Law firms are obligated to protect their client's data, as dictated by federal and state laws as well as local jurisdictional ethics rules. You'll read and understand the relevant rules—you're a lawyer, that's basically what you do. Technical compliance, however, is where the rubber meets the road. Leaving aside the matter of data breach reporting, to focus on the preliminary issue of data protection, questions of technical compliance, at a number of levels, come to the fore.

Data hackers are relentlessly poking at systems, in order to find weaknesses. It's telling that a common technique is known as a brute force attack. Throwing everything they have in a concentrated blast at one part of the wall before moving on to the next is basic siege mechanics for hackers. So, in order to effectively track your data, it's important to protect it at all levels— and, there are a lot of layers here to look after.

Take the humble Microsoft Word document, and consider the myriad ways it might be subject to exposure. At the document level, you've got the potential for exposed metadata (essentially buried information about edits), as well as questions about restrictions on document access: Is it encrypted? Do viewers have “read-only” access, or which ones have read-only access? Can the document be forwarded, or printed? Will access to the document expire after a set time period? You can trigger basic protections like those alluded to above within Microsoft Word, or even via conversion to a PDF management program, like Adobe Acrobat; but, unless you're asking relevant questions related to data security, and acting on those, you're potentially exposing sensitive data.

But, a document does not exist in a vacuum; and, as soon as that document is available within a particular system, it is also exposed to any loopholes inherent in or created by, that system. So, consider whether the document is encrypted as it resides on the system. Does the case management system you use, for example, encrypt all data at rest, including documents? Do you trust that protection alone, or will you encrypt your documents first, before uploading them, or making them available, within a system, to add another layer of security? In terms of personnel management, do those staff persons accessing your systems only have access to the files and documents they need access to? With the availability of granular access options, including down to the document level, it pays to be thoughtful about who gets to see what, to secure your information from overexposure. If you use integrated systems—perhaps you link a document repository, like Microsoft OneDrive, to a case management system—are all of the integration points encrypted, and does each system you use apply viable security measures? If you choose to share documents with clients and colleagues, do you utilize client portals or sharing protocols within the systems you use? Do you have a single process or workflow for how you share information that all employees adhere to?

And, if you're not sharing a document within a system architecture, but prefer email as a transit method, there are other issues to address, since you can't know the security protocols for every server an email passes through. Do you consider an email encryption service, which allows you to send a document to a third party, secure inbox for access by a recipient? And, will you turn that feature on manually or use automated triggers, e.g.—the presence of information sets protected by your state's data security laws? If you decide that an email system is too costly, or that you don't send enough documents via email to justify the use of such a system, do you then encrypt documents on an ad hoc basis, using a productivity or PDF software, only when you need to?

Even at this late date, hardware has not been totally eliminated. And, even if you're not accessing documents directly via your laptop or tablet or smartphone, you're using that hardware to access the systems where you get those documents. Therefore, it's also imperative that you appropriately secure the devices you use to access the software you use to access the documents you need. This includes, for most modern law firms, the creation and maintenance of a BYOD (bring your own device) regime.

Most law firm managers, and especially law firm IT people, blanch at the sheer breadth of data security requirements in the legal environment. And, managing that effectively does require a thoughtful and systematic approach. But, the implementation strategies built around such an approach will significantly reduce any law firm's risk profile.

Jared D. Correia is the founder and CEO of Red Cave Law Firm Consulting, which offers subscription-based law firm business management consulting and technology services for solo and small law firms. Red Cave also works with legal institutions and legal-facing corporations to develop programming and content.