Confidentiality is the profession. A breach isn't just IT — it's an ethics problem.
Privileged matter data lives in your email, your document management system, and the cloud tools around them. Trust accounts and settlement funds move through the same systems. When either one fails, the exposure isn't only technical — it's a client-notification problem, a malpractice question, and a bar-duty question, all at once.
30 minutes, in plain English. Bring your questions; skip the jargon.
The duty of confidentiality doesn't pause for an IT gap
Attackers targeting a law firm want one of two things: the privileged, confidential matter data sitting in email and document management, or the money moving through the firm on a closing, a settlement, or a trust-account disbursement.
The common path to both is business email compromise. A convincing email, a spoofed domain, or a compromised inbox is usually all it takes — no exotic hacking required, just a moment where someone acted on an email that looked routine.
None of that pauses the ethical obligation. A firm's duty to protect client information doesn't have an exception for "we hadn't gotten to that yet." The breach and the duty happen on the same day.
Privileged data and client funds move through more systems than most firms track
Email and business email compromise
The most common way privileged data and firm money leave a firm's control. A partner's compromised inbox, a lookalike domain, or a well-timed impersonation can move either one without anyone noticing until the money is gone or the documents are already out.
Document management systems
Where the matters actually live — pleadings, contracts, discovery, client communications. Access that's broader than it needs to be is an open door that never announces itself.
Trust-account and wire paths
Real estate closings, settlements, and disbursements move through IOLTA and trust accounts — exactly the kind of large, time-pressured transfer that a fraudulent wire instruction is built to intercept.
Personal devices, co-counsel, and backups
Attorneys' phones and laptops, outside co-counsel and vendors on shared matters, and the backups behind all of it — each one a path into the same privileged data, managed by someone outside the firm's direct control.
Signs it's time
- Wire instructions for a closing or settlement get confirmed, or changed at the last minute, by email alone.
- Document management permissions haven't been reviewed since the system was set up.
- Attorneys work from personal phones and laptops with no device management in place.
- Outside co-counsel or vendors have access to matters that closed months ago.
- MFA is on for some systems, not all. Nobody's sure which.
- Your cyber insurance renewal asked questions the firm had to guess at.
Two or more sound familiar? That's exactly the firm this work is for.
What working with Droptine covers
- MFA and identity controls on email and the document management system
- Wire-fraud protections and out-of-band verification for trust-account transfers
- Managed, monitored devices for attorneys and staff, on-site and remote
- A review of co-counsel and vendor access, matter by matter
- Security documentation aligned with the firm's confidentiality obligations
- Backups that are protected, tested, and ready when a system or device fails
- Monitoring and maintenance after setup — because firms change, and security drifts
The Droptine plan, for law firms
Find the exposure
We trace where privileged matter data actually sits and how trust-account wires actually get approved — the document management permissions, the co-counsel access, the confirmation step that only exists on paper.
Lock down what matters
Email and wire-transfer verification come first, since that's where business email compromise does its damage. Then document access, devices, and the backups underneath all of it.
Maintain the program
New matters, new co-counsel, and new staff change the access map constantly. We keep the controls and documentation current, so the firm's confidentiality obligations stay backed by real controls, not a policy from two years ago.
Common questions
Isn't our practice-management vendor handling security?
They secure their own platform — the login, the hosting, the software itself. They don't manage the firm's email, the attorneys' personal devices, or the co-counsel and vendors who also touch a matter. Most incidents start in exactly that gap, outside the vendor's job.
What do the bar rules actually require?
Lawyers have a duty of competence and a duty of confidentiality that extend to how client information is safeguarded, including technology used to store and transmit it. Specific obligations — and any breach-notification duties — vary by state bar and jurisdiction. This isn't legal advice; confirm exact requirements with your bar and counsel.
We're a small firm — are we a target?
Small firms handle the same privileged data and wires of the same size as large ones, often with far less protecting them. That gap is exactly what makes a firm attractive to attack, regardless of headcount.
Can you help protect trust-account wires?
Yes. Out-of-band verification is the core control: a phone call to a number the firm already has on file, never a number or reply address taken from the email that carried the instructions, completed before any funds move. We pair that with the access controls and monitoring that make a fraudulent instruction easier to catch early.
We already have IT — why isn't that enough?
Most firm IT support is built to fix what breaks — email, printers, slow laptops. Security is a different job: deciding who can access which matters, verifying wires before they go out, and maintaining documentation that holds up under scrutiny. We can work alongside your current IT or handle both.
Confidentiality is the promise. Make sure the systems behind it can keep it.
Clients hand you their most sensitive matters on trust. A 30-minute conversation will tell you whether the systems holding that trust deserve it.