
Insider Threat at Law Firms: Protecting Client Data When Fee Earners Leave

The most damaging data breach a law firm can suffer does not always involve an external attacker. A departing partner taking client relationship data, a laterally moving associate downloading their client files, a disgruntled employee emailing case papers to a competitor — these insider threats are common, often go undetected, and carry the same ICO and SRA consequences as an external attack. The legal sector's reliance on confidentiality agreements rarely extends to the technical controls needed to enforce them.

The legal sector ranks among the top five industries for insider data theft, driven by high staff mobility and relationship-based client data.

The Fee Earner Departure Problem

Law firm departures — particularly at partner or senior associate level — create a predictable insider threat window. In the weeks before resignation or announcement, departing fee earners with legitimate access to client data and client contact information have both the motive and the means to take it. Common exfiltration routes include:

  • Emailing client contact lists and matter documents to personal email addresses
  • Uploading files to personal cloud storage (Dropbox, Google Drive, iCloud)
  • Copying files to USB drives or personal laptops
  • Forwarding email threads with client context to personal accounts
  • Printing physical copies of client information
  • Running exports, reports or searches on firm systems so that the extraction looks like legitimate work activity

The Legal Position: Confidentiality and the SRA

The SRA's position is clear: a fee earner taking client data — even data about clients they personally originated — is a breach of confidentiality that may constitute professional misconduct. The firm holding that data retains its data controller obligations under GDPR and may be liable for the breach. Firms that do not take reasonable steps to prevent and detect insider data theft have limited regulatory defences when the ICO investigates.

Technical Controls That Detect and Prevent Insider Exfiltration

Preventing and detecting insider threat requires different controls from defending against external attacks:

  • Data Loss Prevention (DLP): monitoring and blocking large transfers of files to external destinations
  • BlackFog: prevents data from leaving the device entirely — the most effective control at the endpoint level
  • Email monitoring: alerts on large attachments sent to personal email domains and on newly created bulk forwarding rules
  • Cloud storage blocking: preventing upload to consumer cloud services from firm devices
  • Access reviews: regular review of who has access to which client matter files, particularly for staff in notice periods
  • USB port controls: restricting use of removable media on firm devices
  • Departure process: immediate access suspension or tightening when a resignation is received
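As an added illustration (not code from the original article or from any vendor product) of the email-monitoring and departure-process signals in the list above: a small Python detector that runs over constructed audit-log events and flags large attachments sent to personal domains, repeated sends to personal domains, and newly created forwarding rules, marking any hit from a user in their notice period. The event format, the personal-domain list, the thresholds and the notice-period feed are all assumptions for the example.

```python
# Added example, not from the original article: a minimal detector for the
# email-monitoring signals described above, run over constructed audit events.
# Field names, thresholds and the notice-period list are assumed, not any
# real product's schema.
import json
from collections import defaultdict

PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "icloud.com", "yahoo.co.uk"}
LARGE_ATTACHMENT_BYTES = 10 * 1024 * 1024   # 10 MB, assumed threshold
BULK_SEND_THRESHOLD = 3                      # sends to personal domains per user
IN_NOTICE_PERIOD = {"jsmith"}                # assumed HR feed of resigned staff

# Constructed sample events (one JSON object per mail send or mailbox change).
SAMPLE_LOG = """
{"ts":"2024-05-01T08:02:11Z","user":"jsmith","event":"send","to":"j.smith.private@gmail.com","attachment_bytes":52428800,"subject":"Client list export"}
{"ts":"2024-05-01T08:05:40Z","user":"jsmith","event":"send","to":"j.smith.private@gmail.com","attachment_bytes":2097152,"subject":"Re: Matter 1001 papers"}
{"ts":"2024-05-01T08:07:02Z","user":"jsmith","event":"send","to":"j.smith.private@gmail.com","attachment_bytes":1048576,"subject":"Re: Matter 1002 papers"}
{"ts":"2024-05-01T09:15:00Z","user":"jsmith","event":"inbox_rule_created","rule":"forward all to j.smith.private@gmail.com"}
{"ts":"2024-05-01T09:30:00Z","user":"akhan","event":"send","to":"counsel@chambers.example","attachment_bytes":3145728,"subject":"Bundle"}
{"ts":"2024-05-01T10:00:00Z","user":"akhan","event":"send","to":"akhan@outlook.com","attachment_bytes":1024,"subject":"Parking receipt"}
"""

def detect(log_text: str) -> list[dict]:
    """Return alerts for large sends to personal domains, repeated sends to
    personal domains, and forwarding rules; flag users in a notice period."""
    alerts, sends_to_personal = [], defaultdict(int)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        user, notice = ev["user"], ev["user"] in IN_NOTICE_PERIOD
        if ev["event"] == "send":
            domain = ev["to"].rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_DOMAINS:
                sends_to_personal[user] += 1
                if ev["attachment_bytes"] >= LARGE_ATTACHMENT_BYTES:
                    alerts.append({"user": user, "rule": "large_attachment_personal",
                                   "notice_period": notice, "ts": ev["ts"]})
                if sends_to_personal[user] == BULK_SEND_THRESHOLD:
                    alerts.append({"user": user, "rule": "bulk_send_personal",
                                   "notice_period": notice, "ts": ev["ts"]})
        elif ev["event"] == "inbox_rule_created" and "forward" in ev["rule"].lower():
            alerts.append({"user": user, "rule": "forwarding_rule_created",
                           "notice_period": notice, "ts": ev["ts"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In practice the notice-period set would be fed from HR so that hits from resigning staff are escalated rather than queued with routine DLP noise.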

Frequently Asked Questions

Can we monitor a departing partner's use of our systems without breaching their privacy?

Yes, with appropriate notice. Your acceptable use policy, which staff should sign at employment commencement, should state that firm systems may be monitored for security purposes. This provides the lawful basis for monitoring. You should take legal advice on proportionality before implementing enhanced monitoring in specific cases, particularly at partner level.

What do we do if we discover a former fee earner has taken client data?

Act immediately: notify your professional indemnity insurer, take legal advice on injunctive relief, consider whether the ICO must be notified (if the data removed is personal data that you no longer control), notify affected clients if the data is at risk of misuse, and consider a complaint to the SRA about the departed individual's conduct.

Does client data belong to the firm or the fee earner who originated the relationship?

The data belongs to neither the firm nor the individual fee earner — it belongs to the client and is held by the firm under obligations of confidentiality. The fee earner has no right to take it. Client contact details may be different — courts have recognised that personal knowledge of clients can be taken as memory, but downloading databases of client information is data theft.

Prevent data exfiltration — including from your own staff

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
