Data Security and Privacy Implications in Law Firms

By Madison Blevins

With a world ever changing with new technological advances and breakthroughs, it comes as no surprise that with these advances come new security concerns and challenges.[1] Important work product, information, and confidential client data are now available at many firms in a convenient digital location.[2] Clients and attorneys alike want to be able to have quick access to their information and be able to work efficiently from anywhere necessary.[3] Additionally, with the COVID-19 pandemic, Zoom and digital copies of important and secure files became prevalent nationwide. However, with the ease and upsides of the ability to access most hard files online also comes serious security and privacy implications.[4] Over the years, law firms have become “prime targets for cybercriminals seeking to steal, expose, sell, or otherwise extort confidential information.  Both the digitalization of law firms’ sensitive documents and the increase in means available to perpetrate an online crime exacerbate these risks.”[5]

These privacy issues can be troubling for law firms, since there is often not a wide regulatory scheme within a private firm like there might be in a government agency, and these data breaches can be committed by both internal and external actors.[6] Examples of issues that law firms should be specifically aware of include data breaches, ransomware, phishing, cyberthreats, and encryption issues.[7] Despite these concerns, there are concrete steps firms are able to take to combat data security breaches.[8]

These data security breaches, as noted above, became increasingly concerning with the rise of COVID and remote work over the last year and a half.[9] Heightened security risks came with the move to virtual work as many law firms completely went remote, and confidential client data moved online with them.[10] Although it was, in many cases, completely necessary that these client files and other secure and confidential information be moved to the virtual space instead of only physically in offices, a majority of firms in late 2020 were not using all of the prevention measures available to them.[11]  While there are many safety measures available such as file encryption, email encryption, whole/full disk encryption, two-factor authentication, intrusion prevention, intrusion detection, remote device management and wiping, device recovery, web filtering, employee monitoring, and biometric login, there is a rather poor showing across the board for these measures.[12] In short, less than half of the respondents in the 2020 ABA Legal Technology Survey Report used the above precautions, with use greatly declining as the list goes on.[13]

Moreover, there are ethical concerns associated with cybersecurity.[14] Lawyers must take reasonable efforts to ensure that a data breach has not occurred or to detect an intrusion, and a lack of this reasonable effort constitutes an ethical violation.[15] To reflect preparation and best practices, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.[16]

While it may be burdensome and take more time, effort, and money to implement these procedures, client security and data privacy should be a key concern of all firms. As the law firm Grubman Shire Meiselas & Sacks has seen, when there are confidential data breaches (especially with high profile clients), there is a price to pay, and law firms can feel the repercussions firsthand.[17]

In conclusion, the world of technology brings many advantageous results to law firms and clients alike, but the ethical and practical concerns of these technological advances need to be taken seriously in private practice.[18] Without a common regulatory scheme or participation in accessible prevention techniques, law firms could find themselves in hot water over data security and privacy concerns.[19]

[1] See generally Teresa Matich, 2021 L. Firm Security Guide: How to Keep Your L. Firm Secure, Clio (Oct. 1, 2021, 9:38 AM), https://www.clio.com/blog/data-security-law-firms/ (discussing how technological concerns relate to private firms).

[2] See id.

[3] See id.

[4] See Dr. Nick Oberheiden, 5 Cybersecurity Risks and 3 Obligations for Law Firms, XI Nat. L. Rev. 274 (2021).

[5] Id.

[6] Id.

[7] Id.

[8] John G. Loughnane, 2020 Cybersecurity, ABA Techreport 2020, (Oct. 1, 2021, 9:46 AM), https://www.americanbar.org/groups/law_practice/publications/techreport/2020/cybersecurity/.

[9] Experts Warn Lawyers of Cyber Risks to Remote Work, American Bar Association, (Oct. 1, 2021, 9:48 AM), https://www.americanbar.org/news/abanews/aba-news-archives/2020/03/cyber-risks-to-working-remote-b/.

[10] Id.

[11] See Loughnane, supra note 8.  

[12] See id.

[13] Id.

[14] Id.

[15] Id.

[16] Id.

[17] See Loughnane, supra note 8; Vincent Mislos, REvil Hackers Threaten to Expose Secrets of LeBron James, Nicki Minaj in Crypto Ransom, International Business Times, (Oct. 1, 2021, 9:53 AM), https://www.ibtimes.com/revil-hackers-threaten-expose-secrets-lebron-james-nicki-minaj-crypto-ransom-3000366.

[18] See Oberhedien, supra note 4.

[19] See id.

Image Source: https://www.managedsolution.com/wp-content/uploads/2018/09/Data-Security-vs.-Data-Privacy-Why-it-Matters.jpg