Since 2011, the U.S. Government has recognized the tremendous gap in data protection facing the country’s top businesses in nearly every field, and the legal industry is no exception. Law firms, even mid-size and boutique firms, present an appealing target for cyber criminals seeking valuable corporate or personal information. But an even larger threat comes from within the law firm itself.

All too often law firms have no mechanisms in place to protect access to confidential and proprietary information. Everyone in the firm, from the most senior partner to the lowliest administrative assistant can access any client data. Worse still, law firms may not be aware of a data breach until years after it occurs, if at all. For example, an associate could have been uploading files to a personal cloud account for years, but without the correct data protection measures in place, the firm would be none the wiser.

The Model Rules of Professional Conduct Rule 1.6 (c) requires that lawyers “…make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The delineation between reasonable and unreasonable efforts is a hard one to make, but no effort is clearly a violation of this rule. Beyond that, there is a multitude of steps that the prudent attorney can take to protect client information.

At a minimum, controlling access to data, requiring strong passwords, and encryption of the most highly classified information should be the floor. Firms should also consider data loss prevention solutions which allow them to control data egress. A brief evaluation period could expose the senior partners at a firm to a freighting array of insider threats. Even then, protection from insider threats is only one facet of effective data protection for law firms; solutions for protecting against advanced cyber threats – such as spearphishing attacks that employ sophisticated malware – should also be considered for firms that want to show that they’re taking client data security seriously.

As the old adage goes, an ounce of prevention is worth a pound of cure. The only thing more valuable to a client than its funds is its confidential information, and in many cases the same can be said for cyber criminals targeting those clients. Once lost, confidential and proprietary information is not recoupable. Just as attorneys have IOLTA accounts to protect client funds, they should be considering the protection of client data.