2023 Law Firm Data Security Guide: How to Keep Your Law Firm Secure

Law firm data security should be a top priority for any practice, and here’s why: Clients trust you with their most confidential information. Since clients entrust lawyers with so much of their sensitive data, law firms make prime targets for cyber crime. According to the 2022 ABA Cybersecurity Tech Report, 27% of law firms experienced a form of security breach. You don’t want your law firm to become part of that statistic.

So how do you mitigate your firm’s risk of data breaches and keep your clients’ data as secure as possible? As a legal professional, it’s crucial to stay up to date with and understand the latest technology. But, with technology constantly evolving, where do you start?

Here, we’ll outline the fundamentals of law firm data security in 2023. Read on for an overview of some best practices for keeping your firm’s data secure, a summary of your ethical and regulatory obligations when it comes to tech, a look at the risks and rewards of cloud-based legal software, and a few resources that can help level-up the data security at your law firm.


Law Firm Data Security 101

Let’s start with the basics. We’ve put together the essential things you need to know about law firm data security in 2023.

What is a law firm’s data security risk?


Failing to keep data secure is more than just a huge risk for you and your firm—it can also have incredibly negative consequences for your clients.

To hackers and criminals, law firms are remarkably interesting. Valuable information—that may include trade secrets, intellectual property, merger and acquisition details, personally identifiable information (PII), and confidential attorney-client-privileged data—will attract the ill-intentioned to your firm.

Given these risks, law firms are obligated to protect their clients’ information. If criminals penetrate your firm’s security, the consequences can be extensive, ranging from minor embarrassments to serious legal issues, including:

  • Compromised communications due to phished or compromised email accounts
  • Inability to access firm information due to ransomware (i.e., where hackers encrypt files and demand money to restore access)
  • Public leaks of personal or business information (e.g., on social media)
  • Loss of public and client trust in your firm
  • Malpractice allegations and lawsuits

What are your ethical and regulatory obligations?

Ethically (and professionally), it’s your duty to protect client data and to disclose your error if a breach does occur. According to the American Bar Association (ABA) Rule 1.6: Confidentiality of Information, lawyers should “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client”. Additionally, the ABA has released several Ethics Opinions (such as Securing Communication of Protected Client Information and Lawyers’ Obligations After an Electronic Data Breach or Cyberattack) which provide guidance for lawyers on how to address cybersecurity.

To comply with the obligations of the American Bar Association, you must make reasonable efforts to protect your law firm’s data—this could mean implementing a cybersecurity plan, securing your mobile devices, improving communication practices through email, and vetting legal tech providers.

It’s also important to keep these ethical responsibilities and best practices in mind when adding legal technology to your firm’s toolkit. In many cases, legal technology can help you meet your regulatory obligations by better protecting your data, and therefore client data, via streamlined processes (with less room for manual error), enhanced security infrastructure, and encryption.

HIPAA, GDPR, CCPA, SHIELD, and state-specific breach notification laws

Data security laws can vary with location. It’s your firm’s responsibility to understand your legal responsibilities in the event of a breach.

  • HIPAA: HIPAA, a federal law, requires health care providers and “business associates” to protect protected health information (PHI) from inadvertent disclosure. Since law firms are considered business associates, they must comply with HIPAA when handling PHI on behalf of their clients. Check out our blog post on understanding HIPAA compliance for more information.
  • GDPR: To help address global needs for enhanced data security, in 2018, Europe introduced a unified data protection law, the General Data Protection Regulation (GDPR). GDPR, which strives to unify the regulatory environment for businesses handling personal data, requires enhanced protection of personal data belonging to EU individuals. While GDPR currently applies to firms in Europe, its regulations could affect your firm, so it may be a good idea to learn more about GDPR.
  • CCPA: In 2020, the state of California introduced the California Consumer Privacy Act (CCPA), which strives to mirror the GDPR and requires enhanced protection of personal data for California residents.
  • SHIELD: Similarly, New York has introduced the Stop Hacks and Improve Electronic Data Security Act (SHIELD), which introduces a requirement to implement “reasonable” security safeguards for any business in possession of the personal data of New York residents. The SHIELD Act also enhanced New York’s existing data breach notification requirement (already one of the strictest in the United States).

Learn more about Arizona data breach notification requirements.

What to do if your law firm is hacked

Of course, no one wants to believe their law firm could be hacked. Unfortunately, because of the valuable documents lawyers keep on hand, law firms are prime targets. Hackers may intend to steal your clients’ data and sell it to third parties. Or, in rarer cases, they could opt to hold the information hostage until a ransom is paid.

Your firm should have an incident response plan (IRP) for these situations, even though you will hopefully never have to use it. The list below is a good starting point when creating an IRP checklist:

  • Contain the damage and begin any recovery protocol.
  • Connect with a data breach expert.
  • Notify your insurance provider (and if you don’t already have cyber security insurance, check out our post on cyber security insurance for law firms).
  • Report the incident to law enforcement.
  • Ensure all third parties are notified.
  • Make compliance a top priority.

It’s important to review and update your IRP regularly to avoid making a bad situation worse. You can run your checklist by an IT consultant, as they might have additional recommendations.

Read more:
https://www.ittucson.com/11-best-practices-for-protecting-your-law-firms-data/