When a prospective client fills out your intake form, they're trusting you with some of the most sensitive information they possess. Financial details. Family circumstances. Health information. Business strategies. Legal history.
That trust is the foundation of the attorney-client relationship — and it comes with obligations. Professional responsibility rules in every state require attorneys to take reasonable measures to protect client information from unauthorized disclosure. Failure to meet this obligation isn't just an ethical problem. It's a malpractice and disciplinary risk.
Here's what law firms need to know about securing client intake data.
Why Law Firm Intake Data Is Particularly Valuable
Law firms are attractive targets for data breaches, ransomware attacks, and unauthorized access. The reasons are straightforward:
- High-value client information — Legal matters often involve significant financial transactions, business disputes, or personal vulnerabilities. This information is valuable to adversaries, competitors, and fraudsters.
- Client confidentiality creates leverage — A ransomware attacker who steals client files can threaten to publish them unless a ransom is paid. Attorneys face particular pressure because disclosure of client information could constitute an ethical violation on top of the breach.
- Law firms often have weaker security than their clients — A small law firm may handle sensitive matters for large corporations or wealthy individuals, but operate with security practices more appropriate to a small business.
The risk is not theoretical. Law firm data breaches are well-documented, and the consequences — regulatory penalties, disciplinary complaints, client litigation, reputational damage — are severe.
Professional Obligations Around Data Security
Model Rules of Professional Conduct Rule 1.6(c) requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
Importantly, "reasonable efforts" is a standard that changes with technology. What was reasonable security in 2010 — a locked file cabinet and a password on your computer — is not reasonable security today. Courts and bar associations look at whether a firm's security practices were appropriate given current threats and available countermeasures.
Comment 18 to Rule 1.6 lists the factors that bear on whether a lawyer's efforts were reasonable:
- Sensitivity of the information
- Likelihood of disclosure without additional safeguards
- Cost of additional safeguards
- Difficulty of implementing the safeguards
- Extent to which they adversely affect the lawyer's ability to represent clients
Translation: you're required to think seriously about security and implement protections proportionate to the sensitivity of what you're protecting.
Security Vulnerabilities in Traditional Intake
Traditional intake processes have several inherent security vulnerabilities:
Paper intake forms: Physical forms containing sensitive information can be lost, misplaced, accessed by unauthorized staff, or stolen. Physical files have no audit trail of who accessed them.
Unencrypted email: Sending and receiving intake questionnaires as email attachments puts sensitive information into a channel you do not control. Encryption between mail servers is at best opportunistic, and the message sits in readable form in both parties' mailboxes, on both providers' servers, and in any backups. Anyone with access to either account can read it, including a spouse or partner sharing a computer in a sensitive family law matter, and a single mis-addressed reply or forward discloses it to a third party.
Shared drives and generic file storage: Saving intake documents to shared drives or general cloud storage (personal Google Drive, Dropbox) may not provide appropriate access controls or encryption.
Paper engagement letters: Signed paper engagement letters mailed to the firm pass through postal handling and sit in physical mailboxes before being collected.
Security Features to Look for in Intake Software
When evaluating digital intake platforms, security should be a core evaluation criterion. Look for:
Encryption in Transit and at Rest
All data transmitted between the client's device and the intake platform should be encrypted via HTTPS/TLS. Data stored on the platform's servers should also be encrypted at rest. These are baseline requirements that any reputable platform meets, but verify rather than assume: open the intake form over plain http:// and confirm it redirects to https://, check that the site sends a Strict-Transport-Security header so browsers refuse to downgrade, and ask the vendor how at-rest encryption keys are stored and who can use them. Encryption at rest with the key kept beside the data protects against little more than a stolen disk.
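The transport checks above, as an added example that is not part of the original page or of MatterFlow's software: it grades a captured HTTP exchange for an intake form URL (did plain HTTP redirect to HTTPS, is HSTS present with a sensible lifetime, are session cookies marked Secure and HttpOnly). The URL, status codes and headers are constructed samples; in practice you would paste in the output of `curl -sI` against the real form.

```python
# Added example: assess the transport-security posture of an intake form from a
# captured HTTP exchange. Not MatterFlow code; all captures below are constructed.
from urllib.parse import urlsplit

SIX_MONTHS = 15552000  # a common minimum HSTS max-age, in seconds


def parse_cookie_flags(set_cookie: str) -> set:
    """Lower-cased attribute names of a Set-Cookie header, e.g. {'path','secure','httponly'}."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def hsts_max_age(value: str) -> int:
    """max-age from a Strict-Transport-Security header; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def check_transport_posture(url: str, status: int, headers: list) -> list:
    """Grade one captured response. headers is a list of (name, value) tuples as
    received (Set-Cookie may repeat). Returns finding strings; [] means clean."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    hdrs = {}
    for name, value in headers:
        hdrs.setdefault(name.lower(), []).append(value)

    if scheme == "http":
        # A plain-HTTP request must be answered with a redirect to https://, nothing else.
        location = hdrs.get("location", [""])[0]
        if status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
            findings.append("http: form served in clear text instead of redirecting to https")
        return findings

    # HTTPS response: expect HSTS, and cookies that cannot leak over plain HTTP or to scripts.
    hsts = hdrs.get("strict-transport-security", [""])[0]
    if not hsts:
        findings.append("https: missing Strict-Transport-Security header")
    elif hsts_max_age(hsts) < SIX_MONTHS:
        findings.append("https: Strict-Transport-Security max-age shorter than six months")
    for cookie in hdrs.get("set-cookie", []):
        flags = parse_cookie_flags(cookie)
        cname = cookie.split("=", 1)[0].strip()
        if "secure" not in flags:
            findings.append(f"cookie {cname}: missing Secure flag")
        if "httponly" not in flags:
            findings.append(f"cookie {cname}: missing HttpOnly flag")
    return findings


# Constructed sample captures (hypothetical host, not a real vendor response).
GOOD_HTTP = ("http://intake.example-firm.test/form", 301,
             [("Location", "https://intake.example-firm.test/form")])
GOOD_HTTPS = ("https://intake.example-firm.test/form", 200,
              [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
               ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")])
WEAK_HTTPS = ("https://intake.example-firm.test/form", 200,
              [("Set-Cookie", "session=abc123; Path=/")])
WEAK_HTTP = ("http://intake.example-firm.test/form", 200,
             [("Content-Type", "text/html")])

if __name__ == "__main__":
    for capture in (GOOD_HTTP, GOOD_HTTPS, WEAK_HTTPS, WEAK_HTTP):
        print(capture[0], capture[1], check_transport_posture(*capture) or ["OK"])
```

The two WEAK captures are what a form that "has HTTPS" but was never hardened typically looks like: the certificate is fine, yet a client who types the address without https:// gets the form in clear text, and the session cookie can be replayed over plain HTTP.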
Access Controls
Who within your firm can access intake information? Good platforms enforce role-based access control so that each person sees only what their job requires: attorneys on the matter see everything, support staff see the fields they work with, billing sees only billing-relevant information. Access logging shows who accessed which record, which fields, and when.
Audit Trails
The platform should maintain a complete log of: when the intake form was sent, when it was accessed, when it was completed, when it was modified, and by whom. These audit trails are valuable in disputes and in demonstrating reasonable security practices.
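The two preceding points, role-based access and an audit trail that will hold up in a dispute, as one added example. This is illustrative code, not the page's own or MatterFlow's implementation; the roles, field names and sample record are assumptions. Each role sees only its permitted fields, every view is appended to a log in which each entry commits to the hash of the previous one, so a later edit or deletion of any entry is detectable.

```python
# Added example: role-based field filtering and a tamper-evident (hash-chained) audit
# trail for intake records. Illustrative, not MatterFlow's implementation; the roles,
# field names and sample record below are assumptions.
import hashlib
import json

# Fields each role may read. None means every field (attorneys see the whole record).
ROLE_FIELDS = {
    "attorney": None,
    "paralegal": {"client_name", "matter_type", "summary", "opposing_party"},
    "billing": {"client_name", "matter_type", "billing_contact", "fee_arrangement"},
}

GENESIS = "0" * 64  # prev-hash value stored in the first entry


def entry_hash(body: dict) -> str:
    """SHA-256 over canonical JSON, so identical content always hashes identically."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only list where each entry commits to the hash of the previous one.

    Changing or deleting an earlier entry changes its hash, so the link stored in
    the following entry no longer matches and verify() fails.
    """

    def __init__(self):
        self.entries = []

    def append(self, ts: str, actor: str, role: str, action: str, record_id: str, fields) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": ts, "actor": actor, "role": role, "action": action,
                "record_id": record_id, "fields": sorted(fields), "prev": prev}
        body["hash"] = entry_hash(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self) -> bool:
        """True only if every entry hashes to its stored value and links to its predecessor."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or entry_hash(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def view_intake(record: dict, actor: str, role: str, log: AuditLog, ts: str) -> dict:
    """Return only the fields `role` may see, and log the access (least privilege + audit)."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role: {role}")
    allowed = ROLE_FIELDS[role]
    visible = {k: v for k, v in record.items()
               if k == "id" or allowed is None or k in allowed}
    log.append(ts, actor, role, "view", record["id"], [k for k in visible if k != "id"])
    return visible


# Constructed sample record (hypothetical, not real client data).
INTAKE = {
    "id": "INT-1001",
    "client_name": "Jane Doe",
    "matter_type": "family",
    "summary": "Contested custody; client reports a prior protective order.",
    "opposing_party": "John Doe",
    "billing_contact": "jane@example.test",
    "fee_arrangement": "hourly, $2,500 retainer",
    "health_notes": "Ongoing treatment for anxiety (client volunteered).",
}

if __name__ == "__main__":
    log = AuditLog()
    print(view_intake(INTAKE, "b.lee", "billing", log, "2024-03-01T09:00:00Z"))
    print(view_intake(INTAKE, "a.chen", "attorney", log, "2024-03-01T09:05:00Z"))
    print("chain intact:", log.verify())
    log.entries[0]["actor"] = "someone.else"  # simulate after-the-fact tampering
    print("chain intact after edit:", log.verify())
```

A chained log of this kind only proves integrity relative to its last hash, so a platform that offers it should also anchor that hash somewhere the application's own administrators cannot rewrite (a write-once store or a periodic export to the firm). That is the property to ask a vendor about when they say their audit trail is "complete".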
Data Minimization
Only collect what you actually need. An intake form that asks for full Social Security numbers, account numbers, and passwords is collecting more than necessary and creating more exposure than necessary. Collect what's needed for the matter; request additional details through secure channels as needed.
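Data minimization has two halves: not asking for what you do not need, and not keeping what clients volunteer anyway. The following is an added example, not the page's own or MatterFlow's code: it drops any submitted field that is not on the form's allowlist and scans narrative answers for Social Security numbers and card numbers that clients routinely paste into a "describe your matter" box, masking them to the last four digits. The field names, patterns and sample submission are assumptions; the Luhn check keeps ordinary long numbers (case numbers, account numbers) from being flagged as cards.

```python
# Added example: enforce data minimization on an intake submission. Unexpected fields
# are dropped and free-text answers are scanned for identifiers the form never asked
# for. Illustrative, not MatterFlow code; field names and the sample are assumptions.
import re

ALLOWED_FIELDS = {"client_name", "email", "phone", "matter_type", "summary"}
TEXT_FIELDS = {"summary"}  # narrative answers, where volunteered identifiers show up

# SSN: AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary 13-19 digit numbers are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_sensitive(text: str):
    """Return (redacted_text, findings); SSNs and Luhn-valid card numbers are masked."""
    findings = []

    def ssn_sub(m):
        findings.append("ssn")
        return "***-**-" + m.group(0)[-4:]

    def card_sub(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_ok(digits):
            findings.append("card")
            return "[card ending " + digits[-4:] + "]"
        return raw  # not a card: leave case/account numbers untouched

    text = SSN_RE.sub(ssn_sub, text)
    text = CARD_RE.sub(card_sub, text)
    return text, findings


def minimize_submission(submission: dict):
    """Drop fields the form should not collect; redact identifiers pasted into narrative fields."""
    report = {"dropped": [], "redacted": []}
    clean = {}
    for key, value in submission.items():
        if key not in ALLOWED_FIELDS:
            report["dropped"].append(key)  # e.g. an SSN field someone added to the form
            continue
        if key in TEXT_FIELDS and isinstance(value, str):
            value, found = redact_sensitive(value)
            report["redacted"].extend(f"{key}:{f}" for f in found)
        clean[key] = value
    return clean, report


# Constructed submission (hypothetical; the card number is the standard Luhn test value).
SAMPLE = {
    "client_name": "Jane Doe",
    "email": "jane@example.test",
    "phone": "555-123-4567",
    "matter_type": "family",
    "ssn": "123-45-6789",
    "summary": ("My SSN is 123-45-6789 and the joint card is 4111 1111 1111 1111. "
                "Account 1234567890123456 is mine."),
}

if __name__ == "__main__":
    clean, report = minimize_submission(SAMPLE)
    print(clean)
    print(report)
```

Run at the point where the submission enters your system, this keeps the over-collected values out of the database, the backups, and the emails your staff forward to each other. Where a matter genuinely needs the full identifier later, request it through the secure portal as the text above recommends, not through the general intake form.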
Secure Storage
Client intake data should be stored in a system whose security controls have been independently examined. For legal applications, ask the vendor for a SOC 2 Type II report. SOC 2 is an auditor's attestation rather than a certification: a Type II report covers whether the vendor's controls operated effectively over a review period (typically six to twelve months), and it is worth reading the scope and any noted exceptions rather than stopping at the fact that a report exists.
Business Associate Agreements (for health-related matters)
If your firm handles matters involving health information (personal injury, medical malpractice, disability), you may have HIPAA obligations. If your intake platform stores health information, confirm whether a Business Associate Agreement is needed and available.
Email Security for Intake Communications
Even with a secure intake platform, attorneys communicate with prospective clients via email. Basic email security measures:
Use firm-managed email, not personal accounts: Email on your firm's domain is easier to secure, control, and retrieve. Avoid using Gmail or other personal accounts for client communication.
Enable multi-factor authentication on email accounts: This is the single highest-impact step against unauthorized email access, because it blocks the common case of a leaked or guessed password on its own. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or relayed by a phishing page in real time.
Don't send sensitive documents as unencrypted attachments: Use a secure portal or encrypted email for documents containing sensitive information. Most modern practice management and intake platforms include portal features for this purpose.
Train staff on phishing recognition: The most common entry point for email compromise is a phishing email that tricks a staff member into revealing their credentials. Regular training significantly reduces this risk.
Client Communication About Security
Clients have a reasonable interest in knowing how their information will be handled. Consider including a brief security statement in your intake process, and say what the platform actually does rather than reaching for phrases like "bank-level encryption", which describe nothing:
"Your information is encrypted while it travels to us and while it is stored. Only authorized members of our firm can access your intake information, and that access is logged. Your privacy and confidentiality are our priority."
This isn't just reassuring — it's professionally appropriate. Clients who understand your security practices are less likely to share sensitive information through insecure channels (like personal email) and more likely to trust your platform.
Incident Response: When Something Goes Wrong
Despite best efforts, breaches happen. Having a response plan before you need one is essential.
Know your notification obligations: Many states have data breach notification laws. Bar associations also provide guidance on notification obligations to clients when their confidential information may have been compromised. Know your state's requirements before you need them.
Have a contact list: Know who to call — IT support, cyber liability insurer, bar ethics hotline — before an incident occurs.
Document your security practices: In the event of a breach, demonstrating that you had reasonable security practices in place significantly mitigates disciplinary and legal exposure. Keep records of your security policies and any security assessments you've undertaken.
Cyber liability insurance: Increasingly essential. Standard professional liability insurance typically does not cover data breach costs. Dedicated cyber liability coverage handles breach notification costs, forensic investigation, and related liabilities.
A Security Baseline for Law Firm Intake
At minimum, a law firm handling client intake should:
- Use a dedicated, encrypted intake platform — not email attachments or paper forms
- Require HTTPS for all web-based intake forms
- Enable multi-factor authentication on all accounts that access client data
- Use firm-managed email with MFA enabled
- Train all staff on basic phishing recognition
- Have a written data security policy
- Carry cyber liability insurance
- Know their state's breach notification requirements
This baseline doesn't require a large technology budget. It requires intentional choices and consistent enforcement.
MatterFlow uses encrypted transmission and secure storage for all client intake data. Learn about our security practices at matterflowlegal.com.