While clients will often dictate the nature and mode of communication with their legal counsel, retaining the trust of clientele now hinges on the security of that correspondence in an increasingly digitised world – in which cyber attacks are now the norm.
The threat landscape
For lawyers practising in the cyber security space, there has been no slowing down this year, with one BigLaw partner predicting that 2025 would be “full steam ahead”. This has most certainly been borne out, with numerous high-profile cyber attacks being faced by prominent Australian businesses – most notably, in recent weeks, the attack on our national airline, Qantas, from which millions of customers could potentially seek compensation.
However, despite bearing witness to attacks on businesses big and small across the country (and observing numerous firms undertake class action investigations into those companies that have fallen victim, such as Optus and Medibank), legal professionals – both in private practice and in-house – remain, broadly speaking, underprepared.
Recent research has shown that 3 in 5 in-house leaders say it would take a cyber incident to improve processes, while 1 in 2 law firms are not ready to handle a cyber incident. Such a lack of readiness will, ultimately, cost law firms more than money.
The profession has witnessed its colleagues in firms fall prey to attacks, such as BigLaw practices HWL Ebsworth and IPH – and, as one expert said, such attacks on legal practices are not going to decline.
One aspect of firm operations that is garnering greater attention is communication with clients: how secure are lawyers’ interactions with their clientele, be it over email, consumer messaging apps, or even social media?
As John Reeman, director of Cyooda Security, put it, “while clients often dictate these channels, lawyers must understand their security implications to protect sensitive data and privilege”.
To this end, Jason Symons, Mills Oakley’s cyber risk and insurance team lead partner, and Mitchell Riley-Meijer, cyber security and incident response manager in the firm’s cyber risk and insurance team, said that as the current professional services marketplace becomes increasingly digitised, “winning client trust, and more importantly keeping it, hinges on information security and digital integrity”.
Issues
It is neither new nor surprising, Symons and Riley-Meijer said, that law firms will hold volumes of sensitive information about their clients and active matters, “from commercial information or intellectual property, to deeply personal information arising from family law matters or complex estate planning”.
“The ‘way’ law firms communicate this information is what requires new attention – it is no longer a matter of convenience, but a matter of risk,” the pair said.
NSB Cyber co-founder and chief executive Shane Bell reflected that, prior to COVID-19, “we were still in the world of in-person interactions where we all carried notebooks, occasional teleconference bridges where we all took our own notes, and formal correspondence attached to email, where the digital medium was the transport vehicle only”.
Now, he said, “often the email or the text message is the formal artefact capturing advice or outcomes, video calls cross a raft of different platforms, everything has chat functionality, and we even have AI notetakers producing automated transcripts of everything that we say and do in meetings”.
We create so much more digital content now, Bell observed, scattered across a raft of platforms and locations.
Such abundant content opens the door, of course, to attacks from malicious actors, who are intent on leveraging such personal and professional information.
Law firms that are not investing in appropriate cyber security systems, Hall & Wilcox partner Eden Winokur said, “leave themselves and their clients vulnerable”.
“Common communication methods like email, SMS, and messaging apps can expose law firms and their clients to various cyber risks, including phishing, data breaches, and malware. When confidential or personal information is impacted in a cyber incident, it can cause various legal risks and reputational damage. These risks include loss of business, regulatory investigations, and claims from third parties,” he said.
Cybertify chief executive Ramtin Diznab added that lawyers handle highly sensitive information, yet many still rely on communication channels like SMS and WhatsApp that lack enterprise-grade security.
“These platforms, while convenient, do not offer the encryption or governance controls required to protect client data,” he said.
“In today’s threat landscape, lawyers must be more vigilant.
“Communication security can no longer be left to individual discretion.”
Communication channels
Law firms, Symons and Riley-Meijer said, need to move beyond “ad hoc” channels of communication and towards secure, auditable platforms purpose-built for professional communications.
“That means encrypted client portals, enterprise messaging tools with granular access controls, and policies that align with legal privilege, professional standards, and regulatory expectations,” they said.
