Data Security is Essential to Expanded Judicial Access

June 13, 2025
Where law meets risk: Why legal aid is a cybersecurity blind spot

For cybersecurity professionals, law and the nonprofit sector do not immediately come to mind as high-risk industries for data security. Finance, health care, manufacturing, utilities, and consumer privacy perennially top the “most threatened industries” lists. However, because law firms and nonprofits handle highly sensitive personal data, as well as confidential client and donor information, they face unique security threats. The overlap of law and nonprofits creates a specific set of cybersecurity risks for legal aid organizations and their professionals, as well as opportunities for data security managers.

A Double Set of Exposures for an Essential Service

Legal aid organizations occupy a unique spot on the spectrum of professional organizations. They consist of both paid and volunteer legal professionals who assist clients with issues such as family law, housing, and consumer matters. Like law firms, legal aid offices handle sensitive, confidential personal data, such as medical and financial information, to support their clients’ cases. However, unlike the clients of traditional law firms, legal aid clients often lack access to legal representation and cannot afford private counsel.

Most legal aid organizations are nonprofits, receiving funding from donations, grants, Congress, and pro bono support. Like other nonprofits, legal aid offices are often resource-restricted and must seek out cost-effective data management tools and external providers to best serve their clients. 

Legal Aid’s Legacy Risk Profiles

Law has traditionally been slow to change its data security posture. The profession is run by lawyers who, quite naturally, focus on practicing law. Law is also a relatively conservative industry, leery of and slower to implement unproven technologies. The profession, however, is target-rich for bad actors. All data related to cases and clients is vulnerable, including financial transactions, private communications, account balances, health information, intellectual property, privileged information, sensitive family matters, and criminal histories. A firm’s business communications and operations are equally at risk. 

We are seeing some state and local bar associations understand the threat of cyber intrusion. In 2016, Florida became the first state bar to require lawyers to receive continuing education in technology. But a few hours of general technology education or training on cyber threats isn’t enough to combat the rapidly evolving landscape of bad actors. 

Nonprofits are notoriously underfunded and sometimes struggle to access adequate resources for many non-mission-critical programs, including information technology. Sensitive donor data can reveal net worth, estate plans, account details, and financial holdings, among other information. Grant data (both public and private) often outlines salaries, job qualifications, and other sensitive employment information. For nonprofits, operations and finances must have a higher degree of transparency, reducing many of the protections afforded to private corporations.

Legal aid organizations operate on tight budgets. Like many small businesses, legal aid offices often outsource their data and operational management tasks to software-as-a-service (SaaS) providers, creating additional access points and necessitating added layers of security. For instance, at our office, we rely on several cloud-based systems to help manage case flow. While this may ease our local data storage and security requirements, it impacts our overall risk posture and underscores our need to fully understand our partners’ terms of service and how our data will be used.

Given that legal aid organizations are both nonprofits and law firms, they sit at the intersection of this Venn diagram of cyber threats, possessing all the privileges and sensitive information of a law firm, yet with the budget constraints of a nonprofit. Another frequent hurdle to security for legal aid and other nonprofits is the reliance on volunteers. At a private company, employees and contractors can be thoroughly vetted and have their backgrounds checked. While many legal aid organizations vet volunteers, not all mission-driven organizations have the time or staff to achieve this step effectively. This can create exposure to either intentional bad actors masquerading as volunteers or the inadvertent disclosure of sensitive data from a well-meaning but ill-equipped volunteer. From issues within the professional culture to restricted budgets to unstructured volunteer controls, legal aid organizations face a variety of unique challenges in securing their data.

AI, ADR and AJT: Tech Tools Hold Opportunity – and Carry Risk

Like everyone in the industry, data security professionals in the legal field are directly impacted by the promise and perils of artificial intelligence (AI). The legal industry faces the same daily phishing attempts and lack of awareness among users as those in other industries do. Large language models (LLMs) pose a particularly significant threat, as their ability to generate language and context becomes increasingly sophisticated. Spear phishing has arrived, and unprepared firms may find themselves faced with business-crippling data breaches. Additionally, cybersecurity professionals and in-house counsel must have a robust understanding of how third-party AI systems utilize proprietary data. Is it self-contained, or are there internet access points? Will it be used for training, analysis, or research by the potential provider? Who has access, and what is the cyber incident response plan?

Alternative dispute resolution (ADR) is an innovative way for plaintiffs to avoid litigation by resolving their issues through one of several outside-the-court means, including arbitration, mediation, negotiation, and conciliation. ADR’s primary benefit is that it keeps “settleable” matters out of an already overburdened court system, saving parties valuable time and money. AI-based technology increasingly plays a role in making the process more efficient, providing document analysis, case scheduling and even virtual mediation. For those of us in legal aid, we’re watching the ADR landscape as court systems begin to experiment with similar systems for small claims and simple divorces. 

Access-to-justice technology (AJT) refers to the tools and software that enhance the accessibility of the legal system to individuals without representation. Examples of AJT include document assembly software, case management tools, online intake, and AI-powered legal assistance. Additionally, automated pro bono “matching” between legal aid organizations and attorneys streamlines the process for both parties, helping to place lawyers while considering factors such as case practice area, location, and type of volunteer participation. Many legal aid organizations are building AJT tools or experimenting with these systems. As with any developing technology, data safety considerations should be at the top of the security and legal professionals’ checklist.

Data Security is Fueling Access to Justice

Over the past decade, legal aid has led the legal industry in embracing technology, with a particular focus on the use of artificial intelligence (AI). From e-filing to case management software to document assembly, legal aid has been an early adopter and advocate for intelligent data management solutions. For our organization and others like it, today’s rapidly evolving technologies are an accelerator for our mission. AI and machine learning present unique challenges for our field, but they also create significant opportunities, both in terms of cybersecurity and increased access to the judicial system. Now, more than ever, it is essential for legal aid professionals and the data security industry to collaborate on developing innovative solutions to address cyber risk.

About the Author

Eli Mattern | an attorney and the director of technology at Community Legal Services

Eli Mattern is an attorney and the director of technology at Community Legal Services, a legal aid organization in Orlando. She is the founder of an access-to-justice software firm, and her career has been spent at the intersection of law and technology.