Mobile lawyering concerned only a small percentage of practicing attorneys when I began writing about it. As technology advanced, legal professionals increasingly moved to mobile and remote work. Work-from-home mandates during the COVID-19 pandemic made the practice more common still, and the convenience of reaching client files, legal databases, and communication tools from anywhere, combined with the growing power of the devices themselves, has made it hard to get lawyers back into brick-and-mortar offices. Although the pandemic officially ended some time ago, many lawyers have not returned to a traditional office, many now work in a hybrid arrangement, and some likely never will go back.
This trend carries a rising cybersecurity cost. Mobile lawyers, those who rely heavily on smartphones, tablets, and laptops to work effectively outside a traditional office, face distinctive exposure to cybercrime and scams, from phishing and public WiFi interception to man-in-the-middle attacks and ransomware. For many years, in many classes, books, and articles, I have described technology as a double-edged sword. This column explores the cybersecurity risks mobile lawyers encounter, focusing on those peculiar to mobile practice or made worse by it, and offers a practical road map for safeguarding sensitive data, maintaining client confidentiality, and meeting legal and ethical obligations.
Rise of the Road Warrior
Today’s lawyers no longer confine themselves to the traditional brick-and-mortar office. Increasingly, they work on the go, answering client email from airports, opening case files on mobile devices, and attending virtual hearings from remote locations over Internet connections of unknown quality. This shift toward mobility, accelerated by the COVID-19 pandemic and the subsequent normalization of hybrid work, has fundamentally changed the legal landscape. Many predict that we will never return to the office structures of yesteryear. I belong to the cadre of pundits who believe mobile lawyering has gone mainstream and will stay there.
As mobility increases, so does our dependence on the Internet and mobile devices, and with it our exposure to cyber threats. An attorney’s phone or tablet is the digital equivalent of an open briefcase: privileged client information, confidential case strategy, sensitive evidence, and a mix of personal and client-related private data. Just as important, the device usually holds the keys to far more data stored elsewhere: cached email and document-management logins, browser sessions, saved passwords, and the authenticator app or text-message channel used for multi-factor authentication. Whoever controls the device can often reach everything those credentials unlock.
The environments mobile lawyers work in today often lack the physical and digital protections of traditional law firm infrastructure, such as managed networks, firewalls, and IT-administered systems, which are so common in the office that we take them for granted. Frequent use of unsecured networks and a broader threat exposure combine to create a risky ecosystem. It should not surprise you that attorneys outside larger firms, which can afford a more institutionalized approach to cybersecurity, face even greater risk than their colleagues at those firms.
Mobile devices face different security challenges than desktops and laptops: they depend on many third-party applications, routinely connect to public networks, and carry sensitive data around in pockets and purses. Public WiFi networks are often unsecured, allowing an attacker on the same network to intercept anything not protected by end-to-end encryption, including login credentials and personal information. Mobile devices also frequently run outdated operating systems and apps, leaving publicly known vulnerabilities unpatched. Allowing personal devices to hold firm data, known as bring your own device (BYOD), adds further risk, because the firm has no control over what else is installed on the device or how it is secured. Where a firm has an IT function, it addresses this with a written BYOD policy and a mobile device management (MDM) system, which can enforce passcodes and encryption, keep work data in a separate container, and wipe that data remotely when a device is lost.
To give you some perspective, according to information collected for 2024 through Kaspersky security applications:
- There were more than 4,000,000 mobile-focused social engineering attacks.
- iOS devices experienced twice as many phishing interactions as Android devices.
- 427,000 malicious apps were detected on enterprise devices.
- 1,600,000 vulnerable app detections were reported.
- 33.3 million malware, adware, or unwanted mobile software attacks were prevented.
- 35 percent of total detections were adware, the most common mobile threat.
- 1.1 million malicious and potentially unwanted installation packages were detected, with almost 69,000 associated with mobile banking Trojan horse installations.
Because these figures come only from devices running Kaspersky software, they describe one vendor’s installed base rather than the whole market; the true totals are almost certainly higher.
Given their professional obligations under the American Bar Association Model Rules of Professional Conduct, lawyers must proactively mitigate the cybersecurity risks of mobile lawyering. Rule 1.1 (competence), read with Comment [8], calls for keeping abreast of the benefits and risks of relevant technology, and Rule 1.6(c) (confidentiality) requires reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. ABA Formal Opinion 477R applies those duties to the secure communication of client information.
Key Vulnerabilities Peculiar to Mobile Lawyers
Unsecured Public Networks
Unlike lawyers working from a secured office network, mobile lawyers often depend on public or semi-public WiFi to reach client files, court databases, and email. Networks at cafes, airports, libraries, and hotels have well-earned reputations for being insecure and susceptible to interception, and the operator of any network you join can see where your traffic is going even when it cannot read the contents.
Rogue access points, spoofed WiFi networks that mimic legitimate ones, present a particularly dangerous scenario. A lawyer who connects to “Hotel Guest WiFi” may actually be connecting to an attacker’s laptop acting as the router. Everything sent through it can be logged and misused: traffic that is not protected by end-to-end encryption, including passwords entered into plain HTTP pages and unencrypted email, is readable outright, and even encrypted traffic reveals which sites and services the lawyer is using. The rogue network can also present a fake captive-portal login page to harvest credentials. Practical defenses are to turn off automatic joining of remembered networks, to prefer a personal cellular hotspot over unknown WiFi, and to run a reputable VPN so that everything leaving the device is encrypted before it reaches the access point.
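The evil-twin scenario above can often be spotted before you connect, if you look at more than the network name. The following Python script is an added example, not code from this column or from any vendor. It takes a list of scanned access points (here a constructed sample of what a laptop might list in a hotel lobby) and a hypothetical firm-maintained list of vetted networks, and flags the signs a practitioner would check for: an open network, a vetted network name advertised with the wrong security type, a vetted name coming from an access point address the firm has never recorded, and the same name seen both open and encrypted. The network names, addresses, and trust list are all made up for illustration.

```python
from collections import defaultdict

# Constructed scan results (not a real capture): what a laptop might list in a
# hotel lobby. "security" is the encryption the access point advertises.
SAMPLE_SCAN = [
    {"ssid": "Hotel Guest WiFi", "bssid": "A4:56:30:11:22:01", "security": "WPA2", "signal": -55},
    {"ssid": "Hotel Guest WiFi", "bssid": "A4:56:30:11:22:02", "security": "WPA2", "signal": -62},
    {"ssid": "Hotel Guest WiFi", "bssid": "02:1A:F9:DE:AD:01", "security": "OPEN", "signal": -41},
    {"ssid": "Free Airport WiFi", "bssid": "02:1A:F9:DE:AD:02", "security": "OPEN", "signal": -47},
    {"ssid": "MyFirm-Mobile", "bssid": "3C:22:FB:00:00:01", "security": "WPA3", "signal": -70},
]

# Hypothetical trust list a firm might keep for networks it has vetted
# (assumption, not from the column): SSID -> (expected security, known BSSIDs).
TRUSTED_NETWORKS = {
    "Hotel Guest WiFi": ("WPA2", {"a4:56:30:11:22:01", "a4:56:30:11:22:02"}),
    "MyFirm-Mobile": ("WPA3", {"3c:22:fb:00:00:01"}),
}

# Reasons that mean "do not connect"; the rest only merit a second look.
AVOID_REASONS = {"open-network", "security-mismatch", "unknown-bssid"}


def locally_administered(bssid: str) -> bool:
    """True when the U/L bit of the first octet is set. Software access points
    (phone hotspots, attack tools) commonly use such addresses, but so do
    privacy-randomized MACs, so this is a weak signal on its own."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def triage_scan(scan, trusted):
    """Return {bssid: {"ssid", "reasons", "verdict"}} for every access point seen."""
    security_by_ssid = defaultdict(set)
    for ap in scan:
        security_by_ssid[ap["ssid"]].add(ap["security"].upper())

    report = {}
    for ap in scan:
        ssid, bssid, sec = ap["ssid"], ap["bssid"].lower(), ap["security"].upper()
        reasons = []
        if sec == "OPEN":
            reasons.append("open-network")
        if ssid in trusted:
            expected_sec, known_bssids = trusted[ssid]
            if sec != expected_sec.upper():
                reasons.append("security-mismatch")   # vetted name, wrong protection
            if bssid not in {b.lower() for b in known_bssids}:
                reasons.append("unknown-bssid")       # vetted name, unrecognized radio
        if len(security_by_ssid[ssid]) > 1:
            reasons.append("mixed-security-ssid")     # same name seen open and encrypted
        if locally_administered(bssid):
            reasons.append("locally-administered-bssid")
        if any(r in AVOID_REASONS for r in reasons):
            verdict = "avoid"
        elif reasons:
            verdict = "caution"
        else:
            verdict = "ok"
        report[bssid] = {"ssid": ssid, "reasons": reasons, "verdict": verdict}
    return report


if __name__ == "__main__":
    for bssid, r in sorted(triage_scan(SAMPLE_SCAN, TRUSTED_NETWORKS).items(),
                           key=lambda kv: kv[1]["verdict"]):
        print(f"{r['verdict']:8} {r['ssid']:20} {bssid}  {', '.join(r['reasons']) or '-'}")
```

In practice the scan input would come from the operating system (for example `nmcli dev wifi list` on Linux) and the trust list would be maintained by the firm. The heuristics are deliberately conservative: several access points sharing one name is normal in a hotel, so the legitimate "Hotel Guest WiFi" radios are only marked for caution because a same-named open network is present, while the open network using that vetted name is marked avoid outright.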
Device Theft or Physical Compromise
Lawyers working from courthouses, coffee shops, or while traveling face a higher likelihood of having a device stolen or lost. Those devices often hold sensitive data directly and provide automatic, already-logged-in access to email, cloud storage, and client portals.
A traditional office provides locked doors, surveillance, and desktop systems that do not leave the building. Mobile lawyers rely primarily on personal security measures. Without encrypted storage and strong access controls, even a brief period of unauthorized access can result in significant data leakage. The baseline is straightforward: a strong passcode (current iOS and Android devices encrypt storage once a passcode is set), a short auto-lock interval, biometric unlock for convenience rather than as a substitute for the passcode, and a tested remote-locate-and-wipe capability, whether through the platform’s own find-my-device service or the firm’s MDM.
Constant Multi-App Usage and Inadequate App Vetting
Mobile lawyers switch among many third-party applications throughout the day, from document editors and time-tracking tools to file-sharing apps and messaging services. This fragmented ecosystem enlarges the attack surface and the risk of data leakage, because every app that touches a client document is one more place that document can be stored, synced, or exposed.
For instance, a mobile lawyer may open a sensitive contract in a free PDF reader or cloud storage app without realizing that it uploads the file to the developer’s servers, lacks encryption, or stores data in jurisdictions whose rules do not satisfy the lawyer’s obligations. Such issues arise less often in desktop environments with pre-approved software and managed IT policies, and the fix on mobile is the same: a short list of vetted apps for client material, and nothing else.
Overreliance on Email and Text Messaging
Mobile lawyers frequently answer time-sensitive communications through mobile email or text messaging. The immediacy and informality of these platforms make them ripe for phishing. Attacks that impersonate clients or opposing counsel work particularly well on mobile devices because the small screen hides the details: most mobile mail clients show only the sender’s display name, not the address behind it, and a link’s true destination is not visible until it is tapped. A lookalike domain that differs from the real one by a single character is easy to miss on a phone.
SMS-based scams, known as smishing (SMS phishing), exploit mobile users’ tendency to act quickly. A lawyer who receives a fraudulent text about a court date or urgent client matter may act without the usual diligence, inadvertently exposing credentials or installing malware. The defense is procedural rather than technical: never act on an unexpected request for credentials, payment, or document access from a text or email alone, and confirm it through a channel you already trust, such as a phone number on file.
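Because a phone hides the sender address and the real link target, the checks you would do by eye on a desktop can be scripted. The Python below is an added example, not code from this column: it parses a constructed email and a constructed text message, compares sender and link domains against a hypothetical list of domains the lawyer already trusts, and reports the indicators discussed above: lookalike domains built from confusable characters (rn for m, 1 for l), a trusted name embedded in a longer attacker-controlled host, a Reply-To that differs from the sender, links to bare IP addresses, and urgency language. All domains use the reserved .example top-level domain, and every message is fabricated for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Hypothetical list of domains this lawyer already corresponds with (assumption,
# not from the column). The .example TLD is reserved for documentation.
TRUSTED_DOMAINS = {"smithlaw.example", "county-court.example", "myfirm.example"}

# Characters and pairs commonly substituted to build lookalike domains.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "act now", "suspended")
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def normalize(domain: str) -> str:
    """Fold confusable characters so 'srnith1aw' compares equal to 'smithlaw'."""
    d = domain.lower().translate(CONFUSABLE_CHARS)
    for pair, repl in CONFUSABLE_PAIRS:
        d = d.replace(pair, repl)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-typo lookalikes like 'smithlaw.exmaple'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'embedded:<t>', 'lookalike:<t>' or 'unknown'."""
    d = domain.lower()
    if d in trusted or any(d.endswith("." + t) for t in trusted):
        return "trusted"            # the domain itself or a real subdomain of it
    for t in sorted(trusted):
        if t in d:                  # e.g. smithlaw.example.docs-share.example
            return f"embedded:{t}"
        if normalize(d) == normalize(t) or edit_distance(d, t) <= 2:
            return f"lookalike:{t}"
    return "unknown"


def check_text(text: str) -> list:
    """Findings for the body of an email or an SMS: suspicious links and urgency."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        if IPV4_RE.fullmatch(host):
            findings.append(f"ip-literal-link:{host}")
        else:
            verdict = classify_domain(host)
            if verdict != "trusted":
                findings.append(f"link:{verdict}:{host}")
    if any(p in text.lower() for p in URGENCY_PHRASES):
        findings.append("urgency-language")
    return findings


def check_email(raw: str) -> list:
    """Findings for a raw RFC 822 message: sender domain, Reply-To, then subject and body."""
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    verdict = classify_domain(sender_domain)
    if verdict != "trusted":
        findings.append(f"from:{verdict}:{sender_domain}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain.lower():
        findings.append(f"reply-to-mismatch:{reply_to}")
    findings.extend(check_text(msg.get("Subject", "") + "\n" + msg.get_payload()))
    return findings


# Constructed samples, not real correspondence.
SAMPLE_PHISH_EMAIL = """\
From: Jane Doe <jane.doe@srnithlaw.example>
Reply-To: jane.doe@mail-relay.example
Subject: Revised settlement terms
Content-Type: text/plain

Please review the revised terms immediately:
http://smithlaw.example.docs-share.example/settlement.pdf
"""

SAMPLE_LEGIT_EMAIL = """\
From: Jane Doe <jane.doe@smithlaw.example>
Subject: Revised settlement terms
Content-Type: text/plain

The revised draft is in the portal: https://portal.smithlaw.example/matters/123
"""

SAMPLE_SMS = ("County Clerk: your hearing on 5/14 has been moved. Confirm within 24 hours "
              "at http://county-court.example.case-update.example/confirm")

if __name__ == "__main__":
    for label, findings in [("phish email", check_email(SAMPLE_PHISH_EMAIL)),
                            ("legit email", check_email(SAMPLE_LEGIT_EMAIL)),
                            ("sms", check_text(SAMPLE_SMS))]:
        print(f"{label}: {findings or 'no indicators'}")
```

The point of the embedded-domain check is that "smithlaw.example.docs-share.example" is owned by whoever registered docs-share.example, not by the firm, even though the trusted name appears first; the only domains the script treats as trusted are the listed ones and their genuine subdomains. None of this replaces confirming an unexpected request by phone, but it turns the detail a small screen conceals into something a mail filter or a quick script can surface.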
Device Sharing and Lack of Physical Segmentation
Some mobile lawyers use the same personal device for work and personal purposes. This blurring of professional and personal use can lead to unintentional data exposure. For example, a seemingly benign app downloaded for personal use may ask for broad permissions (files, photos, contacts, notifications) that let it read or exfiltrate legal documents and client communications kept on the device, or it may itself be malicious. Android work profiles and MDM-managed app containers on iOS exist precisely to keep work data in a compartment that personal apps cannot reach.
Additionally, family members or other unauthorized individuals may inadvertently see sensitive material if the lawyer does not keep the device locked or separated into distinct user profiles.
Infrequent Backups and Weak Incident Response
Mobile devices are often backed up irregularly, if at all. Unlike firm-managed systems that routinely archive and secure data, lawyers may have no redundant copy of what is on their mobile devices, which limits recovery options after data corruption, device loss, or a ransomware attack. Backups should be automatic, encrypted, and periodically test-restored; a backup that has never been restored is an assumption, not a safeguard.
Absent centralized IT support, mobile lawyers may not follow an established incident response protocol, which delays breach detection, reporting, and containment. ABA Formal Opinion 483 addresses a lawyer’s obligations after an electronic data breach, including the duty to notify affected clients; a solo or small-firm lawyer should decide in advance whom to call, what to preserve, and how to notify, rather than working it out during an incident.
Geographic and Jurisdictional Risks
Mobile lawyers frequently cross state or national borders, which introduces complex data jurisdiction and compliance issues. For example, storing client data on servers in a foreign country may violate local data protection law or conflict with professional conduct rules.
Additionally, a lawyer traveling internationally and using local SIM cards or WiFi services may unknowingly route data through foreign networks, subjecting it to surveillance or seizure under foreign law, and border officials in many countries, including the United States, assert authority to inspect electronic devices at entry. Carrying a travel device that holds only what the trip requires is the simplest mitigation.
Real-World Implications of Security Failures
The implications of these vulnerabilities are not hypothetical. In 2022, a mid-sized law firm in Chicago suffered a ransomware attack that encrypted all of its client files, resulting in missed court deadlines and breach-of-fiduciary-duty claims. Similarly, a solo practitioner in California faced disciplinary action after inadvertently disclosing client communications through a compromised email account. Consequences may include:
- Breach and loss of attorney-client privilege.
- Bar association investigations and disciplinary action.
- Civil liability for negligence or data breach.
- Fines and penalties under data protection laws, such as the Health Insurance Portability and Accountability Act (HIPAA), Europe’s General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), along with obligations under state breach-notification statutes.
- Damage to reputation and loss of client trust.
These incidents illustrate some of the ways mobile-specific vulnerabilities cause significant harm. Mobile compromises often go undetected longer than office breaches, because no one is monitoring the device, which widens the scope and impact of the compromise.