Risky Business: The Consequences of Handing Your Ediscovery Data to Law Firms

The Panama Papers leak that shuttered Mossack Fonseca. The Paradise Papers hack on elite law firm Appleby. And now a security firm has found over a million UK law firm email addresses — over 80% of them accompanied by their passwords — on the dark web.

Do you still think you should trust a law firm with your company’s most sensitive information?

Whatever data you’ve preserved in the course of discovery is bound to be important. Allowing it to be revealed to the world may destroy your case, your reputation, or even your entire business.

But if you’re sending that data to a law firm for processing and review, you’re not just paying more for discovery — you’re also taking on a security risk.


CIO reports that hackers are “aggressively targeting law firms.” There’s good reason for that: law firms concentrate critical business information from a wide range of clients. In other words, they have only the most important portions of your company’s information, along with the most sensitive portions of dozens or hundreds of other companies’ information.

But it’s more than the availability of monetizable information that draws hackers. It’s the embarrassing lack of basic security measures at most law firms. As the American Bar Association noted in its Formal Opinion 477, law firms are targets both because they distill critical business information and because their safeguards are “inferior to those deployed by the client.”

Yes, that means your data is better protected in your possession than it is once you send it to a law firm.

Why are law firms so miserable at data security? Perhaps because lawyers are notoriously technology-impaired; most do not understand the risks and vulnerabilities that they create through their poor data management practices. For example, the recent email and password leaks are believed to have originated from the LinkedIn hack, because lawyers used their professional email addresses on the social media site. Where those passwords were reused, the same leaked credentials give an attacker a way into the firm email accounts that hold sensitive documents.

You’d think those email accounts would at least be encrypted, but you’d be wrong. Only 36 percent of law firms reported using encrypted email even when they were sending privileged or sensitive communications to their clients.

This failure highlights law firms’ noncompliance with simple, easily implemented security measures. Even where law firms have created cybersecurity policies, the ABA reported that 95 percent of firms were not compliant with those policies. All of the responding firms indicated that their security measures failed to adhere to their clients’ policies.

Add to that lack of knowledge and compliance the standard challenges of legal professionals — heavy workloads, distraction, time pressure, and the need for on-the-go attorneys to access data from multiple points or devices — and law firms have generated a perfect storm for security breaches. Every access point creates a vulnerability, a potential point of ingress for a hacker. Remote data access, mobile device usage, Wi-Fi hotspots, unsecured company laptops, thumb drives… the number of vulnerabilities a law firm can create for your data is staggering.

To make matters worse, you may never know that the law firm you use has suffered a security breach. In fact, the firm itself may not know; 40 percent of law firms aren’t aware when they’ve been breached. And even if the firm does know, it may choose not to advise its clients. The American Bar Association’s 2017 Legal Technology Survey Report stated that only 11 percent of firms notified their clients about security breaches.


Anytime you transfer data outside of your control, of course, you introduce a risk. But sending data that you’ve cherry-picked as your most sensitive company information to a law firm with a hacker target on its back is an unnecessary risk today, given how easy it is to keep the entire ediscovery process in house.

Managing your own data in house using modern software-as-a-service (SaaS) ediscovery tools allows you to create, maintain, and enforce your own security standards. Working with trusted vendors who have passed a SOC 2 Type 2 audit gives you independent attestation that your data is encrypted at rest and in transit, subject to regularly scheduled security audits and vulnerability scans, and monitored continuously for suspicious activity.

Keeping ediscovery in house doesn’t just save you money on data processing and document review. It allows you to proactively protect your data using a holistic data governance strategy that you can enforce compliance with — which might mean saving your entire business.