Document Security: A Law Firm Guide to Protecting the Confidentiality of Shared Client Files

Document Security

File-Sharing in the Legal Industry

Survey uncovers disconnect between security fears and the everyday practices that can leave firms open to breaches

About the Survey

The file-sharing survey by LexisNexis was conducted to develop a greater understanding of legal professionals’ views on the importance of file-sharing security, and the collaboration tools used by U.S.-based law firms today. It was conducted online March 5-19, 2014 and only respondents who identified themselves as practicing attorneys or legal professionals were allowed to participate. 

A total of 282 respondents from more than 15 practice areas participated, representing 40 states and two territories including the District of Columbia. Respondents were provided an incentive to complete the survey: the chance to be entered in a random drawing for one of 14 prizes.

Survey Demographics

Practicing attorneys were best represented in the survey: 

  • 77% of respondents self-identified as practicing attorneys
  • 7% identified themselves as paralegals 
  • 6% identified as administrative support

The majority of respondents were professionals from small firms: 

  • 73% of respondents reported working at firms with 10 or fewer attorneys
  • Of that 73%, 49% identified themselves as representing solo or two-attorney firms

Broad practice areas represented: 

  • 17% of respondents reported working for firms focused on litigation 
  • 14% said they worked for family law firms
  • 13% identified their firms as general practice
  • The rest represented more than a dozen additional practice areas

Executive Summary

Maintaining client confidentiality has always been a cornerstone of ABA rules, addressed in the Model Rules of Professional Conduct 1.6: Confidentiality of Information (c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

According to this 2014 LexisNexis survey of attorneys and other legal professionals, the majority of respondents appear to take their confidentiality responsibilities seriously. When asked about the possible outcome of having an unauthorized third party gain access to shared documents, more than 80% considered the possibility of such a breach consequential or very consequential to their firms.

On the other hand, when asked how they collaborate with clients or privileged third parties on matters, almost 90 percent answered that their firms used email – a file-sharing method that can be vulnerable to security breaches – almost three-quarters using it on a daily basis.

Why the disconnect? It’s entirely possible that many legal professionals simply aren’t aware of how vulnerable email communications can be to potential security breaches. Or perhaps they do realize it and consider themselves protected by the additional precautions they take, among them:

  • Including a confidentiality statement in the message body – 77%
  • Encrypting emails – 22% 
  • Including a confidentiality statement in the subject line – 21.6%

Maybe the question isn’t whether law firms consider such steps sufficient, but whether: 

  1. Their clients would feel safer if the lawyer used more hardy means of protecting confidential data 
  2. They’re meeting their obligations under the Model Rules to take reasonable care of their clients’ confidential data

The disconnect between what firms say about security and what they do

fig1

fig2

fig3

fig4 

Email confidentiality statements: Are they enough to protect firms? What about their clients?

According to survey respondents who do use email to send client-privileged communications, the great majority depend on confidentiality statements – either in the body copy of the email or in the subject line – to protect their communications, which begs further questions. Do law firms consider confidentiality statements a viable way to protect privileged communications, or are they merely including them to protect themselves?

According to LexisNexis Senior Product Manager Christopher T. Anderson, who maintains law licenses in Georgia and New York, “The use of the confidentiality statement conflates the duties to maintain client-attorney privilege, and the duty to protect client confidential information. On the one hand, privilege is not something the attorney can unilaterally waive (though through careless practice involving the client, they certainly can). On the other hand, confidences, once let into an unsafe ether, are put at risk, and no ‘confidentiality statement’ can mitigate that.”

Also of note on the “precautions” question, it’s worth pointing out that on a previous question, 32.3% of respondents indicated that their firm used encrypted email to collaborate with clients, while only 22% indicated that they use encrypted email as a precaution in this question. The difference may indicate some degree of confusion as to the definition of “encrypted email” or whether respondents’ firms actually do encrypt emails.

Again, we asked Christopher Anderson to weigh in on the question of how the definition of “encrypted email” might be a source of confusion for some firms. “I am confident that when put to the test, far fewer than 22% of respondents would be able to convey an accurate, complete understanding of what ‘encrypted email’ is. Some may encrypt attachments, some may be sending email over an encrypted SSL or VPN connection, but many without realizing that the emails, once moving from sender to recipient, are transmitted without encryption (though encrypted attachments retain their protections). Use of actual encrypted email systems are not nearly high enough to translate to use by 22% of law firms.”


fig5 

More than half of respondents put confidential client information on free consumer file-sharing sites.

While there is nothing in the Model Rules that prohibits the use of any particular type of file-sharing site, it’s important for attorneys to understand that solutions created specifically for protecting privacy can give them, and their clients, a greater shield against potential security breaches.

Christopher Anderson is especially wary over the use of consumer file-sharing sites by his fellow attorneys: “Ease-of-use and mass appeal trump security. Attorneys need to look for clues in “Terms and Conditions” and in the architecture of systems,” Mr. Anderson said. “While ease of use is certainly important to law firms and other enterprises who need to share confidential data, a primary focus on security and maintaining confidences would seem more appropriate to
our needs.”

