
Four steps to improve digital data security at law firms 

by Stephanie Kurtz
Small law firms tend to think that they’re safe from becoming the target of hackers. Unfortunately, that assumption is wrong.

In fact, attackers target small- and medium-sized businesses (SMBs) precisely because they usually don’t defend themselves as well as large enterprises. Whether the cause is a lack of IT resources or budget constraints, SMBs — including law firms — need to confront today’s threats head-on.

Breaches at law firms are not uncommon. An American Bar Association survey1 last year found that one in four law firms with at least 100 attorneys had experienced a data breach due to a hacker, website attack, break-in, or lost or stolen computer or smartphone. Meanwhile, the consequences of weak security could impact your firm’s business, as more corporate clients insist that their outside firms do more to safeguard sensitive information.

Law firms are taking note. In a 2015 ILTA/InsideLegal Technology Purchasing survey,2 59 percent of respondents said security management was their top IT challenge. The issue topped the list, knocking email management out of the number one spot for the first time in eight years.


To build a better defense, your firm should review its data retention and security policies, ensure that both firm-owned and personally owned hardware and software are well protected, and educate its attorneys on IT security best practices.

Step one

Make sure your firm has, and adheres to, an appropriate data retention policy.

In its code of conduct, the American Bar Association (ABA) has published general guidelines on how long attorneys should hold documents (see Model Rule 1.15, 1.16 (d) and DR 2-110 (A)(2)). Unlike most businesses, which typically retain documents for seven to 10 years, law firms have complex retention policies because of their fiduciary duty to store, manage and maintain certain types of documents, such as wills and living trusts, for specific periods of time.

The duties can also vary according to the type of law practiced and the jurisdiction where the firm operates. Above and beyond the ABA rules, for example, each state has its own rules on which records to retain and for how long.

An important part of data security is knowing when documents and email may, and should, be deleted, because hackers can’t steal data that your firm no longer holds. A second benefit is that a disciplined schedule limits the information that may be subject to a discovery motion. If your firm retains information beyond what’s required, it creates risk without creating value. The schedule must still yield to legal obligations: once litigation is reasonably anticipated, a legal hold suspends routine deletion of the relevant records.

Your retention policy should also follow best practices for data storage. Sensitive data should never be copied onto thumb drives, which someone can easily drop in a pocket and walk out the door. Nor should it live on the hard drives of attorneys’ individual PCs, where it is outside the firm’s backup, access-control and deletion processes. Rather, sensitive data should be stored only on secure servers at the firm or at your vendor.

Step two

Ensure endpoint security.

In an ideal world, all sensitive data would be kept only on secure servers and never on individual devices or endpoints. In practice, however, attorneys carry important documents on, and read potentially sensitive email from, desktops, laptops, tablets and phones. Each device should run anti-virus and intrusion-detection software. The IT department should make sure that all application software, operating systems and browsers are kept up to date with the latest patches issued by their vendors. Each device should encrypt data both at rest (full-disk or device encryption) and in transit (an encrypted connection, such as a VPN, back to the firm). Encryption only protects data when it is actually switched on and paired with a strong passcode or screen lock and the ability to wipe a lost device remotely, so IT should verify these settings rather than assume them.


Step three

Make sure to address the weakest link in your data security — human beings.

Teach them when and how to encrypt data. According to the ILTA survey, nearly 35 percent of firms had no standard policy or requirement to encrypt data when it was transferred out of their litigation/practice support group. Educate everyone in the firm, including staff, attorneys and senior partners, on endpoint security best practices. Everyone should understand, for example, why you should never click on links or open attachments you were not expecting. Recognizing the apparent sender is not enough, because sender addresses are easily forged; an unexpected request involving credentials or money should be confirmed with the sender through a separate channel, such as a phone call. Even senior business executives or law partners are susceptible to social engineering attacks such as phishing, as the horror story described in step four illustrates.

Step four

Design, implement and enforce a bring-your-own-device (BYOD) policy that lays out what type of devices are allowed and how IT will secure them.

Increasing use of personal mobile devices for work has opened up a new threat to security. Especially when using tablets or phones, attorneys may not realize they are exposing sensitive data. If a phone is lost or stolen, a bad actor could potentially use the credentials and sessions saved on it to access the firm’s network and install malware undetected. Once in, the thief can steal information immediately or lurk in the background and cherry-pick specific data.

In the ILTA study, some 28 percent of firms said they had no BYOD policy. Of those that did have a policy, 71 percent covered smartphones, 59 percent covered tablets and only 28 percent covered laptops.

Without a rigorously enforced BYOD policy, bad things happen. For example, a C-level executive recently shared this personal horror story: He and a fellow executive both received the same email saying that there was a problem with the firm’s payroll. Each logged into the system using their own personal, unsecured mobile devices. The email turned out to be a cleverly constructed phishing attack that redirected the executives to a site that captured their logins and passwords. The hackers then used those credentials to redirect the executives’ paychecks to an account in Grand Cayman. The company had no idea its payroll had been hacked until two weeks later, when the executives’ paychecks never showed up. The unmanaged devices were the entry point, but the damage came from reusable passwords: requiring multi-factor authentication on payroll and other financial systems, and confirming any change to payment details out of band, would have limited what the stolen credentials could do.

What’s next?

By bringing fresh eyes, an outside technology consultant can be helpful in reviewing your retention policy and evaluating your security. Through vulnerability testing and gap analysis, a consultant often identifies areas that have been overlooked or need updating to current technology. The consultant can remediate problems, recommend improvements and help you deploy a sound security strategy — using the proper tools to protect your digital data from increasingly inventive hackers.

Stephanie Kurtz, Senior Manager, Advanced Services Strategy, Ricoh USA, Inc., is a technology innovator and leader with a sophisticated grasp of emerging and existing technology and its application to drive business performance improvement and strategy. Kurtz has over 25 years’ experience in information technology, specializing in governance, risk, compliance and information security. She teaches technology, governance and risk courses at the graduate and undergraduate level, and holds CGEIT, CRISC and ECMp certifications.
1 Melissa Maleske. "1 In 4 Law Firms Are Victims Of A Data Breach." Law360. September 22, 2015. http://www.law360.com/articles/705657/1-in-4-law-firms-are-victims-of-a-data-breach 
2 2015 ILTA/InsideLegal Technology Purchasing Survey. http://insidelegal.typepad.com/files/2015/08/2015_ILTA_InsideLegal_Technology_Purchasing_Survey.pdf