Gimmal Blog


Law Firms Exposed to Data Privacy Issues

Data privacy incidents and data breaches have become commonplace in the corporate and retail world. A recent article from JD Supra goes into detail on how these same issues are affecting law firms. Ironically, law firms are the ones providing guidance to their corporate clients while not always following proper data privacy and compliance practices themselves. Firms are responsible for their clients' data as well as their employees' data. There are a few key areas that every law firm can focus on to build a more comprehensive plan.

Storage and Retention

As with any business, firms must keep data protected from physical threats such as power loss, disasters or theft. Various storage options exist, including on-premises and cloud, and the choice depends on the needs of the particular firm. Clients will often want to know the processes and procedures their data goes through, so documenting them and making that documentation available to clients and staff prevents misunderstandings.

Throughout the period this data is stored, various individuals may need authorized access to it. Whether by segmenting the network (for example with a VLAN) or by encrypting the data before it leaves the firm, access should be limited to the people who need it. All employees handling client data should be trained on proper procedure to prevent human error that could be damaging not only financially, but to the reputation of the law firm.

As we have discussed here in the past, disposition is as important as the other parts of your information governance program. This is an especially complicated and important process in the legal world and must involve the buy-in of the partners, client and everyone involved in the case. The disposition workflow should be spelled out in detail so that no records are erroneously deleted.

Mobile Device Management

Theft or loss of any device such as a laptop or smartphone can be especially damaging if it contains sensitive information. Requiring strong passcodes on all devices is the baseline, and full-device encryption ensures that the storage of a lost or stolen device cannot simply be read. Additionally, encrypting communications whenever possible adds another layer of data privacy.

Law firms especially must consider any devices that may not be a part of their regular inventory such as client or third-party devices. When in your possession, they become your responsibility and should be explicitly documented and tracked.

Finally, Bring Your Own Device (BYOD) policies have become commonplace in the corporate world, and a clear policy should be defined for any law firm. If a law firm wants to allow employees to access data on their personal devices, those devices must meet a set of predefined requirements, up to and including enrollment in Mobile Device Management (MDM) software so the firm can enforce encryption and passcode settings and remotely wipe firm data if the device is lost. This limits unauthorized access and protects both the employee and the law firm itself.


Unfortunately, not all data privacy incidents are due to poor process or human error. Attackers are continually trying to gain access to any business that holds valuable information. One common route is social engineering, where the attacker pretends to be someone with a plausible need for credentials, such as IT staff or a client. Employees should therefore know never to share usernames and passwords by email, chat or phone, regardless of who appears to be asking; legitimate IT staff do not need a user's password to do their job.

Phishing attacks are broader and sent to many more individuals, but they can be just as damaging. The lure could be anything from the payment or payroll portal the firm uses to something as seemingly benign as a social media account; any breach of this sort can have consequences for both the employee and the firm. For example, a "reset password" link may lead to a look-alike page that harvests the employee's credentials, or to a download that infects the machine and spreads through the firm's network.


Even a robust information governance plan can be compromised by a data privacy breach. The overall cybersecurity of the law firm should be one of the first steps when considering the information governance environment and where potential gaps might exist.
