Protecting Your Law Firm’s Data


Securing your law firm’s data entails both preserving and limiting access to it.

Limiting Access

This entails both authentication – keeping unauthorized users from accessing your firm’s data – and encryption – preventing unauthorized users who do access your data from reading it.


Authentication takes many forms: the code you have to enter to withdraw money from an ATM, the two-factor authentication (2FA) needed to view your bank account online, the ID card you have to swipe to gain entrance to your office building, etc. Each of these confirms that the user has permission to access the information or location they’re attempting to access.

Tools & Tips for Authentication

  • Turn on 2FA where available
  • Lock your phone with a PIN code
  • Require a strong password on your computer
  • Use a Password Manager, so you don’t have to memorize or write down your strong password.


To make information unreadable to an unauthorized user who might gain access to it, the sending party generally encrypts it with a cipher, and the recipient(s) decrypt it to view it. Further, data has to be encrypted both when it’s at-rest and while it is in-transit.

1. Data at-rest

Data at-rest refers to data that is ‘sitting’ on your computer, phone, cloud server, practice management system, etc. It may even be in all of those places at once. If it’s confidential or sensitive information – client data, PHI, SSNs, etc. – you have to protect it in all of those places.

To protect data at-rest:

  • Limit User access to files
  • Encrypt Sensitive Files
  • Encrypt Folders that contain Client Data

2. Data in-transit

Data in-transit is moving over your local network, or across the internet. Encrypting it will thwart any party that intercepts it.

To protect data in-transit:

  • Use SSL/TLS when transferring information (HTTPS websites)
  • Use a VPN whenever you’re on a public network, e.g., using your laptop at Starbucks or the airport
  • Encrypt the contents and attachments of sensitive emails.

Information Integrity

In addition to maintaining the confidentiality of client files, lawyers must also maintain their integrity. This means being able to recover the data, uncorrupted, if it is stolen, lost or accidentally deleted.

This entails copying your firm’s data and storing it in one or more secure places that are easy for you to access (but hard for unauthorized users to access). You should maintain at least two backups: one local, e.g., a thumb or flash drive, and one off-site, e.g., a cloud storage facility.

To maintain data integrity:

  • Maintain a local, real-time backup
  • Use an offsite backup
  • Periodically test your backups
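
One way to test a backup is to compare every live file against its backed-up copy by SHA-256 hash, which catches both files that were never copied and copies that were silently corrupted. The script below is an added example, not part of the original article; the folder names and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large case files do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare every file under `source` with its copy under `backup`."""
    report = {"ok": [], "missing": [], "mismatch": []}
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source)
        copy = backup / rel
        if not copy.is_file():
            report["missing"].append(rel.as_posix())    # never backed up
        elif sha256_of(copy) != sha256_of(src_file):
            report["mismatch"].append(rel.as_posix())   # copy differs from live file
        else:
            report["ok"].append(rel.as_posix())
    return report


def demo() -> dict:
    """Build a constructed client folder and a deliberately damaged backup."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp, "client_files"), Path(tmp, "backup")
        for root in (source, backup):
            (root / "smith").mkdir(parents=True)
        files = {"smith/retainer.txt": b"retainer agreement",
                 "smith/discovery.txt": b"discovery notes",
                 "intake.txt": b"intake form"}
        for rel, data in files.items():
            (source / rel).write_bytes(data)
            (backup / rel).write_bytes(data)
        # Simulate silent corruption of one copy and one file that was skipped.
        (backup / "smith/discovery.txt").write_bytes(b"discovery n0tes")
        (backup / "intake.txt").unlink()
        return verify_backup(source, backup)


if __name__ == "__main__":
    print(demo())
```

A file edited after the backup ran also shows up as a mismatch, so run the check right after a backup completes, or against a copy restored from the backup to a scratch folder.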


What You Need to Know About Data Security for Law Firms

How to Protect Legal Clients’ Confidential Data | Digital Guardian

How to Close Your Law Firm’s Cybersecurity Gaps & Protect Client Data

FBI Internet Crime Complaint Center

ABA Model Rules Require Lawyers to Protect Client Data

Lawyers’ Duty to Prevent A Data Breach

No business wants to lose its operating, financial, and customers’ data. But for lawyers, preventing such a loss isn’t just a good business practice; it’s an obligation under the rules of professional conduct, i.e., an ethical obligation.

In Why Lawyers need Data Security, the Lawyerist blog cites the ABA Model Rules of Professional Responsibility, Rules 1.6 (Confidentiality) & 1.15 (Safekeeping Client Property):

Confidentiality – Rule 1.6(c)

All of Model Rule 1.6 is relevant to protecting client information, but section (c) is the most on-point. Lawyers have an obligation to protect their client data from unauthorized third-party access. The lengths a lawyer should go to do this are debatable (it’s discussed in Comment [18]). However, the easier the practice, or the more sensitive the information, the more likely it’s required.

Model Rule 1.6(c)

(c)  A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

Safekeeping Client Property (Rule 1.15)

In addition to limiting access to client data, a lawyer must also keep client data safe from unintended destruction. This isn’t always the first thing that a lawyer thinks of in regard to data security. But, since a client file (and the information within) is the client’s property, Model Rule 1.15 applies. Therefore, lawyers have a duty to keep client files safe. This includes destruction, loss, corruption, and even loss of access (a ransomware attack).

Model Rule 1.15(a):

(a) A lawyer shall hold property of clients or third persons that is in a lawyer’s possession in connection with a representation separate from the lawyer’s own property. Funds shall be kept in a separate account maintained in the state where the lawyer’s office is situated, or elsewhere with the consent of the client or third person. Other property shall be identified as such and appropriately safeguarded. Complete records of such account funds and other property shall be kept by the lawyer and shall be preserved for a period of [five years] after termination of the representation.

The Blanch Law Firm also cites ABA Model Rule 1.1 and ABA opinions:

The ABA issued formal opinion 483 in October, 2018. It found that Model Rule 1.1 – which required duty of competence in the representation of a client (which includes legal knowledge, skill, thoroughness, and preparation) – imposes a mandate on the attorney to have a level of competence, not only in the areas of law but in the technology that it requires in order to provide the legal service to the client. 

In Opinion 95–398, the American Bar Association held that attorneys can and may be held liable for data breaches based upon hacking.   

That opinion is based on ABA Model Rules 1.4; 1.6; and 5.3. It concluded that the attorney has an ethical duty to protect a client’s confidential information which includes:

  • discovery;
  • email communications;
  • credit card information;  
  • bank statements; and
  • any other information obtained from the client related to representation.

Further, because attorneys have an ethical duty to ensure that non-attorney staff and contractors conduct themselves in a manner consistent with the attorney’s ethical obligations, the attorney can also be held responsible for a data breach in the event that they do have an IT company or cyber security company who doesn’t properly conduct themselves, i.e. make reasonable efforts to protect the client’s information.

Blanch points out that “each state has adopted its own version of a professional code of conduct for attorneys”, but “we do not see much difference in the rules” vs. the ABA’s guidance, although “provisions in some states governing the issue may be inconsistent with” the ABA’s guidance.

Further Reading