Jul 27, 2023

Why Email Breaches Continue to Plague Lawyers … And What to do About it

The first email alarm bells sounded in the late 1990s, when it became the prevalent method of business communication. The ABA and innumerable internet security experts made it clear to lawyers: “Beware: email is not a private method of communication.”

Fast forward to 2023 and email represents 96% of all communications generated by law firms. And it’s still not private. The consequences have been telling:

  • 90% of CISOs (chief information security officers) say their firms’ email has been breached, ranking above financial institutions (85%) and health care organizations (75%)
  • 24% of law firm email data breaches are caused by unintentional errors by lawyers and staff
  • Email data breaches by remote workers are twice those of in-office staff
  • Indemnity claims by law firms for email-related fraud losses are at record levels in Ontario

Why are lawyers and law firms such juicy targets?

Law practices are a treasure trove of sensitive and valuable information, making them compelling targets. Among the subject matter attractive to cybercriminals:

  • M&A transactions
  • Financial information
  • Real estate deal details
  • Confidential litigation
  • Personal private information
  • Wills and estates details
  • Evidentiary artifacts
  • Trust accounts

All of them are beautifully gift wrapped, with names and details of parties and highly confidential legal information.

Law firms are literally victims in waiting, and unfortunately too often laggards in adopting helpful technologies, including email and network security solutions. Late adoption could be considered a failure to follow best practices. Malicious hackers know this and target law firms accordingly.

Lawyers know of the risks. In a Lexis Nexis survey, 90% agreed that the loss of client information to an unauthorized party would be “consequential.” Yet 89% of the same group admitted to using non-secure email when sending sensitive files to clients and other parties.

Solutions abound but aren’t used

Canadian provincial law societies and the American Bar Association have been consistently vocal to their respective members that the use of a secure document portal rather than email solves the issue of security when sending or receiving sensitive files.

Document exchange portals are ubiquitous, inexpensive and significantly easier to use today than the ’90s-era versions. Every Canadian bank uses them, as do most accounting firms and their clients.

So why not law firms? To be fair, many firms do use or have access to secure document portal services. Notably, however, usage patterns between firms of similar sizes and practice type are sharply divergent. Some use their secure document portal heavily and consistently, others only sporadically.

In an online survey conducted among users of our own secure document portal, xchangedocs, we discovered some revealing insights:

  • 60% of users habitually send files as email attachments
  • 31% would use the portal more if their management mandated it
  • 47% of users most value the portal for serving parties electronically
  • 31% of users most value the portal for sending files that are too big for email
  • 14% of users most value the portal because it keeps files confidential and secure

Law firm management takeaways

Hard-working support staff in law firms value perceived convenience and productivity above data security. Use of email attachments that put sensitive files at risk is an entrenched habit. If managing partners and their senior operations staff are serious about mitigating IT security risk at their firms, they need to mandate the use of effective solutions while also selling staff on the productivity benefits. If this approach seems draconian, keep in mind that adopting best practices in email security isn’t left to the discretion of individuals in well-run firms. Employees aren’t typically permitted to “opt out” of the firm’s chosen accounting or document management solutions. The same should apply to email security.

Senior partners often have purchasing authority for their firm’s technology. Understandably, the same individuals, being practitioners, don’t have the time or wherewithal to ensure post-purchase staff usage and compliance. The effective managing partner and their executive committee will sponsor and lead the decision to adopt technology, yet delegate to a staff representative to ensure ongoing usage. IT managers, in-house trainers, practice management specialists or the office administrator can be very effective in this compliance role.

The worst-case scenario for any firm would be to have ready access to a secure document portal, choose instead to use non-secure email out of habit, and suffer a costly data breach, consequent financial loss, and a professional indemnity claim. Sadly, that very scenario transpires with alarming frequency.
