As the digital landscape grows more complex every year, law firms dealing with high volumes of business-critical client information and court documents face a more significant challenge than ever before.
Today, law firms depend on emails and cloud-based platforms for file storage, document creation, and communication. These tools allow law firms to reach out and collaborate with their clients and streamline daily operations.
While these tools bring conveniences, legal file management is also becoming more complex for law firms – an industry that is required to store records for at least seven years. The potential volatility of digital tools brings new challenges related to electronic legal document storage. These include ransomware threats, accidental or malicious deletions, and regulations such as GDPR, SHIELD, and the Colorado Privacy Act. For law firms’ clients, this also means that electronic data, documents, and correspondence may now form part of the evidence.
This scenario calls for the implementation of a backup and archiving solution. An effective archiving solution will ensure secure file sharing for law firms and protect them from potential accidental/malicious deletion of files or cyberattacks.
Significant Threats to the Digital Files of Law Firms
Electronic legal file management can introduce the risk of unintentional data loss. For law firms, this may also mean a loss of evidence. And in many US states, law firms will be held accountable for losing pieces of evidence and could face sanctions.
There are multiple ways that digital files of law firms can be lost, including the corruption of storage hardware (such as USBs, hard drives, or laptops) or cyberattack-induced computer virus infection.
According to the American Bar Association (ABA), law firms are becoming targets of cybersecurity attacks since they carry and store client information and may have safeguards that are “inferior to those deployed by the client.” The legal body, therefore, suggests that law firms must assess every access point and device for security compliance.
ABA’s most recent Legal Technology Survey Report found concerning results that illustrate how most law firms are heavily prone to cyber threats:
- 25% of respondents said their firms had experienced a data breach.
  Of this number, 35% were from law firms with 10 to 49 attorneys, 46% with 50 to 99 attorneys, and 35% with over 100 attorneys.
- 17% do not have security policies in place.
- 8% do not know about security policies.
- 29% reported infections from computer viruses.
- 33% do not know about backup.
In April 2022, two US-based mid-sized law firms, McCarter & English and Stevens & Lee, were reported to have suffered data breaches that “impacted the availability of [their] computer systems.” McCarter & English had already deployed its own layer of cybersecurity, which included two-factor authentication, but attackers still found a way to breach its data. For Stevens & Lee, the breach happened back in June 2021, to the detriment of 23,066 individuals whose personal data were potentially compromised.
In another example, the criminal defense law firm Tuckers Solicitors was fined £98,000 for failing to protect volumes of sensitive court information later published on the dark web. The Information Commissioner’s Office (ICO), the UK’s data protection authority, said in its decision notice:
“The commissioner considers that Tuckers’ failure to implement appropriate technical and organisation measures over some or all of the relevant period rendered it vulnerable to the attack.”
The attack resulted in the exposure of more than 900,000 files, 24,712 of which were related to court bundles. The bundles contained sensitive personal data from clients, some of whom were victims of murder and rape, while others were in vulnerable physical and mental states.
These instances of poor legal file management are bad news for law firms — aside from a damaged reputation, a breach also means financial losses.
The ABA’s Model Rules of Professional Conduct
In the US, the American Bar Association has implemented Model Rules of Professional Conduct that lawyers and law firms must follow for client representation, including legal file management in the current digital landscape. These rules include:
- Competence. This rule mainly requires lawyers to provide competent representation to the client, but to address the changing technological landscape, the ABA had a clause added requiring lawyers to “keep abreast of changes in the law and its practice, including the benefits and risks of technology.”
- Confidentiality of information. Lawyers are bound to client-lawyer confidentiality, which means that lawyers and the law firm they represent have the duty to protect client-related information. Under this clause, lawyers must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
- Safekeeping property. The rule expects law firms to keep and preserve information related to clients’ properties for five years after termination of the representation.
The ABA also published opinions about handling client data digitally, such as:
- ABA Formal Opinion 477R, “Securing Communication of Protected Client Information.” This opinion calls for law firms’ implementation of “strong protective measures” to guard against the disclosure of sensitive matters related to clients. The legal organization recognizes that due to the changing landscape, using unencrypted email or other forms of electronic communication via unsecured networks “may lack the basic expectation of privacy.”
- ABA Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack.” This opinion underscores a lawyer’s duty to inform clients when client confidential information becomes misappropriated, destroyed, or compromised. The lawyer also needs to educate clients on their firm’s actions to stop the breach and mitigate damage resulting from the breach.
  According to Rule 1.4(a)(3), a lawyer must “keep the client reasonably informed about the status of the [data breach].” Rule 1.4(b) also states: “A lawyer shall explain [the data breach] to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.”
- ABA Formal Opinion 498, “Virtual Practice.” This opinion recognizes the acceleration of law firms’ virtual practice and underscores the need to be competent and diligent in practicing virtually. It also states that lawyers must “fully consider and implement reasonable measures to safeguard confidential information and take reasonable precautions when transmitting such information.”
In addition to the ABA, law firms in the US are also answerable to various state data privacy laws. Examples are:
- Stop Hacks and Improve Electronic Data Security Act (SHIELD) – A law in New York that requires businesses, including law firms, to notify affected parties after discovering a computer system breach that affects private information.
- Colorado Privacy Act – A law that imposes responsibility on companies to protect personal data and authorizes the state attorney general and district attorneys to take enforcement action for violations.
Law firms in the European Union have to abide by the General Data Protection Regulation (GDPR), which governs the handling and security of personal information. The regulation expects companies to put organizational and technical measures in place to ensure secure file sharing for law firms.
Backup and Archiving for Law Firms
Law firms can accrue hundreds of thousands of client files and records, and they can all be at risk during a data breach. These volumes of sensitive digital data, coupled with the increasing challenges of securing them, call for an effective backup and archiving solution for legal document storage needs.
Backup and archiving provide law firms with an additional layer of security against data loss from either hardware malfunction or cyberattacks, allowing them to meet state and national regulatory requirements.
Dropsuite specializes in helping law firms keep highly sensitive data safe, secure, and protected. Law firms can efficiently back up, store, preserve and, if necessary, quickly restore data at a moment’s notice with Dropsuite’s cloud-based solution built from the ground up by engineers. Our solution works across many email ecosystems and business platforms, from Microsoft 365 to Google Workspace, IMAP-POP, and Hosted Exchange.
Moreover, the following features and benefits address legal file management challenges:
- Evidence preservation – Preserving evidence is a top priority for law firms. Loss of evidence can trigger courts to impose monetary sanctions, exclude evidence, disallow witness testimony, dismiss cases, or hold an attorney summarily liable. Dropsuite’s backup and archiving ensure business continuity for law firms and enable them to perform their critical duty of preserving evidence for as long as necessary.
- Legal Hold – Clients must ensure that all evidence is discoverable in a lawsuit, including paper records and electronic files – from emails to calendars, attachments, tasks, and collaborations in the cloud, on your desktop, or any data buried within the company’s computer network. Our state-of-the-art archiving capabilities help the client provide forensically compliant records of all e-communications marked for legal hold (tamper-proof preservation and retrieval).
- Retention Rate Setting – Dropsuite provides business compliance and continuity by allowing law firms to set retention rates that are as long as necessary to remain legally compliant. With this flexible retention rate setting, firms can easily ensure that records will stay secure for as many years as a given piece of legislation requires.
- Litigation preparedness – Most litigants are not prepared to handle the electronic preservation requests that might result from an audit or lawsuit. State-of-the-art security and advanced search features in Dropsuite protect sensitive files against data loss. Law firms, as a result, can quickly comply with data access requests, meet regulatory requirements, and ensure litigation preparedness.