Law Firms and Data Security



At some point during the creation and operation of a business, a company’s executive team will likely need the advice of corporate counsel. Of course, there may also come a time when a company becomes embroiled in some other legal matter and thus needs a litigation team. Regardless of when or why a company requires legal services, there are data security considerations that both the company and its counsel should keep in mind. This is particularly true because of the nature of the information that is shared between attorneys and clients.

Although it is incumbent upon attorneys to maintain client confidentiality, it is wise for clients, especially corporate clients, to examine a law firm’s data security practices prior to retaining the firm’s services. And, in some cases, it may be appropriate or necessary to request specific processes or procedures with respect to the handling of certain company data. At a minimum, companies should inquire about the following security protocols, and hopefully, most law firms are employing these measures to some degree.

Internal and External Practices and Policies

Law firms large and small must craft and implement specific data security practices, and even more importantly, they must ensure that all staff and personnel understand and adhere to such procedures. In general, this should include:

  • Detailed rules regarding document storage, retention, and destruction
  • Appropriate Internet and email conventions
  • Safeguarding of passwords for computers, email accounts, and any other password-protected systems

For example, firms should delineate clear rules that address where and how to save confidential items and who may access them; strict password requirements, such as mandatory character length and/or inclusion of special characters; how frequently passwords must be changed; prohibitions on sharing passwords, even with co-workers; and restrictions on the types of documents that may be attached to emails. These sorts of rules should be as specific as possible, formally written, accessible to staff, and routinely revisited through email reminders and trainings.

In addition to ensuring that internal employees comply with firm-specific data security practices, law firms must ensure that external individuals entrusted with client information also abide by certain security standards. For example, law firms regularly send documents to word processors for revisions, printing or copying companies for large printing requests, or binding services to prepare materials for arbitration or litigation. Law firms (as well as their corporate clients who may be sharing confidential information) should verify that any outside companies providing such support services respect and uphold the rules regarding confidentiality and take adequate precautions to protect transmitted information.

Document Storage, Retention, and Destruction

Obviously, implementing rules regarding a firm’s document storage, retention, and destruction procedures is key. However, the manner of storage, retention, and eventual destruction is important as well to ensure the security of those documents. Because many states have laws that require firms to retain documents for a certain number of years, a number of firms are turning to secure corporate repositories to house large volumes of documents, rather than allowing boxes and boxes of files to take up precious real estate. This is a necessary and appropriate virtual solution for document storage, provided that a sophisticated application with advanced security protocols is selected.

For any company that has had to furnish legal counsel with confidential business information, such as valuable IP or financial statements, it is vital to confirm that the firm storing such documentation is utilizing a highly secure storage system.

Device Management

Unfortunately, it has become incredibly easy for data to be compromised because of its availability on multiple devices. Fortunately, most firms are able to erase data from devices that are lost or stolen, although this may take place after the data has already been discovered. As a result, firms should only transmit confidential documents via mobile platforms if encryption is utilized or if the device has a special application that enables it to view transmitted documents securely.

Ultimately, law firms must pay special attention to the tablets and mobile phones that attorneys regularly use for work purposes and employ an apposite method of data protection, and of course, corporate clients should inquire about a firm's unique device protocols. Although firms may have to devote substantial research and investment to find the right product or solution, it will prevent unnecessary hassle and mitigate costs in the long run.
