Law firm data protection, matter segregation and encryption practices
The practical data protection obligations a modern law firm carries, from client confidentiality and matter segregation to encryption, access controls and the new wave of enterprise-client security requirements.
Atticus Rowan
Law firms have always been data custodians. Client files, litigation records, deal documents, privileged communications, intellectual property. What has changed in the last several years is the scrutiny those custodial obligations now face from clients, regulators and adversaries.
Enterprise clients increasingly audit their outside counsel’s cybersecurity posture before sending sensitive matters, and sometimes after. State bars have updated the rules of professional conduct to reflect the cybersecurity obligations baked into competence and confidentiality. Threat actors have identified law firms as concentrated, high-value targets where a single intrusion can expose the sensitive data of hundreds of clients.
The result is that the modern law firm runs an IT and cybersecurity program that looks more like a small financial services firm than like the law office of a decade ago. Here is what a credible program actually looks like at the mid-sized firm level, where the obligations are real but the dedicated compliance function that larger firms operate is not realistic.
The professional responsibility baseline
ABA Model Rule 1.1, Competence, has been interpreted since 2012 to include a duty of technological competence. ABA Model Rule 1.6, Confidentiality, imposes an affirmative obligation to make reasonable efforts to prevent unauthorized access to client information. Nearly every state bar has adopted variants of these rules.
The practical meaning:
- A lawyer who does not understand the basics of how client data is stored, transmitted and protected is failing the competence duty
- A firm that does not implement reasonable safeguards against unauthorized access is failing the confidentiality duty
- The standard is not strict liability; it is a reasonable-efforts standard measured against what a competent attorney of similar practice would do
Bar guidance increasingly looks to external frameworks (NIST, CIS Controls, ISO 27001) to define what reasonable means. A firm that can document alignment to a recognized framework has an easier argument to make in a bar inquiry than a firm that cannot.
Matter segregation, the distinctive law firm requirement
The single most distinctive data-protection requirement at a law firm is matter segregation. Different clients have different interests, and some clients are adverse to others. Information barriers between matters (also called ethical walls or Chinese walls) are often required by contract, by bar rule or by the firm’s own conflicts analysis.
The technical implementation has to reflect this.
- Document management segregation. The DMS must support matter-level access controls. A paralegal working on Matter A should not be able to access Matter B if there is an information barrier.
- Access audit capability. The firm must be able to demonstrate who accessed what matter and when, usually on demand during an internal conflicts review or a client audit.
- Conflicts integration. The document management system’s access controls should integrate with the firm’s conflicts system, so that a new matter properly sets up access rights from day one.
- Departing attorney controls. When an attorney leaves the firm, their access to client matters has to terminate on a defined timeline. When an attorney arrives from another firm, their prior-firm conflicts have to be reflected in access controls immediately.
Most mid-sized firms discover on the first real audit that their matter segregation has gaps. Universal access for administrative staff, legacy matters with incorrect access lists, departed attorneys with lingering access. Closing these gaps is often the highest-impact project inside a firm’s data protection program.
Encryption, at rest and in transit
Encryption is the easiest-to-explain requirement and one of the more frequently misimplemented.
- Data at rest. Full-disk encryption on every workstation and laptop (BitLocker, FileVault, or equivalent). Server encryption on systems that hold client data. Cloud-hosted DMS vendors typically handle at-rest encryption as a service; firms need to verify this in vendor documentation rather than assume.
- Data in transit. TLS 1.2 or higher on every external communication. HTTPS-only email portals where available. Encrypted email for sensitive communications, either through the firm’s email platform (Microsoft 365 with message encryption) or through a purpose-built secure email gateway.
- Secure file transfer. A secure file transfer mechanism for large or sensitive attachments. Sending a 200MB deal document as an email attachment is both a deliverability problem and a security problem.
- Removable media. Encryption of any removable media (rare in 2026 but not zero, especially in firms with occasional paper-to-digital conversion projects).
Encryption gaps that commonly surface:
- Personal laptops used occasionally for firm work, without full-disk encryption verified
- Older Mac laptops where FileVault was never enabled
- Backup media stored offsite without encryption verified
- A document scanner that emails scanned images in cleartext
Each of these is a specific failure mode, each is fixable and each is worth a documented inventory pass.
Access controls and identity
The access control model at a law firm has to reconcile several competing pressures.
- Attorneys need fast access to matter files during active work
- Administrative staff need access to many matters for operational support
- Conflicts and information barriers constrain access
- Client audits expect evidence of least-privilege implementation
The practical model:
- Matter team memberships. Each matter has a defined team; access flows from team membership.
- Role-based access for administrative functions. Billing, conflicts, records, IT, each with defined access scope.
- Quarterly access reviews. Documented review of privileged and high-risk accounts.
- MFA on everything. Mail, DMS, remote access, VPN, cloud file share. Phishing-resistant factors for administrative and privileged accounts.
- Departing attorney runbook. On the day of departure, access terminates across all systems within 24 hours, and evidence that this happened is documented.
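The matter-segregation controls listed earlier (matter-level access, audit capability, conflicts integration, departing-attorney controls) and the access model just described come together in one small policy engine. The following is an added example written for this article; it is not the article's code, nor any document management vendor's product logic. The user names, matter ids, role scopes and the 24-hour offboarding SLA are constructed for illustration. It shows why decision order matters (an information barrier overrides team membership), why administrative roles get scoped actions rather than universal access, and how an offboarding check produces the evidence a client audit asks for.

```python
"""Matter-level access control with information barriers, scoped administrative
roles, departing-attorney offboarding and an access audit trail.

Added example for this article (not the article's or any DMS vendor's code).
Users, matters, role scopes and the SLA below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Administrative roles and the actions they may perform on ANY matter.
# IT administers the platform but gets no default access to matter content.
ADMIN_ROLE_SCOPE = {
    "billing": {"read_billing"},
    "records": {"read_documents", "read_metadata"},
    "conflicts": {"read_metadata"},
    "it": set(),
}
OFFBOARDING_SLA = timedelta(hours=24)  # constructed from the "within 24 hours" runbook target


@dataclass
class Matter:
    matter_id: str
    client: str
    team: set = field(default_factory=set)    # users with matter-team access
    barred: set = field(default_factory=set)  # users behind an information barrier


@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)
    active: bool = True
    departed_at: datetime = None              # recorded by HR when the person leaves


class MatterAccessControl:
    def __init__(self, users, matters):
        self.users = {u.user_id: u for u in users}
        self.matters = {m.matter_id: m for m in matters}
        self.audit_log = []

    def _evaluate(self, user, matter, action):
        """Decision order: disabled account, then barrier, then team, then role."""
        if not user.active:
            return False, "account disabled"
        if user.user_id in matter.barred:          # barrier beats team membership
            return False, "information barrier"
        if user.user_id in matter.team:
            return True, "matter team member"
        for role in sorted(user.roles):            # scoped admin access, not universal
            if action in ADMIN_ROLE_SCOPE.get(role, set()):
                return True, f"role:{role}"
        return False, "not on matter team"

    def check(self, user_id, matter_id, action, now):
        """Authorize one access and log it, allowed or denied, for later audit."""
        allowed, reason = self._evaluate(self.users[user_id], self.matters[matter_id], action)
        self.audit_log.append({"ts": now.isoformat(), "user": user_id, "matter": matter_id,
                               "action": action, "allowed": allowed, "reason": reason})
        return allowed

    def erect_barrier(self, user_id, matter_id):
        """Conflicts integration: a recorded conflict bars the user from the matter."""
        self.matters[matter_id].barred.add(user_id)

    def record_departure(self, user_id, now):
        self.users[user_id].departed_at = now

    def terminate_access(self, user_id):
        """Runbook step: disable the account and strip every matter-team membership."""
        self.users[user_id].active = False
        for m in self.matters.values():
            m.team.discard(user_id)

    def overdue_offboarding(self, now):
        """Departed users still active or still on a team past the SLA.
        An empty list is the evidence a client audit wants to see."""
        overdue = []
        for u in self.users.values():
            if u.departed_at is None or now - u.departed_at <= OFFBOARDING_SLA:
                continue
            lingering = [m.matter_id for m in self.matters.values() if u.user_id in m.team]
            if u.active or lingering:
                overdue.append((u.user_id, lingering))
        return overdue

    def matter_access_report(self, matter_id):
        """Who touched this matter, when, and with what result."""
        return [e for e in self.audit_log if e["matter"] == matter_id]


def demo():
    """Constructed scenario: a lateral hire staffed on a matter before the conflicts
    check completes, a billing clerk, an IT admin and an attorney who departs."""
    t0 = datetime(2026, 1, 5, 9, 0)
    users = [User("paralegal_a"), User("atty_lateral"), User("billing_clerk", {"billing"}),
             User("it_admin", {"it"}), User("atty_departing")]
    matters = [Matter("M-100", "Client A", team={"paralegal_a", "atty_departing", "atty_lateral"}),
               Matter("M-200", "Client B", team={"atty_lateral"})]
    ac = MatterAccessControl(users, matters)
    ac.erect_barrier("atty_lateral", "M-100")  # prior-firm conflict with Client A
    r = {
        "paralegal_own_matter": ac.check("paralegal_a", "M-100", "read_documents", t0),
        "paralegal_other_matter": ac.check("paralegal_a", "M-200", "read_documents", t0),
        "lateral_barred_matter": ac.check("atty_lateral", "M-100", "read_documents", t0),
        "billing_any_matter": ac.check("billing_clerk", "M-200", "read_billing", t0),
        "billing_no_documents": ac.check("billing_clerk", "M-200", "read_documents", t0),
        "it_no_documents": ac.check("it_admin", "M-100", "read_documents", t0),
    }
    ac.record_departure("atty_departing", t0 + timedelta(hours=3))  # HR records it; runbook not yet run
    r["overdue_day2"] = ac.overdue_offboarding(t0 + timedelta(days=2))
    ac.terminate_access("atty_departing")
    r["departed_denied"] = ac.check("atty_departing", "M-100", "read_documents", t0 + timedelta(days=2))
    r["overdue_after_runbook"] = ac.overdue_offboarding(t0 + timedelta(days=2))
    r["m100_report"] = ac.matter_access_report("M-100")
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two design choices carry the weight here. Denied requests are logged alongside allowed ones, so a later conflicts review can show not only who read a matter but who was refused and why. And the offboarding check works from HR's departure record rather than from the IT ticket, so a departure nobody acted on still surfaces as an overdue item.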
The client audit
An increasing share of law firm clients now conduct outside-counsel security audits. Banks, insurance companies, healthcare systems, technology companies, PE portfolio operators. The audit typically includes a questionnaire (often based on SIG or a proprietary variant), a discussion of controls, sometimes a physical site visit and often an expectation of SOC 2 or an equivalent attestation over time.
What clients commonly require:
- A written information security policy
- A documented risk assessment, refreshed annually
- MFA on attorney and staff access to systems holding client data
- EDR on all devices accessing client data
- Backup with documented recovery capability
- Incident response plan with specific client notification obligations
- Cyber insurance at agreed minimum limits
- Employee training on phishing and confidentiality
- Vendor management documentation
- SOC 2 Type II or equivalent, sometimes with a defined timeline if not yet in place
Firms that can produce the evidence in under 2 weeks when a client audit arrives are in good shape. Firms that cannot often lose the matter or take a contract modification that imposes controls on a compressed timeline.
What a working program looks like
At a mid-sized firm of 40 to 200 attorneys, the program typically includes:
- Identity and access. Microsoft 365 or similar with universal MFA. Conditional access blocking legacy authentication. Quarterly access reviews. Fast offboarding.
- Matter segregation. DMS with matter-level access controls, integrated with the conflicts system. Documented information barriers where required.
- Endpoints. Company-owned devices with full-disk encryption, EDR and managed response from an MDR provider.
- Email. DMARC enforcement, phishing protection, message encryption for sensitive communications.
- Backup. Immutable backup of DMS data, email archives, financial records. Documented restore testing.
- Network. Segmentation between attorney, administrative and guest networks. Controlled remote access.
- Vendor management. Maintained inventory of material vendors with annual review.
- Compliance and documentation. Written information security program. Annual risk assessment. Named cybersecurity officer (often fractional). Documented incident response plan with client notification obligations.
- Training. Annual confidentiality, cybersecurity and conflicts training with documented completion.
- Cyber insurance. Current policy at adequate limits.
Typical annual investment at this scale: $150,000 to $450,000, including MSP services, tooling and cyber insurance. For a firm billing $30 million to $150 million annually, this is a small fraction of operating expense and a large fraction of reputational and professional-responsibility risk reduction.
Where we fit
We work with law firms at the mid-market level as the IT and cybersecurity partner that builds and operates the program. The practical engagement reflects the firm’s unique data handling obligations. Matter segregation is designed in, not retrofitted. Client audit response is prepared before the audit arrives. Bar compliance and professional responsibility obligations are reflected in documented practices that would stand up to inquiry.
If your firm is facing client security audits, preparing for a bar cybersecurity review or simply catching up on controls that have not been reviewed in several years, schedule a discovery call. We can walk through the current posture, identify the specific matter-segregation and access-control gaps and scope a working program.