

Everything You Need to Know About Protecting Legal Files but Were Afraid to Ask 

— June 21, 2022

Legal files and documents are among the most privileged data items the world has ever seen. Security is not a wish, but a command.

Numerous industries have privacy and confidentiality requirements, and for legal entities, these go back centuries. Today, a majority of, if not all, legal information is in the form of electronic documents and files.

For a multitude of reasons, these legal documents must be completely confidential: lawyer-client privilege, confidential depositions and interviews and gag orders all point to the absolute need for secrecy.

Increasingly, legal files are stored electronically, and keeping them safe is challenging. These documents are constantly sent around via email and transferred from one party to another, and it is during these processes that confidential material is most vulnerable. Minor errors can occur, such as the wrong person receiving the file, or, in a worst-case scenario, a criminal can intercept the file.

How are these files protected when law firms have more to lose than most? Clients and a firm’s good reputation can vanish in a heartbeat. Even worse, if you are a practicing attorney in the US, you can run afoul of the American Bar Association (ABA).

Because legal data is so valuable, the level of threat is so high and relative defenses are so low, law firms need to rapidly scale their ability to defend themselves. 

If you are an attorney or working at a law firm of any size, here are seven issues to be aware of.

  1. Firms are Legally Bound to Secure Files and Documents

File mistakes and interception happen so often the American Bar Association has a rule for such circumstances:

“[2] Paragraph (b) recognizes that lawyers sometimes receive a document or electronically stored information that was mistakenly sent or produced by opposing parties or their lawyers. A document or electronically stored information is inadvertently sent when it is accidentally transmitted, such as when an email or letter is misaddressed or a document or electronically stored information is accidentally included with information that was intentionally transmitted,” the ABA explained. “If a lawyer knows or reasonably should know that such a document or electronically stored information was sent inadvertently, then this Rule requires the lawyer to promptly notify the sender in order to permit that person to take protective measures.”

  2. Why Legal File Security is Crucial

Wouldn’t it be better to avoid file loss and data leakage in the first place? Since COVID led to more and more remote legal work, the chances of a file inadvertently going to the wrong place have multiplied. Lawyers now share and transfer files from home rather than through the central office network. Meanwhile, the days of having a messenger deliver all files in person are gone, and physical files are reserved for certain situations, such as use in the office or in court, and for physical archiving.

Lawyers create massive amounts of files regardless of the size of the case they are working on.  Think about all the stacks of folders or boxes full of physical files accompanying an attorney in the courtroom for an important case. Today, these files all largely exist in digital form as well, where they are not kept secured in a locked room or protected file cabinet.

  3. Email Clearly Not the Answer

Many offices, even large law firms, simply email these files and documents around and too rarely encrypt them. The ABA TECHREPORT analyzed how small law firms and solo practitioners handle document and record management and whether they apply file sharing software to this use. Solo practitioners rarely use such software solutions, with only 37% saying that they did so. The story at small firms was an improvement but not by much; only 55% of these organizations use file transfer or record management software.

The sad fact is that, as insecure as email is, it remains the predominant way confidential files are shared.

Envelopes, representing email, flying across the world from a computer screen; image by ribkhan, via, CC0.

“Email has become the business standard for communication with colleagues and customers. In legal institutions, email can be an efficient and important conduit for conducting attorney-client communications. However, law firms can be caught between a proverbial ‘rock and a hard place’ with regard to this form of correspondence. While clients demand an easier way to work together, it is essential that electronic communication does not lead to security risks: i.e., someone other than the client or privileged third party obtaining confidential documents,” argued an article on “While this may seem obvious, a recent study of law firms’ file sharing processes revealed that a minority of law firms are using security technology to protect electronic communications: email encryption (22%), password-protected documents (14%), use a secure file sharing site (13%).”

Knowing email is vulnerable, 75% of firms simply apply statements of confidentiality rather than lock down their files. “A study by LexisNexis finds that file sharing is an integral part of a law firm’s day-to-day operations. Yet, while firms are keenly aware of the consequences of IT security risks, unencrypted emails, which are merely reinforced by a statement of confidentiality, remain the primary line of defense when sharing confidential files.”

  4. The Credential Theft Concern

According to the ABA, 57% of law firms use Microsoft Outlook as their primary practice management tool. From a practical standpoint, this means that all your most important documents may be stored as attachments in Outlook, and attackers only need to steal login credentials for Microsoft Outlook, usually via phishing, to create a dire breach.

  5. Unpatched Vulnerabilities Lead to File Loss

Patch management can be a problem for any business. With law firms, the problem can have greater consequences. Routine maintenance tasks can remain unfinished for years due to a lack of funding for IT. In the case of Mossack Fonseca – a textbook example of a law firm data breach – unpatched vulnerabilities in WordPress and Drupal made it startlingly easy for attackers to get away with the Panama Papers.

  6. The Problem with Insecure Access Controls

Only 68% of law firms report using mandatory passwords, and only 24% use password management tools. These are dismal figures. Passwords are a defense against attackers, but they’re not necessarily a strong one. The use of password management tools, alongside tools like multi-factor authentication, can greatly reinforce security. But the statistics above suggest that law firms’ passwords are easier to break, multiplying the risk from every other attack vector.

  7. The Need for ABA Compliance

In the wake of multiple successful cyberattacks against law firms, the ABA Standing Committee on Ethics and Professional Responsibility has released Formal Opinion 483. This states that “Lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources and external vendors providing services relating to data and the use of data.” If you are based in the US and do not take proactive steps to monitor and mitigate data breaches, your firm will find itself in trouble with the law’s most powerful governing body.
