It seems as though every lawyer has a story about a data breach, client information that gets lost forever, or, more commonly, a ransomware attack. It may not have happened to their law firm directly, but the data security issue was law firm adjacent, let’s say. And adjacent is usually way too close for comfort.
Even with these cautionary tales, many lawyers still only take data security seriously after the fact. It’s extremely common to see lawyers who fail to encrypt their sensitive emails, or who still reuse simplistic passwords. Don’t get us started on attorneys who fail to enable two-factor authentication, or those who share client information (usually photos) through text message (MMS).
None of this (or, at least, very little) is because lawyers are lazy. There’s just a finite amount of time in the day. And, in that time, there’s a lot of information out there to distill. Where does one start? How do we separate the wheat from the chaff?
Our lawyer data security resources are here to help. Whether you’re an attorney who hasn’t started their journey, or you’re looking to dive in further, you’re in the right place. This article, and the corresponding resources, will lay out data security practices for lawyers. We’ll explore the basic concepts of data security, why lawyers need to take information protection seriously, and how you can go about protecting yourself and your clients from internal and external issues.
For those of you who need a bit more than just information articles, we do a lot of teaching about data security practices in our Lawyers Lab program and include questions about these issues in our Small Firm Scorecard.
Why Lawyers Need Data Security
Obviously, no professional wants unauthorized third parties to access their data. It doesn’t really matter what sort of business they’re in. Nor do they want to inexplicably lose important business information. But for lawyers, this isn’t just good business practice; the relevant rules of professional conduct generally require it. Put simply, it’s an ethical obligation.
Although the language of the rules of professional conduct can vary by jurisdiction (as you likely know), the resulting obligations are generally the same. For our purposes, then, we’ll use the ABA Model Rules of Professional Responsibility, specifically, Rules 1.6 (Confidentiality) & 1.15 (Safekeeping Client Property).
Confidentiality – Rule 1.6(c)
All of Model Rule 1.6 is relevant to protecting client information; however, for our purposes, section (c) is the most on point. As you can see from the text, lawyers have an obligation to protect their client data from unauthorized third-party access. We can argue over the lengths a lawyer should go to in securing information (which is discussed in Comment ). However, in a general sense, the easier a safeguard is to put in practice, or the more sensitive the information, the more likely it’s required.
Model Rule 1.6(c)
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Safekeeping Client Property
In addition to limiting access to client data, a lawyer must also keep client data safe from unintended destruction. This isn’t always the first thing that a lawyer thinks of in regard to data security. But, since a client file (and the information within) is the client’s property, Model Rule 1.15 applies. Therefore, lawyers have a duty to keep client files safe. This includes protecting them from destruction, loss, corruption, and even loss of access (as in a ransomware attack).
Model Rule 1.15(a)
(a) A lawyer shall hold property of clients or third persons that is in a lawyer’s possession in connection with a representation separate from the lawyer’s own property. Funds shall be kept in a separate account maintained in the state where the lawyer’s office is situated, or elsewhere with the consent of the client or third person. Other property shall be identified as such and appropriately safeguarded. Complete records of such account funds and other property shall be kept by the lawyer and shall be preserved for a period of [five years] after termination of the representation.
Law Firm Data Security Basics
At its core, data security comes down to two, somewhat competing, concepts: limiting access, and conserving information. On one hand, if all we wanted to do was limit access to client information, we could easily just keep paper copies of our information in a locked file cabinet, in a secure room, in a bunker, in the desert. Alternatively, if we were only concerned with ensuring that we didn’t lose data, we’d digitize it, copy it thousands of times, and send it off to various parts of the internet for storage. But we can’t do either of those. We must walk a line between the two ideas.
We can further distill limiting access to data into Authentication and Encryption. Authentication is the process of keeping unauthorized users out of where your data is currently stored. Encryption, meanwhile, is the act of obfuscating the contents of the data even when a party gets access to it.
When most of us think of Authentication, we think of password protection. But authentication can take many forms and varies widely in complexity. We use FaceID to get into our phones, fingerprint scanning to access a 24/7 gym, a physical key to lock our offices, and two-factor authentication (2FA) to view our bank accounts. All of this is intended to validate that an individual (a user) has permission to access where they are going. The level of security should match the importance of the data being secured.
Tools & Tips for Authentication
- Turn on 2FA where available
- Lock your phone with a PIN code
- Require a Password on your Computer
- Use a Password Manager
Encryption, for our purposes, is the act of obfuscating information that an unauthorized user might gain access to. Generally, one party will use a cipher to encrypt a file, an email, or other information, and a second user will decrypt that file before viewing it. For law firm data security purposes, we use this encryption in two distinct places: when the data is at-rest, and while it is in-transit. As you’ll see below, we utilize different mechanisms to protect our data in these separate places.
1. Data at-rest
Data at-rest refers to client information while it is just sitting somewhere—anywhere, really. It can be on your computer, in a cloud server, on your phone, or in your Law Practice Management System. More importantly, it can be in all of those places at once. And if it’s confidential or sensitive information (i.e. Client Data, PHI, SSNs, etc.), you need to protect it in all of those places.
Tools & Tips to protect data at-rest
- Limit User access to files
- Encrypt Sensitive Files
- Encrypt Folders that contain Client Data
2. Data in-transit
Data in-transit is information moving over your local network, or across the internet at large. Although you should always encrypt sensitive files at the file level (as above), the channel over which the data is travelling should also be encrypted. Think of it as an outer shell of protection around the “tube” your information is travelling through.
Tools & Tips for Protecting Data in-Transit
- Use SSL/TLS when transferring information (HTTPS websites)
- Use a VPN whenever you are on a public network
- Encrypt the contents and attachments of sensitive email.
In addition to maintaining the confidentiality of our client files, lawyers must also maintain their integrity. This means not losing or corrupting the data, whether through unplanned deletion or simply losing access.
In law firm data security, protecting the integrity of your client information takes two forms, for the most part. But both of those break down to simply creating copies of your data and storing them in thoughtful places. Although you can store them in as many places as you would like (provided they are secure), you’ll want to at least maintain a local backup and an off-site backup.
Tools & Tips for Data Integrity
- Maintain a local, real-time backup
- Use an off-site backup
- Periodically test your backups