Data Security and the Law Firm’s Legal and Ethical Obligations

In years past, security at law firms simply meant putting files away and locking the door on your way out. Today, even taking the step to password protect desktops is not enough when it comes to security of client information. Law firms and lawyers are subject to obligations, rules and regulations at the State, Federal, and International level when it comes to safeguarding client information.

The ABA Model Rules of Professional Conduct, Rule 1.6(c), states: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Here in Texas, attorneys are obligated by Rule 503(b) of the Texas Rules of Evidence to prevent the disclosure of confidential information.

The new General Data Protection Regulation (GDPR), which affects any business that has contacts in, or data related to, the European Union, is the latest privacy regulation attorneys must understand and comply with. They must also ensure their data practices secure information that may fall under:

  • HIPAA: The Health Insurance Portability and Accountability Act
  • FINRA: The Financial Industry Regulatory Authority
  • SOX: The Sarbanes-Oxley Act
  • FISMA: The Federal Information Security Management Act
  • FTCA: The Federal Trade Commission Act
  • And many more …

Simply seeking to achieve the minimum data security compliance level and calling it a day is no longer acceptable. Clients are demanding that data security meets, or exceeds, their expectations. And attorneys need to understand that a single data breach could destroy the firm’s reputation.

When it comes to eDiscovery, law firms need to understand that hosting client data in-house is an enormous risk to the firm. Most law firms today do not have the highly skilled technical resources available to support the high levels of data security that some eDiscovery vendors deploy. Even those vendors that have the personnel have suffered breaches over the past decade.
As an example of the highest level of data security available from outside providers, Harbinger offers asset and endpoint discovery, vulnerability assessment, continuous network and security monitoring, threat and vulnerability protection, intrusion prevention, and full-disk encryption. We have two-factor authentication and a state-of-the-art data center with multiple layers of redundancy at all levels and drive-level encryption. Harbinger’s data center is required to maintain Tier III standards and 2N redundancy, and to be Internet carrier neutral. Our data center is staffed with armed guards 24/7/365, with keycard/biometric access coupled with mantraps and checkpoints at every entry. Harbinger’s data center is also required to maintain SSAE 16, ANSI/TIA-942, PCI-DSS, FISMA, CJIS, Sarbanes-Oxley, and HIPAA certifications.

Be careful where you outsource your eDiscovery, as not all providers are created equal. Larger law firms are sending templated security questionnaires to all vendors under consideration. If your firm has not yet developed its own questionnaire, there are many templates available on the internet. Our advice to you: know your obligations, ask questions, seek documentation on security practices and check references. Your firm is too important to you and your clients to risk a potential data breach.