A recent article by Graham Cluley, who specializes in computer security issues, should also give attorneys reason for second thought.


fig6

Unauthorized use of consumer file-sharing: What your firm doesn’t know can hurt even more.

Even the most well-intentioned firms with strong policies against it may find reason for concern over the use of consumer file-sharing sites. Many surveyed legal professionals answering a follow-up question about whether their peers used such services indicates a lack of certainty.

In fact, the answers were split nearly evenly on whether respondents believed other employees were using free file-sharing services without the firm’s knowledge or approval.

  • 35.8% said yes
  • 31.2% said no
  • 33% answered that they were unsure

Having employees who do use such services without permission may make firms even more vulnerable to data breaches simply because it makes them unprepared to protect themselves in the event they’re challenged with a malpractice suit.

Attorney Christopher Anderson believes firms should take a strong stand against the use of consumer file-sharing services by putting in place and enforcing the policies that prohibit their use.

According to Mr. Anderson: “At the end of the day, your clients’ confidential information is kept only as secure as your weakest link. Failing to have clear and well-communicated policies all but guarantees that some members or staff of the firm will do what is most expedient, rather than what is in the clients’ best interest; not out of malice, or even neglect, but sometimes because they just don’t know better.”


Size does matter. But which firms are more vulnerable to security breaches: Large or small?

The survey uncovered several instances in which small firms appear to have fewer protections in place against file-sharing security breaches than larger ones.

On the question of whether the respondents’ firms provide “enterprise-grade file-sharing services,” about half of survey-takers from 50+-attorney firms said yes. The smaller the firm, though, the less likely the respondents were to answer positively, from 38.5 percent of those from 20-50 attorney firms who said yes, to only 10.8% of legal professionals from one- and two-attorney firms who said their firms provided enterprise-grade file-sharing services.

fig7

The same protection gap proved true for the use of encrypted email: 60% of respondents from law firms with 100+ attorneys reported using encrypted email. Within the solo- and duo-attorney firms, that percentage plummets to less than half the large-firm percentage: 28%.

fig8

The trend continues on the question of whether respondents’ firms have used free commercial file-sharing services. While fifty-three percent of surveyed legal professionals from solo- and duo-attorney firms said they have used free commercial file-sharing services, only 30% of those from 100+ attorney firms have.

fig9

Again, this suggests greater rigor in the IT governance policies at larger law firms. Attorney Christopher Anderson found the security differences between small and large firms predictable, but he still sees reason for optimism among small firms trying to play catch-up with their larger rivals.

“Smaller firms today have access to a variety of tools that can help them maintain their clients’ confidences in ways that are no longer cumbersome or difficult to enforce,” said Mr. Anderson. “Tools like Watchdox® once were available only to larger enterprises, but are now being made available to solos and really small law firms as well. Watchdox, for example, which is offered at no charge with a LexisNexis Firm Manager® subscription, allows for easy, but powerful file and workspace sharing, where the attorney can retain control of the document even after the recipient has downloaded it, and can restrict and track what the recipient does with the shared document, including watermarks, and prohibitions on printing and forwarding.”


fig10

Watermarks, permission changes and document-storage capabilities top list of most important file-sharing features.

The LexisNexis survey asked respondents to rank on a scale of one to five – with five being the most important – features they feel should top the list of file-sharing systems. By a significant margin, the surveyed professionals chose the ability to add a visual watermark unique to each user.

Watermarks can protect law firms by allowing them to detect the source of security breaches in the event a document is shared with an unauthorized third party.

Respondents also suggested a strong desire to be able to change document-viewing permissions in the event the firm finds reason to prevent viewing after a file has been shared.

In addition, they reacted positively to the idea of being able to use a file-sharing service for document storage.


In their own words: Law firms on file-sharing in 2014.

The final question of the survey was an open-ended question. The question was optional and of the 282 respondents
that completed the survey, 233 answered.

fig11 


The tag cloud below represents the words most frequently used when legal professionals think about file-sharing: The larger the word, the more often it was cited.

fig12 

About LexisNexis

LexisNexis® Legal & Professional is a leading global provider of content and technology solutions that enable professionals in legal, corporate, tax, government, academic and non-profit organizations to make informed decisions and achieve better business outcomes. As a digital pioneer, the company was the first to bring legal and business information online with its Lexis® and Nexis® services. Today, LexisNexis Legal & Professional harnesses leading-edge technology and world-class content, to help professionals work in faster, easier and more effective ways. Through close collaboration with its customers, the company ensures organizations can leverage its solutions to reduce risk, improve productivity, increase profitability and grow their business. Part of Reed Elsevier Inc., LexisNexis Legal & Professional serves customers in more than 100 countries with 10,000 employees worldwide.

LexisNexis helps professionals at law firms and legal departments of all sizes manage the business element of their practice or department with innovative software and mobile solutions for customer relationship management, competitive intelligence gathering and assessment, time and billing management, matter management, client analysis, legal holds and more.

Contact our experts now
  • Start your free trial
  • Schedule a demo
  • Get pricing
  • Sign up for a free consultation