Obsidian Ridge

Protecting Privileged Communications and Sealed Court Records: The Confidentiality Stack Every Small Law Firm Should Build

How small law firms actually protect attorney-client privileged communications, work product, and sealed court records in 2026 — the technical controls, the process controls, and the ABA-aligned stack.

Reviewed May 14, 2026 by Kfir Yair, CISSP · CCFH · ZDTA · CySA+ · Security+

Attorney-client privilege is not a forcefield. It is a doctrine that protects communications on the condition that the lawyer took reasonable steps to keep them confidential. When the confidentiality practices fail, courts have shown — increasingly often — that privilege can fail with them.

In 2026, "reasonable steps" is no longer a password on the firm's WiFi. It is a stack.

Why this article exists

The law-firm cybersecurity calls that come into our practice are mostly from firms with eight to forty lawyers, where a partner's personal iPad just synced protective-order material into iCloud, or where the office manager's Microsoft 365 mailbox got hit with the same AiTM phishing kit that hits every small business in the country.

The pattern that gets a small firm in trouble is almost never sophisticated — a missing baseline, a partner reading matter documents on a personal device, or a sealed filing that never quite got sealed. This article walks through the confidentiality stack a firm of that size should actually build.

Four things are worth understanding before you spend a dollar on tools.

ABA Model Rule 1.6 establishes the duty of confidentiality; subsection (c) requires lawyers to make reasonable efforts to prevent unauthorized disclosure of client information. Most states have adopted Rule 1.6 or a close analog.

ABA Formal Opinion 477R, issued in 2017 and revisited since, addresses electronic communication of client information. The headline: ordinary email is generally acceptable for non-sensitive matters paired with reasonable security controls, but some matters require stronger measures — encrypted channels, secure portals, or end-to-end-encrypted email. It is framed as a sliding scale, because matters and risks vary.

Privilege case law is trending. Without quoting any decision as binding precedent, the direction across federal and state opinions in recent years has been to look harder at the lawyer's confidentiality practices when deciding whether privilege was waived — particularly for email on shared systems, documents on personal devices, and unencrypted channels for sensitive matters. The doctrine has not changed; the application has gotten stricter.

Sealed records. Many jurisdictions explicitly require encryption or secure handling of sealed documents, and violation can be treated as contempt rather than a privilege issue. Read your local rules.

Match the controls to the matter

Not every matter needs the same security posture, and pretending otherwise is how firms end up paying for encryption on real-estate closings while sealed filings sit in a partner's personal Dropbox. The model that holds up in practice is a three-tier sliding scale.

Routine matters. Standard real estate, estate planning, routine commercial, basic litigation without protective orders. Ordinary Microsoft 365 or Google Workspace email, MFA on every mailbox, baseline managed EDR on every endpoint. No special controls beyond the firm's documented baseline.

Sensitive matters. M&A, IP, trade secrets, sensitive personal injury, regulatory matters, anything with a confidentiality agreement attached. Encrypted email or a secure portal for document exchange. Restricted access in the DMS so only matter-team members see the workspace. Reasonable scrutiny on outside-vendor data handling.

Highest-sensitivity. Sealed records, certain juvenile and family matters, qui tam, government investigations, any matter under an unusually strict protective order. Named-access only — the matter team is an explicit list, not "everyone with a litigation department login." Encrypted at rest with separated key management where the DMS supports it. Audit log review per access, not per quarter.

Write this scale down in the firm's information security plan and tie each tier to the actual controls. Untiered policies fail because lawyers cannot tell when to apply them.

Encryption — necessary, not sufficient

Encryption gets disproportionate attention because it is concrete and measurable. It also does less than people think.

Encryption in transit — TLS 1.2+ on email, DMS access, every cloud service — is table stakes. If anything in the stack is still on plain HTTP or unencrypted SMTP, that is the first fix.

Encryption at rest is BitLocker on every Windows endpoint, FileVault on every Mac, and at-rest encryption on the DMS (most cloud DMS vendors include this — confirm rather than assume). Endpoint encryption is what turns a stolen laptop into a paperweight rather than a privilege incident.

End-to-end encrypted email is what you reach for on highest-sensitivity matters: ProtonMail Business for firms whose practice is built around it, Microsoft Purview Message Encryption inside an M365 tenant for occasional sensitive sends, or pushing content through a portal instead of email.

The part the encryption discussion glosses over: encryption does nothing when the credential is stolen. If an adversary-in-the-middle kit has captured a partner's M365 session cookie, every encrypted email and at-rest-encrypted document is fully readable to the attacker, because the system treats them as the partner. This is why Managed ITDR sits next to encryption in the stack, not as an alternative to it.

The secure-portal pattern

Most modern law-firm DMS platforms include a client portal — NetDocuments ndShare, iManage Share, Clio for Clients, MyCase's client portal. If the firm pays for a DMS, the portal is usually already in the license. It just is not turned on.

The pattern that works:

  • The firm uploads the document to the portal instead of attaching it to an email.
  • The recipient gets a notification with a link, not the document itself.
  • The recipient authenticates — with MFA for sensitive matters — before viewing or downloading.
  • Every view and download is logged with timestamp and IP.
  • Access is time-bound for one-off recipients (opposing counsel reviewing under a protective order, an expert retained for a single matter).

The portal does three things at once: keeps documents out of recipients' personal email archives, gives the firm a real audit trail, and lets the firm revoke access when the matter closes. None of those is possible when a PDF gets emailed.

Sealed records and protective-order data — handled separately

Sealed material does not belong in the firm's general DMS workspace with the rest of the matter. It belongs in a restricted-access container.

The pattern we deploy for firms handling sealed work:

  • Sealed documents tagged in the DMS with a restricted-access classification enforced by the system, not by convention.
  • Encrypted at rest with a separate key where the DMS supports it (iManage and NetDocuments both offer this for sensitive workspaces).
  • Named-access list, reviewed at least quarterly, with every addition tied to a documented business reason.
  • Audit log review on every access, not just on access-pattern anomalies.
  • Never on personal cloud storage — not Dropbox personal, not consumer Google Drive, not personal OneDrive.
  • Never on USB media without encryption and a documented chain of custody.

If the firm cannot operationally meet that bar, it should not be holding sealed work — sometimes the honest answer for a small firm taking on a matter it is not built for.
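As an added example (not from the original article or any DMS vendor's tooling), the following Python reviews every access in a sealed workspace's audit export against the named-access list, flagging users who are not on the list, time-bound grants that have expired, and accesses made without MFA. The log format, user names, document IDs, and the rule that MFA is required for sealed material are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed named-access list for one sealed workspace (all names hypothetical).
# Each entry carries the documented business reason and an optional expiry for
# time-bound recipients such as a retained expert.
ACCESS_LIST = {
    "apartner": {"reason": "lead counsel", "expires": None},
    "bassociate": {"reason": "second chair", "expires": None},
    "expert1": {"reason": "retained expert, single matter",
                "expires": datetime(2026, 3, 31, 23, 59, 59)},
}

# Constructed audit export: timestamp, user, source IP, action, document, MFA used.
SAMPLE_LOG = """\
2026-03-02T09:14:07,apartner,203.0.113.10,view,SEALED-001,yes
2026-03-02T21:40:55,bassociate,198.51.100.23,download,SEALED-001,no
2026-04-02T08:03:19,expert1,192.0.2.77,download,SEALED-002,yes
2026-04-03T11:26:42,cparalegal,203.0.113.10,view,SEALED-001,yes
"""

FIELDS = ["ts", "user", "ip", "action", "doc", "mfa"]


def review_sealed_access(log_text, access_list):
    """Review every access event (not only anomalies) against the named-access list."""
    results = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        when = datetime.fromisoformat(row["ts"])
        grant = access_list.get(row["user"])
        issues = []
        if grant is None:
            issues.append("user not on named-access list")
        else:
            if not grant["reason"].strip():
                issues.append("no documented business reason")
            if grant["expires"] is not None and when > grant["expires"]:
                issues.append("time-bound access expired")
        # Assumption: sealed material always requires MFA at the portal or DMS.
        if row["mfa"].strip().lower() != "yes":
            issues.append("no MFA on sealed material")
        results.append({**row, "issues": issues})
    return results


if __name__ == "__main__":
    for r in review_sealed_access(SAMPLE_LOG, ACCESS_LIST):
        status = "; ".join(r["issues"]) or "ok"
        print(f'{r["ts"]} {r["user"]:<11} {r["ip"]:<14} {r["action"]:<8} {r["doc"]}: {status}')
```

Every event gets a line in the output, including the clean ones, so the reviewer signs off on each access rather than only on exceptions.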

The BYOD reality

Partners are going to read matter documents on iPads at home, on phones in airports, on personal laptops over the weekend, whether the firm has a policy or not. The question is whether they do it inside a controlled container or outside it.

The compliant pattern is Intune App Protection Policies — mobile application management (MAM), as opposed to full mobile device management. MAM puts the firm's apps (Outlook, the DMS client, Teams) inside an encrypted container on the personal device. The firm can wipe the container without wiping the device. The partner keeps personal photos and apps; the firm keeps matter data out of personal iCloud.

The non-compliant pattern is the partner downloading the PDF to the iPad's Files app, where it syncs to personal iCloud and lives in iCloud backups. Or matter documents in personal Gmail "because it was easier." Or trial-prep notes in WhatsApp.

This is the single most common failure mode in small-firm confidentiality. The fix is not yelling at partners — it is rolling out the MAM container, telling partners "use these apps on your personal device and you are covered," and training them on what not to do outside it. Managed SAT is the program that makes that training repeatable rather than a one-time email everyone deletes.

Email — when ordinary email is fine

Per Opinion 477R, ordinary email with MFA and a sensible baseline is acceptable for non-sensitive matters — most of what a small firm does.

The triggers for moving up the scale are consistent across case law and ethics opinions: trade secrets or competitively sensitive commercial information; sealed information of any kind; certain family-law matters; sensitive criminal-defense work; M&A or regulatory work in regulated industries; anything under a court-ordered protective regime.

When those triggers fire, the firm switches channels — encrypted email, the secure portal, or another end-to-end channel — and the matter file documents the choice. The written information security plan should articulate the classification policy so that "is this matter sensitive enough to use the portal?" does not depend on which partner is asking.

Co-counsel, experts, and vendors

Privilege travels with the document, and so does liability when it leaks. Three patterns matter.

Co-counsel. Either confirm equivalent security (MFA, encryption, EDR, written plan), or use the secure portal as the channel rather than direct email. If you are co-counseling with a solo running on consumer Gmail, the portal is non-negotiable.

Expert witnesses. Written engagement letter specifying data handling, retention, and return or destruction at matter close. Experts are notoriously casual about confidentiality — the letter gives the firm leverage if something goes wrong.

e-Discovery vendors. Contractual data-handling requirements, breach-notification obligations, audit rights. Reputable vendors will sign this; if a vendor will not, that itself is data.

Court reporters. Written agreement on encrypted handling of transcripts, particularly in sealed proceedings.

Court e-filing — verify, don't assume

PACER and state e-filing systems are the channels through which a litigation firm's most sensitive documents travel. Two practical controls matter.

First, enable MFA on the firm's filer accounts wherever the system supports it; PACER has expanded its support meaningfully in recent years.

Second, use dedicated filer accounts tied to the firm, not personal accounts attached to a single partner. When a partner leaves, the audit trail should not leave with them. Review filing privileges at least annually.

For sealed filings, verify after submission that the seal actually applied. The mechanism is generally robust, but operational mistakes happen, and a sealed document filed un-sealed is a problem the firm wants to catch in minutes, not weeks.

A practical 90-day path

For a small firm that wants to get from "we have a password on the WiFi" to a defensible posture without setting six months of partner billable time on fire:

Days 1-30. BitLocker or FileVault on every endpoint. MFA enforced firm-wide on M365 or Google Workspace. Baseline managed EDR on every endpoint. The foundation that "reasonable efforts" rests on.

Days 31-60. Turn on the DMS secure portal and roll it out for sensitive matters. Deploy Intune App Protection Policies for personal devices authorized to hold matter data. Draft the matter-classification policy as part of the written information security plan.

Days 61-90. Run a tabletop on a privileged-data leak scenario — stolen laptop, compromised mailbox, sealed document produced unsealed. Build the co-counsel and vendor agreement template. Roll BYOD norms into the firm's training program.

After 90 days the firm is not at AmLaw-100 maturity, but it is meaningfully above the bar "reasonable efforts" requires, and it has the documentation to show its work.

Where Obsidian Ridge fits

We work with small law firms on the parts of this stack that are hardest to do alone. We deploy Huntress Managed Detection and Response on endpoints and Managed ITDR on the firm's M365 or Google Workspace tenant, because the credential-theft layer is what defeats encryption when nothing else does. We configure the tenant for the three-tier sensitivity scale, support the DMS secure-portal rollout, and run Managed SAT focused on BYOD and partner-laptop failure modes rather than generic phishing training. We deliver the written information security plan that articulates the firm's matter-classification policy and gives the carrier something to read at renewal time.

If the firm is approaching a cyber insurance renewal, has just taken on a sensitive matter the existing stack was not built for, or is starting to feel that "reasonable efforts" is getting harder to claim with a straight face, that is the conversation to have. Our law firm practice is built around exactly this.

Talk to us about the confidentiality stack for your firm or review your cyber insurance readiness before the next renewal.

Last updated: May 14, 2026.

FAQ

Questions readers usually ask next

What's the difference between encryption in transit and encryption at rest, and do we need both?

Yes, both, and they protect against different attacks. Encryption in transit (TLS 1.2 or higher on email and DMS connections) protects data while it's moving between systems — someone sniffing the network can't read it. Encryption at rest (BitLocker on Windows, FileVault on Mac, at-rest encryption on your cloud DMS) protects data when it's sitting on a disk — a stolen laptop or a lost backup tape doesn't hand the attacker the documents. Most modern services do both by default, but a partner's home laptop usually does not have BitLocker turned on unless someone made sure of it.

Are secure client portals actually safer than emailing a PDF?

Yes, for sensitive matters, materially so. A portal authenticates the recipient (with MFA where the matter warrants it), logs who viewed and downloaded what, lets you revoke access when the matter closes or the engagement changes, and never puts the document into a recipient's email account where it lives forever in their cloud backup. Email an unencrypted PDF and you have no idea whether it ended up on a personal device, in a family member's shared iCloud, or in a Gmail account that gets compromised three years later.

Can our partners read sealed records on their personal iPads at home?

Only through a managed app container. The compliant pattern is Microsoft Intune App Protection Policies (also called MAM) on the firm's apps — the DMS app, Outlook, Teams — so that matter documents live inside an encrypted container the firm can wipe remotely. The non-compliant pattern is downloading the PDF to the device, opening it in the iPad's Files app, and letting it sync to personal iCloud. Same partner, same iPad, two very different exposure levels.

When is ordinary email actually OK for client communications?

Per ABA Formal Opinion 477R, ordinary email — with MFA on the mailbox and the usual baseline security controls — is generally acceptable for routine matters. The trigger for stronger measures is matter sensitivity: trade secrets, sealed information, certain family and criminal matters, M&A in regulated industries, and anything under a protective order. For those, you move to encrypted email or a secure portal. The firm's written information security plan should document where the line sits.

What does Model Rule 1.6's 'reasonable efforts' test actually require?

Model Rule 1.6(c) says a lawyer must make reasonable efforts to prevent unauthorized disclosure of client information. 'Reasonable' is contextual — it depends on the sensitivity of the matter, the likelihood of disclosure without safeguards, the cost of safeguards, and the difficulty of implementing them. In practice, in 2026, this means MFA, endpoint encryption, EDR, a written policy, and stronger measures for sensitive matters. A firm that has none of that and suffers a leak is going to have a hard conversation about whether its efforts were reasonable.

How should we share documents with co-counsel without breaking privilege?

Two reliable patterns. First, share through the firm's secure portal rather than through email — co-counsel authenticates, the audit trail is preserved, and the document doesn't end up in their general mailbox. Second, if you must use email, confirm co-counsel has equivalent security (MFA, encryption, EDR) and use encrypted email for sensitive content. Either way, get a written agreement on data handling and destruction at matter close. The privilege analysis later may turn on whether you took reasonable steps to control the document after it left your firm.

Are PACER and state e-filing systems secure enough for sealed filings?

Sealed filings go through the e-filing system's sealing mechanism, which is generally robust — but you should verify the filing actually sealed correctly rather than assume. Confirm the filing's status in the system after submission. Use MFA on your e-filing accounts where the system supports it (PACER has rolled this out broadly). Use dedicated firm filer accounts rather than personal partner accounts so the audit trail is clean, and review who in the firm has filing privileges at least annually.
