Law Firms: Are your clients' most confidential materials at risk in your DMS?
Cheryl Wilson Griffin
I help smart people get cool things done | Legaltech Expert | Startup Growth and Strategy | Law Firm Innovation | Legaltech Advisor | Strategic Due Diligence and Market Analysis
As the guardians of their clients’ most valuable and potentially damaging information, law firms continue to be targeted by bad actors and hackers worldwide. And notwithstanding valiant efforts to implement the latest cyberthreat systems, we’ve seen three well-respected firms lose access to their email, document management, and other core systems at the hands of hackers in just the last 90 days. While we don’t know the details of these firms’ breaches, data from the World Economic Forum suggests our people continue to be the weakest part of any security program.
The Document Management System (“DMS,” for short) is where documents and communications related to client matters are stored for record-keeping purposes. The information stored in these core firm systems can include a range of materials: potentially privileged legal advice delivered to the client in the form of memos and email correspondence, work product, copies of discovery materials, potential trial evidence, and other company confidential materials.
Each group of materials carries a different risk were it to find its way into the wrong hands – ranging from expensive breaches and damage to the client's (and thus the firm's) reputation to full-fledged malpractice. Law firms use a variety of controls to manage this risk: policies about where materials can be stored; technical controls limiting who has access to materials; and strong security perimeters around the firm’s architecture. But what if those controls have become outdated, leaving both the firm's and its clients' most critical data at risk?
Have you reviewed the controls that secure your DMS this decade?
If your firm has been actively using a DMS for more than 10 years, it’s likely that some of your controls are out of date. An audit of your DMS policies and controls, followed by some simple updates, will ensure they appropriately protect privileged communications and company confidential information. A thorough audit should include a variety of assessments, including a review of your firm’s data classification policies (which tell your professionals what type of information is appropriate to store where), training your legal professionals on those updated policies, and considering your overall risk tolerance against those policies.
A simple first step is to meet with your DMS administrators to understand how many people currently have access to your client matters. Limiting the number of people who have access to client materials can greatly reduce the risk by reducing the number of people whose simple mistake can cost your firm millions.
What’s The Risk?
If you're reading this, I probably don't need to tell you what's at stake. The risks are broad, expansive, and some aren’t insurable.
First and foremost, attorneys have ethical, common-law, contractual, and regulatory duties when using technology, including:
Keep in mind that many of the people who manage your firm’s core systems have no legal experience and may not be aware of your ethical and legal obligations. It’s critical that lawyers regularly review security controls with their technical, information governance, cybersecurity, and privacy professionals to ensure they’re appropriately protecting your and your clients’ interests.
There’s also the expense. In 2021, the average cost of a data breach was $4.24 million according to a study cited by the American Bar Association. One of the worst data breaches, suffered by Equifax, cost the company as much as $1.4 billion. And the risk doesn’t end there. There have been several suits brought where the plaintiff claims that the firm has failed to take adequate steps to protect the data on its servers – initiating legal action before any breach ever occurred.
Quick Wins
There are well-documented best practices for securing not only your DMS, but other firm resources. The International Bar Association offers a great guide that you might consider reviewing with your information governance, cybersecurity, and data privacy professionals. But, there are some rather simple changes you can make this week that will exponentially reduce the risk associated with your document management system.
Limit access to client matters.
The ABA’s 2021 Legal Technology Survey Report included a startling statistic – 25% of law firm respondents reported that their firms had experienced a data breach. But, law firms haven’t always received the best advice about who should have access to client materials in the DMS. In the past, it could be difficult to limit the level of access that the firm’s technical professionals had to the DMS, while still allowing them to support lawyers when an urgent call comes in. The good news is that you can make some simple changes – today – that will greatly improve the security of materials stored in your DMS. As a first step, focus on limiting the number of people who get access to client materials in your DMS.
Keep It Simple
As important as controlling access is, you don’t want someone on your payroll just adding and removing people to and from your DMS all day. While more conservative security models offer their own unique challenges and benefits, firms can keep access control simple by using a list of people that already exists. For instance, maybe it makes sense to give everyone who’s on your “all lawyers” and “all paralegals” distribution lists access to DMS client matters by default. You can then add other individuals who need access to a particular client matter on an as-needed basis. Wondering how to deal with rights for your support professionals? Read on…
Establish privileged credentials.
Your firm probably has a support team, senior paralegals, or other professionals who need to access client matters in the DMS on short notice. Instead of giving these team members permanent rights to access whatever they want whenever they want, you can create alternate usernames and passwords that allow these team members to temporarily elevate their rights (or “privileges”) when needed. Ensure that John’s day-to-day network credentials (his username and password) only allow him access to those client matters he’s actually working on. You can then provide these professionals with a second, “privileged” username and password for those special circumstances when more access is needed.
95% of all cybersecurity issues can be traced to human error, according to the World Economic Forum
Why is this a better overall approach?
When a user has permanent access to everything in the DMS, it’s nearly impossible to detect unusual behavior until it’s much too late. After all, if it’s not unusual for paralegal John to download 200 documents from a seemingly random client file on behalf of a partner on his way out the door, you won’t be able to tell when John’s account has been hacked. This limits your firm’s ability to cut off access and control how widespread or significant the breach is.
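The detection argument above, as a small added example that is not part of the original article: the same audit log is reviewed once with scoped day-to-day accounts plus a separate privileged account, and once with blanket access for everyone. The account names, matter IDs, the "-priv" naming and the log layout are constructed assumptions, not the format of any particular DMS.

```python
from collections import Counter

# Constructed sample data: matters each day-to-day account is assigned to,
# and a hypothetical privileged account mapped to its owner.
ASSIGNED = {"john": {"M-1001", "M-1002"}, "priya": {"M-2001"}}
PRIVILEGED = {"john-priv": "john"}

# Constructed audit events: (date, account, action, matter)
EVENTS = (
    [("2024-03-01", "john", "download", "M-1001")] * 3      # normal work
    + [("2024-03-01", "priya", "open", "M-2001")]           # normal work
    + [("2024-03-01", "john", "open", "M-9000")]            # unassigned matter
    + [("2024-03-02", "john-priv", "download", "M-9000")] * 200
)

def review(events, assigned, privileged):
    """Return sorted (date, account, action, matter, reason, count) findings."""
    hits = Counter()
    for date, account, action, matter in events:
        if account in privileged:
            # Elevated access is rare by design, so every use gets reviewed.
            hits[(date, account, action, matter, "privileged-use")] += 1
        elif matter not in assigned.get(account, set()):
            # A scoped account touching an unassigned matter stands out.
            hits[(date, account, action, matter, "out-of-scope")] += 1
    return sorted(key + (n,) for key, n in hits.items())

def review_blanket(events):
    """Same log, but every account is entitled to every matter."""
    all_matters = {matter for _, _, _, matter in events}
    everyone = {account: all_matters for _, account, _, _ in events}
    return review(events, everyone, privileged={})

if __name__ == "__main__":
    for finding in review(EVENTS, ASSIGNED, PRIVILEGED):
        print("scoped :", finding)
    print("blanket:", review_blanket(EVENTS))
```

With scoped access the 200-document pull surfaces as a single reviewable finding; with blanket access the same log produces nothing to review.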
Keep It Simple
Privileged accounts, those accounts that have broad access rights and fewer restrictions, are the most desirable for hackers and bad actors. They could allow a hacker full access to everything in your DMS (and potentially to other integrated systems, like time and billing). For this reason, consider starting with a blank page when deciding who needs a privileged account. That is, instead of looking at the current list and removing people who don’t need privileged access, start by assuming no one needs this level of access and prove that each person or role needs to be added to the list. I always recommend planning a 4-8 week pilot period in which you track requests for adds and removes to the DMS in general, as well as privileged access requests, then review and adjust your approach at the end of the pilot based on what you learn.
About the Author
Cheryl Wilson Griffin is a strategic consultant with 20+ years’ experience leading innovation in the legal tech space. I help high-growth companies scale their technologies, talent, and tactics to realize their most ambitious goals. As a certified Project Management Professional (PMP) with extensive experience in strategic planning, project management, change management, business transformation, and process improvement, I solve problems by collaborating across traditional boundaries and leveraging natural human tendencies to reduce friction and put people first. I’m passionate about equality and human rights, expanding opportunities to create generational wealth for women, the Chicago Cubs, and funny looking dogs (especially dachshunds).
Great points Cheryl Wilson Griffin, MBA (MIS), PMP. The "Zero Trust" approach of giving users access to content they need to do their job, whenever they need it, is only effective with strong governance and enforcement behind it. With the risk of phishing and compromised accounts, reducing the attack surface should also be considered. We touch on some of those points here: https://imanage.com/learn-more/why-a-modern-security-culture-matters-best-practices-for-your-cloud-strategy/