Information Security in the Digital Age

With numerous high-profile breaches and rapidly evolving global business environments, the way that law firms collect, store and destroy information is coming under increased scrutiny (much like a cross-examination).
Ann Nickolas

As a result, many firms have taken action to refine their security protocols and create digital safeguards to assess the practices of their staff. However, as the legal industry continues to digitize, physical data security is increasingly becoming an afterthought when establishing an information security strategy.

Most law firms do not have a physical security plan in place to prevent and protect against the threat of negligent employee behavior — which happens to be one of the main causes of data breaches.

With 25 percent of information breaches caused by employee error, law firms need employee training around the treatment of physical data. Yet one in four law firms admits they have never trained their staff on information security policies, nor do they have these policies in place.

To ensure that critical client and business information in all formats remains confidential and protected, law firms must establish an all-encompassing information security strategy that includes policies on physical data protection.

Data security is important to American consumers looking to work with a law firm — 83 percent of them feel that data protection is important when deciding which firm to hire. Furthermore, 40 percent are concerned that the security of their confidential information could be at risk when providing information to a lawyer. To maintain relationships with potential and existing clients, it’s critical that law firms are aware of consumers’ concerns and examine the factors that could pose a threat to their business. While outsider threats should certainly be considered when establishing a security strategy, law firms must also assess internal staff to mitigate the risk of a breach or theft.

Two in five law firms admit that their employees have lost items containing sensitive customer data, including company mobile phones and laptops, paper documents, and USB drives. As a result, 18 percent say that sensitive company data had been put at risk and a data breach occurred. Of course, mistakes are sometimes unavoidable, but law firms need to be proactive in establishing a culture that is committed to data security at all levels of the business. It’s helpful to continually remind employees about how to handle confidential information both inside and outside the office — whether that means simply encouraging employees to double-check that they have all notes and paperwork in their possession when traveling or advising that all confidential documents be securely locked away or shredded within the office.

While many functions within the legal industry have been digitized, law firms continue to produce and store confidential physical assets from client depositions, discovery documents, plaintiff statements and corporate information — which tend to pile up in the office. A cluttered workplace not only signals disorganization and sloppy business practices to potential clients, but also poses a threat to your business’s security and its ability to comply with industry privacy laws and legislation. For example, the General Data Protection Regulation (GDPR) came into full effect for organizations with business dealings in the European Union on May 25, 2018; the regulation determines how long documents should be kept, making the retention and pileup of data even more risky.

One way to prevent breaches or theft within the office is to implement a Clean Desk Policy that specifies how employees should manage their workspace. The policy specifically instructs employees to clear their desks and offices of any visible information whenever they’re not physically there to protect it — computer monitors, paper documents, and even Post-it Notes must be securely cleared or locked away. Further, unused or dated documents must be securely shredded before being discarded.

Digital devices need to be monitored as well — technology gets dated quickly, and legacy equipment can increase a firm’s vulnerability to attacks. Keeping all equipment, from computers to mobile phones to hard drives, up to date is critical. It’s important to ensure that outdated equipment is securely destroyed before being discarded. Even if your hard drive disposal process includes erasing, reformatting, wiping or degaussing, you are still vulnerable. As long as the drives are physically intact, all private information can be retrieved — proper physical destruction is the only method that is effective.

At the end of the day, reputation is everything, especially in an industry where consumers have many options to choose from. Protecting your reputation means protecting your clients’ information, both digital and physical, through an all-encompassing information security strategy.