Can You Keep a Secret? Ensuring Attorney-Client Privilege with Identity Security
The relationship between a client and attorney is predicated on trust. For law firms, information security is an ethical and legal obligation. In Model Rule 1.6(c), the American Bar Association requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
Attorney-client privilege has become more difficult to maintain since the advent of the internet. With ever more creative and destructive cyberattacks targeting law firms of every size, we must take tangible steps to secure sensitive client information, whether it’s in transit or at rest. The trust clients place in their legal counsel, and let’s be honest, the firm’s reputation, depends directly on the firm’s ability to safeguard invaluable client data.
10 Things to Know About Information Security for Law Firms
Cyber threats aren’t a hypothetical for law firms. The data is clear. Here are ten things to know about information security for law firms:
- Threat Landscape: The most common types of cyberattacks targeting law firms are phishing, insider threats, ransomware attacks, and DDoS.
- Rising Threat: According to the ABA, 42% of law firms with 100 or more employees have experienced a data breach.
- Tunnel Vision: In 2023, Tech Advisors reported that 80% of law firms were using spam filters as their primary cybersecurity tool, in an effort to repel phishing attacks.
- Third Eye Blind: IBM's 2024 Cost of a Data Breach report revealed that fewer than half (42%) of data breaches were identified by in-house security teams; in 34% of cases the organization was informed by a third party that it had been breached, and 24% of breaches were revealed by the attackers themselves.
- The Bare Minimum: The ABA reports that fewer than half of law firms (43%) create online backups of their data, which is the bare minimum for protecting data.
- Worst Case Scenario: Integris’ 2025 Law Firm Cybersecurity Report shared that 40% of law firm clients said they would fire or consider firing their law firm if it experienced a breach, and more than a third (37%) said they would warn others about it.
- Pay Now or Pay Later: According to IBM’s Cost of a Data Breach report, the average financial cost of a law firm data breach in 2024 was more than 5 million dollars.
- Security Gaps: The ABA’s 2024 Solo and Small Firm Tech Report revealed that solo and small firms lag behind larger firms in terms of security, with fewer than half protected by Multi-Factor Authentication (MFA).
- Insurance ≠ Security: In 2023, the ABA found that 80% of law firms were covered by at least one cybersecurity insurance policy, but incident response planning was severely lacking, with only 34% of firms having a plan for response and recovery.
- Client Expectations: According to Integris’ 2025 Law Firm Cybersecurity Report, 40% of respondents would pay a premium to be represented by a firm that uses modern technology, with 69% indicating that it is extremely important to them that their law firm uses a secure portal for document transfer, as opposed to email.
How Identity & Access Management Benefits Law Firms
Spam filters are an important part of your overall security posture, but identity & access management (IAM) goes a step further by dictating who gets access, to which files, and under what conditions.
It's the difference between just blocking suspicious mail and having a comprehensive security architecture that meticulously tracks and verifies the identity and permissions of everyone who interacts with your most confidential data.
Automated Access Audits for Compliance: Modern IAM makes it simple to show auditors (or the bar association) who has access to sensitive client data, replacing a painful manual reporting process with an automated report.
Least Privilege for eDiscovery: IAM enforces least privilege, only granting access to authorized individuals and automatically revoking it when their need for access expires. Timely deprovisioning drastically reduces your risk surface.
Secure Client Portals: Stop sharing sensitive documents via email. IAM can protect your firm with secure client portals, providing a single, auditable place to share discovery documents, contracts, and case files with stakeholders and clients.
IAM: Your Secret Weapon for Ensuring Attorney-Client Privilege
Is your firm truly secure? Your security is only as strong as your control over who can access what data, and when.
Law firms have an ethical and contractual obligation to make reasonable efforts to prevent the loss or leakage of client data. Meeting this obligation requires more than spam filters. You need robust identity security to monitor, manage, and secure access to your firm’s valuable data assets.
KeyData Cyber helps law firms with seamless, scalable, and streamlined Identity & Access Management solutions, including managed services that simplify identity security with a cloud-based subscription model designed to evolve with your firm’s needs and goals.
Interested in a complimentary assessment of your security architecture? Contact us to schedule a consultation.