According to Reeman, firms “increasingly rely” on consumer messaging apps for client communication, from SMS to WhatsApp, Telegram, and Teams.
“SMS remains particularly vulnerable, unencrypted, and susceptible to man-in-the-middle attacks and number porting. It’s suitable only for casual communications like meeting confirmations, never for sensitive information,” he said.
“Among messaging platforms, Signal offers the highest security for crisis communications, while Telegram requires caution as end-to-end encryption isn’t default. Google Chat, Slack, and Teams provide reasonable security when properly configured.”
“WhatsApp’s infrastructure raises privacy concerns, WeChat offers minimal security, and SMS ranks lowest for sensitive communications.”
Bell was more direct about such messaging channels: “I think we all know by now that using text messages isn’t acceptable for sensitive information sharing, neither is using free services or open forums. Practices like this really just need to stop.”
Email, “despite being the 30-year standard”, Reeman said, and “the industry default”, according to Symons and Riley-Meijer, requires third-party encryption for true security and is inherently vulnerable to cyber attacks such as phishing and business email compromise.
Firms should, Diznab said, “instead transition to secure, end-to-end encrypted messaging solutions designed for professional use and ensure their email environments are safeguarded by advanced threat protection platforms that leverage behavioural AI to detect and neutralise sophisticated attacks in real time”.
Furthermore, he went on, “law firms are required to implement firm-wide communication policies, supported by structured onboarding and ongoing cyber security training across all staff levels, from junior legal assistants to managing partners”.
Best practice and safer platforms
When it comes to ensuring formal, reliable, and secure client communications, and the risks firms need to be aware of, Bell reflected that the pathway forward will depend on a firm’s risk appetite for its communication with clients.
“By that I mean, what is your appetite for (potentially) losing control of your information or using the wrong medium that isn’t fit for purpose, versus making your (and your client’s) life a little easier?
“When clients ask me which communication medium is ‘more secure’, I respond, ‘Are you saying that means it needs to be secure?’ If the answer is nothing, then the medium doesn’t really matter. But, if their answer is more complicated than that, then so is my answer,” he said.
Between them, Reeman, Diznab, Symons, and Riley-Meijer suggested the following approaches to achieve best practice: assessing the security level of each communication method, implementing appropriate encryption, controlling key management where possible, thoroughly reviewing service provider contracts, adopting a single, firm-managed communication platform, restricting use of unauthorised platforms, mandating multifactor authentication, monitoring for data loss risks, maintaining audit trails for sensitive exchanges, mobile-device management, and regular phishing simulations to harden endpoints.
“The devil is in the details, ensure you’re getting the security level you expect for your firm’s needs,” Reeman said.
For highly confidential and sensitive information, Winokur noted, best practice means using secure communications tools only from trusted providers.
“These tools should have end-to-end encryption that requires a one-time password to access the information with a link that expires within a short period of time,” he said.
In addition, Diznab said, firms must regularly assess their providers.
“The cyber security market evolves rapidly, and a solution that was best-in-class five years ago may no longer offer adequate protection,” he said.
“Strategic reviews, supported by security experts, ensure that communication tools remain current, effective, and aligned with today’s threat environment.”
Put simply, Bell summarised, “use robust, secure, properly maintained and fit-for-purpose platforms with security built in, and take time with understanding process, not just blindly trusting the technology and firing things off at pace”.
“Keeping it simple, using layers of security controls, and a well-thought-out process will get the job done every time,” he said.
Final word
Lawyers across the private practice and in-house realms have, of course, “heard these messages before”, Symons and Riley-Meijer mused. Moreover, they added, “understandably, uptake remains slow as firms juggle competing costs and expenses”.
“Perhaps what is necessary now, particularly as we enter into the next era of digital transformation (that being the era of AI adoption), is a reminder that secure communication is not just an IT issue, it’s a professional obligation and a strategic differentiator for firms committed to safeguarding client confidence and trust,” the pair said.
Jerome Doraisamy is the managing editor of Lawyers Weekly and HR Leader. He is also the author of The Wellness Doctrines book series, an admitted solicitor in New South Wales, and a board director of the Minds Count Foundation.