) data security. You don’t, however, need to understand these on a graduate level. Although a deeper knowledge of these principles will likely yield positive results, our client expectations and ethical standards generally only need a basic level of understanding. 

Automation Basics

Automation comes in many forms. Automation can send email responses when you’re on vacation or effortlessly direct unwanted email to your junk folder. It can create and send an engagement letter at the moment you accept a new client or it can brew coffee for you at 6:00 am every morning. The combinations and assistance of automation are endless and can become quite complex.

At its core, however, automation is a combination of a trigger and an action. If (or when) a particular event occurs, a specific action is taken (or not taken). It’s that simple. The difficulty is in finding an application that will recognize your event as a trigger and one that will execute your action.

Knowledge Management

Knowledge management, for lawyers, is really about the organization of information (and the data security surrounding it, but we’ll go into that later). It is the way in which you store your client files, how you keep information about your matters, and even how and where you document the systems and processes of your organization.

The goals of knowledge management are to balance quick and efficient access to information with secure and appropriate security of that data. Using consistent file structure and naming conventions, we want to make sure the right people can find the right information. 

Although this can be as simple as a well-curated OneDrive, some organizations find a need for meta-data, optical character recognition (OCR), and a higher degree of user restrictions. Additionally, some organizations have information or knowledge that doesn’t exist in discrete files. In these cases, a database might be used to organize and store specific reusable clauses for contracts or information about which clerks prefer which standardized documents.


Although it may not always seem like it (Hello, fax machines!) lawyers want to use the best method of communication for the job. We make phone calls when necessary, email in the right circumstances, and even text message our clients non-confidential information. But with so many methods of communication out there, how do we keep track of which ones to use? More importantly, how do we know which ones are safe for our law firm to use from an information security standpoint?

For our purposes, this last question is the most important. More than anything, data security should drive a lawyer’s choice of communication methods. The more sensitive, confidential, or privileged a communication is, the more secure the method of communication should be.

More than anything, data security should drive a lawyer’s choice of communication methods.

Luckily, there is a distinct difference between certain methods of communication. When we’re looking to communicate securely, we want both sides of the conversation, and any area in between, to be encrypted. This is commonly referred to as end-to-end-encryption (E2EE). If one side, or one portion of the conversation is not encrypted, then it is not secure. Client portals that use secure transfer (SSL) and specifically encrypted (on both sides) email and text messages are advisable for any sensitive communications. 

Data Security

Law firm data security is about restricting access to information and ensuring that the information is encrypted for anyone without access. In order to do this, we use storage facilities that encrypt data while it is in their possession (encrypted at rest), and methods of transfer that encrypt the data while it goes from place to place (encrypted in transit). 

Once we do this, we need to confirm that only authorized users can access the unencrypted information. This is the most important part of the data security equation for law firms and the part on which lawyers are often apathetic. 

The first step toward restricting access is requiring and using strong passwords for each user. Password managers like LastPass, Dashlane, and 1Password can help create and secure strong passwords.

Since any person could potentially lose their password or fall victim to a phishing attack, the next step toward law firm data security is to require two-factor (or multi-factor) authentication anywhere your office stores sensitive information. Although this will occasionally create an additional step to log in, the added level of security will prevent potential breaches.

The Ethics of Technology Competency

Although some states still do not have a duty to maintain competency in technology as a specific rule of professional conduct, it can easily be argued that it already exists in any set of rules. Whether it’s providing appropriate pricing for your services, maintaining the security and integrity of your client files, or advocating for your client, a certain amount of tech competency is inherent to compliance with the rules.

The rules, like in ABA Model Rule 1.6(c), usually require a lawyer to act “reasonably.” But, what is reasonable one year may be considered antiquated and insecure the next.

Go Deeper: Podcast Episode #332

The Modern Lawyer: Ethics and Technology, with Megan Zavieh

Listen to Episode

Client Expectations

Our technology competencies should also be driven by our client expectations. Prior to 2020, many clients were reluctant to meet with their lawyers via video conferencing. Now, virtual communication is considered the norm. Often, clients expect a higher degree of communication or even a secure client portal where they can track their matters. 

Although we don’t want our client expectations to completely dictate our practices, law firms should consider their needs. As clients expect more control over their matters, we may consider incorporating self-serve offerings into our practice or educational opportunities for our clients.

Now that we’ve covered what you should know about tech, let’s move to the fun—and sometimes intimidating—step: Choosing your tech.