This is an old revision of the document!
Table of Contents
Thinking about security
Key points:
You are never going to be “perfectly secure”
Even if it was possible to protect against every possible attack while still being able to do your job – and I suspect that, technically, that’s simply not the case — it is not going to be affordable to do so.
If anyone insists that you must be perfectly or absolutely secure, they are asking you to do something which is unachievable.
What's important is that you are adequately protected against the realistic risks facing you.
Be realistic, and think about client experience
Security is important. So is client experience.
Some security controls are appropriate for highly confidential information, but some are less appropriate for less confidential information — the likelihood of harm, or the severity of the harm, does not justify the intrusion or inconvenience.
There comes a point at which providing security makes it more difficult for the client to work with you, contrary to their best interests.
Talk to your clients
If your clients are themselves experts, consider letting them take the lead.
If you act for a tech-aware client, who you know uses encryption for some communications, and they send instructions by unencrypted email, it may be reasonable for you to respond in kind.
Likewise, if they send encrypted attachments, you likely want to do so as well.
(You might always want to offer encrypted communications, so that less tech-aware clients realise that this is an option.)
Security is ongoing
Threats change, and the means of protecting against those threats changes. Security is an issue which you are going to need to continue to address, as one of the many ongoing responsibilities of being a lawyer.
If you are hoping that you can do something, put a tick in a box, and move on, never to think about it again, you’re going to be disappointed.
If you can get to a place where you are routinely identifying the threats which you are most likely to face, and taking precautions against them so that you remain “secure enough”, you are probably doing pretty well.
If you get nothing else from this site, hopefully it will be an encouragement to think about the kind of threats that you and your clients might face, and the types of mitigations and defences which might be available to you.