Delegation is not an effective cybersecurity strategy for law firm leaders

Lawyers who cannot account for their clients’ data are not upholding their confidentiality obligations

OPINION
By Tim Wilbur
May 14, 2026

Every lawyer understands that confidentiality is sacred. Far fewer can tell you, right now, exactly where all their clients’ data resides, who has access to it, and what would happen if any of those systems were compromised. 

That gap between the principle lawyers hold dear and their actual command of the digital infrastructure that stores and transmits client information is the central vulnerability of modern legal practice. And it is one that too many firms are failing to address. 

The instinct at most firms is to treat cybersecurity as a technical problem and delegate it accordingly. As Borden Ladner Gervais partner Eric Charleston observes in Canadian Lawyer's cover story on law firm cybersecurity, “Cybersecurity is still treated by a lot of firms as an IT issue, rather than a firm-wide risk management priority.” The result, he tells Jessica Mach, is control gaps that leave firms exposed – not because their IT teams are incompetent, but because the lawyers and leaders who should be overseeing them lack the knowledge to evaluate whether the protection is adequate. 

Mach’s reporting lays bare how far that exposure extends. Firms are failing to audit third-party vendors with whom they share sensitive client data. Others cling to on-premise servers in the belief that maintaining their own infrastructure is safer than relying on major cloud providers – a conviction the experts she speaks to argue is dangerously misplaced. And when a vendor suffers a breach, it is the law firm that remains accountable to the client. 

The risk does not stop at any single firm. As cybersecurity consultant Mazdak Araghrez points out, “If the weakest link in that chain is a smaller law firm which hasn’t got the right cybersecurity protections in place, it opens up the threat profile to everybody in that chain.” Every firm you work with, and every firm opposing counsel works with, becomes part of your security perimeter. 

None of this is merely a technology problem. It is a professional obligation. The lawyer who cannot account for the security of their clients’ data is not meeting the standard that confidentiality demands. The digital age has not changed that duty. It has simply made it far harder to fulfil.