Protect Your Law Firm By Securing Your Devices

It’s 2:00 PM on a Thursday afternoon. Your senior partner finishes a client meeting at a coffee shop, packs up her laptop, and rushes to catch a cab to the courthouse. Twenty minutes later, she realizes her phone is still on the table at the cafe. That phone contains client emails from the past six months, settlement negotiations in three active cases, and access to your firm’s document management system. By the time she returns, the phone is gone.

This scenario happens more than office managers want to admit. Lawyers carry their entire practice in their pockets. They review documents on tablets during commutes, answer client emails from their phones at dinner, and access case files from wherever they happen to be. Mobile devices have made legal practice more flexible, but they’ve also created security vulnerabilities that most firms haven’t addressed. Every smartphone and tablet that touches your firm’s data is a potential breach waiting to happen.

Why Mobile Devices Are Your Biggest Security Gap

Your firm probably has firewalls protecting the office network. You’ve got password requirements for desktop computers. You might even have encrypted backup systems. But what about the phones in everyone’s pockets? Those devices connect to your practice management software, sync with your email server, and store client documents in ways you can’t see or control. They’re mini computers with the same vulnerabilities as any other system, except they leave the building every night and connect to networks you don’t manage.

The numbers tell the story. Law firms experience data breaches from lost or stolen mobile devices at higher rates than any other source except phishing attacks. A phone left in an Uber contains the same confidential client information as a filing cabinet full of paper files, but it’s harder to track and easier to exploit. When someone steals a laptop from your office, you know it’s gone. When a paralegal loses their phone at a bar, they might not report it until the next morning, if at all.

PIPEDA requires law firms to implement security safeguards appropriate to the sensitivity of the information you handle. The Law Society of Ontario expects lawyers to protect client confidentiality through reasonable security measures. Neither of these obligations disappears just because the data lives on a mobile device instead of a desktop computer. If anything, mobile devices require stronger protections because they’re more vulnerable to loss, theft, and unauthorized access.

The BYOD Problem Nobody Wants to Talk About

Many Ontario law firms operate under an unofficial bring-your-own-device policy without calling it that. Partners use their personal iPhones, and associates access case files from their Android tablets. Nobody issued these devices or manages them. Nobody knows what apps are installed or what security settings are enabled. The firm just assumes everything is fine because nothing has gone wrong yet.

This approach worked when mobile devices were for phone calls and maybe checking email. It doesn’t work now that lawyers can edit pleadings, review discovery documents, and access client trust account information from their phones. Your associate’s phone has client files sitting next to their kids’ games and their spouse’s shopping apps: one malicious app with excessive permissions can access everything on that device, including your firm’s confidential information.

Required Security Controls for Mobile Devices

Every device that accesses your firm’s data needs encryption turned on. iPhones encrypt automatically when you set a passcode, while Android devices need encryption enabled in settings, and many older Android phones can’t encrypt at all. If someone on your staff is using a phone that can’t encrypt data, that device shouldn’t touch client information.

Multi-factor authentication needs to be mandatory, as passwords alone don’t protect anything anymore. Stolen credentials are everywhere, and lawyers reuse passwords across multiple services more than they’d like to admit. MFA adds a second layer that makes stolen passwords worthless.

Remote wipe capability matters more than most firms realize. When a device goes missing, you need the ability to erase all data on it remotely before someone accesses client files. This is controversial with BYOD policies because wiping a device also deletes personal photos, text messages, and everything else on the phone. Staff need to know this is part of the deal if they use their own phones. The alternative is leaving client information accessible to whoever finds or steals the device.

App Permissions and the Risks You Can’t See

Most people tap “Accept” on app permissions without reading what they’re agreeing to. That flashlight app wants access to your contacts, your location, your camera, and your microphone. The game your paralegal downloaded wants permission to read all files on the device. Once it’s granted, the app can access all files, including the confidential settlement agreement you reviewed last night.

Malicious apps are a real threat, but poorly designed legitimate apps create problems too. They request more permissions than they need, store data insecurely, and send information to servers in countries where your firm’s data shouldn’t go. Staff don’t think about these issues when they’re downloading apps for personal use, but those same apps sit on devices that access your client data. One compromised app can be an entry point for attackers who want to reach your firm’s network.

Mobile Device Management software lets you control which apps can be installed on devices that access firm data. You can block categories of apps entirely, require approval before certain apps install, monitor for apps with known security vulnerabilities, and force their removal. This level of control makes staff uncomfortable when it’s their personal device, which is why clear policies about acceptable use need to be in place before problems occur.
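To make the block / require-approval / force-removal rules above concrete, here is an added example (not code from the article or from any MDM product) that reviews a constructed app inventory against a small firm policy. The permission labels, app categories and app names are hypothetical; they are not a real platform's permission identifiers. An app is marked for removal if it is in a blocked category or has a known vulnerability, held for approval if its category requires sign-off, and flagged for review if it asks for sensitive permissions its category has no business needing (the flashlight app that wants contacts, location, camera and microphone).

```python
"""Review installed apps against a firm mobile-app policy.

Added example, not from the article. Models the allowlist / blocklist /
approval-required decisions an MDM tool enforces, using a constructed
inventory. Permission names and categories are hypothetical labels.
"""
from collections import Counter
from dataclasses import dataclass, field

# Permissions that expose client data or the device's surroundings (hypothetical labels).
SENSITIVE_PERMISSIONS = {"contacts", "location", "camera", "microphone", "storage_all_files"}

# Sensitive permissions a category plausibly needs; anything beyond this is excess.
EXPECTED_BY_CATEGORY = {
    "flashlight": set(),
    "game": set(),
    "messaging": {"contacts", "camera", "microphone"},
    "navigation": {"location"},
    "document_editor": {"storage_all_files"},
}

BLOCKED_CATEGORIES = {"game"}        # never allowed on a device that touches client data
APPROVAL_CATEGORIES = {"messaging"}  # allowed only after explicit sign-off


@dataclass
class App:
    name: str
    category: str
    permissions: set
    known_vulnerable: bool = False
    approved: bool = False


@dataclass
class Finding:
    app: str
    action: str  # "remove", "needs_approval", "review" or "ok"
    reasons: list = field(default_factory=list)


def review_app(app: App) -> Finding:
    """Decide what the firm should do about one installed app."""
    reasons = []
    if app.known_vulnerable:
        reasons.append("known security vulnerability")
    if app.category in BLOCKED_CATEGORIES:
        reasons.append(f"category '{app.category}' is blocked")
    if reasons:
        return Finding(app.name, "remove", reasons)

    # Sensitive permissions the app requests but its category does not justify.
    excess = (app.permissions & SENSITIVE_PERMISSIONS) - EXPECTED_BY_CATEGORY.get(app.category, set())
    if excess:
        reasons.append(f"excess sensitive permissions: {sorted(excess)}")

    if app.category in APPROVAL_CATEGORIES and not app.approved:
        reasons.append("category requires approval before install")
        return Finding(app.name, "needs_approval", reasons)
    if excess:
        return Finding(app.name, "review", reasons)
    return Finding(app.name, "ok", reasons)


def review_device(apps) -> dict:
    """Map app name -> Finding for every app on a device."""
    return {app.name: review_app(app) for app in apps}


def summarize(findings: dict) -> dict:
    """Count findings per action so an office manager sees the workload at a glance."""
    return dict(Counter(f.action for f in findings.values()))


# Constructed inventory for one device; names and permissions are made up.
SAMPLE_APPS = [
    App("BrightTorch", "flashlight", {"contacts", "location", "camera", "microphone"}),
    App("CastleRush", "game", {"storage_all_files"}),
    App("FirmDocs", "document_editor", {"storage_all_files"}),
    App("ChatLite", "messaging", {"contacts", "camera", "microphone", "location"}),
    App("OldPDFViewer", "document_editor", {"storage_all_files"}, known_vulnerable=True),
]

if __name__ == "__main__":
    results = review_device(SAMPLE_APPS)
    for name, finding in results.items():
        print(f"{name:14} {finding.action:15} {'; '.join(finding.reasons)}")
    print(summarize(results))
```

The policy tables are deliberately data, not code: in practice the approval and blocked lists come from the firm's written acceptable-use policy, and the review step is where a person decides whether an over-privileged but legitimate app stays.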

Public WiFi and the Networks You Don’t Control

Lawyers work from coffee shops, airport lounges, client offices, and hotel rooms. Every one of these locations offers free WiFi, and every one of those networks is a security risk. Public WiFi networks don’t encrypt traffic by default, so anyone else on that network can intercept the data moving between your device and the internet. That includes emails, document downloads, and login credentials if you’re not using additional protection.

Virtual Private Networks create encrypted tunnels for your data even when the underlying network isn’t secure. Every device that accesses firm data from outside the office needs VPN software installed and configured, and staff need to be trained to connect to the VPN before they do anything else on public networks. This basic security control can protect the firm against one of the most common attack vectors.

Start Moving Forward Today

Start with an assessment of what devices currently access your firm’s data. Ask staff to report every device they use for work-related tasks, even occasionally, and document the operating systems, security settings, and apps installed. This baseline shows you where the gaps are and lets you prioritize improvements.
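An added example (not from the article) of what that baseline can look like once the reported devices are written down: a constructed inventory is checked against the controls described earlier on this page (encryption, multi-factor authentication, remote wipe, VPN for use off the office network) and the gaps are ranked so the devices that actually touch client data come first. Owner names, field names and severities are hypothetical choices for the example; the encryption rule follows the page's statement that an iPhone encrypts once a passcode is set while Android needs encryption enabled explicitly.

```python
"""Baseline assessment of devices that access firm data.

Added example, not from the article. Evaluates a constructed device
inventory against the controls the article lists and produces a
prioritized gap list. Field names and severity labels are hypothetical.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Device:
    owner: str
    platform: str               # "ios" or "android"
    passcode_set: bool
    encrypted: bool             # explicit encryption setting (relevant on Android)
    mfa_enrolled: bool
    remote_wipe_enrolled: bool
    vpn_configured: bool
    accesses_client_data: bool
    used_outside_office: bool


def effective_encryption(d: Device) -> bool:
    """iPhones encrypt automatically once a passcode is set; Android must enable it."""
    if d.platform == "ios":
        return d.passcode_set
    return d.encrypted


def assess_device(d: Device) -> list:
    """Return (severity, description) pairs for every missing control."""
    gaps = []
    if not effective_encryption(d):
        gaps.append(("critical", "no device encryption; must not access client data until enabled"))
    if not d.mfa_enrolled:
        gaps.append(("high", "MFA not enrolled"))
    if not d.remote_wipe_enrolled:
        gaps.append(("high", "not enrolled for remote wipe"))
    if d.used_outside_office and not d.vpn_configured:
        gaps.append(("medium", "no VPN configured for networks the firm does not control"))
    return gaps


def allowed_to_access_client_data(d: Device) -> bool:
    """A device with any critical gap should not touch client information."""
    return not any(sev == "critical" for sev, _ in assess_device(d))


def prioritize(devices) -> list:
    """Flatten all gaps and order them: severity first, then client-data devices, then owner."""
    rows = []
    for d in devices:
        for sev, msg in assess_device(d):
            rows.append({"owner": d.owner, "severity": sev, "gap": msg,
                         "client_data": d.accesses_client_data})
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], 0 if r["client_data"] else 1,
                             r["owner"], r["gap"]))
    return rows


# Constructed inventory; owners and settings are made up for the example.
SAMPLE_DEVICES = [
    Device("Partner A", "ios", passcode_set=True, encrypted=False, mfa_enrolled=True,
           remote_wipe_enrolled=True, vpn_configured=False, accesses_client_data=True,
           used_outside_office=True),
    Device("Associate B", "android", passcode_set=True, encrypted=False, mfa_enrolled=False,
           remote_wipe_enrolled=False, vpn_configured=True, accesses_client_data=True,
           used_outside_office=True),
    Device("Paralegal C", "android", passcode_set=True, encrypted=True, mfa_enrolled=True,
           remote_wipe_enrolled=False, vpn_configured=True, accesses_client_data=False,
           used_outside_office=False),
    Device("Partner D", "ios", passcode_set=False, encrypted=False, mfa_enrolled=True,
           remote_wipe_enrolled=True, vpn_configured=True, accesses_client_data=True,
           used_outside_office=True),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_DEVICES):
        print(f"{row['severity']:8} {row['owner']:12} {row['gap']}")
    for d in SAMPLE_DEVICES:
        print(d.owner, "may access client data:", allowed_to_access_client_data(d))
```

Rerunning the same check after each round of fixes turns the one-off assessment into the ongoing baseline the page describes, and the `allowed_to_access_client_data` result is the rule to enforce in the meantime: an unencrypted device stays off client files until it is fixed.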

Mobile devices aren’t going away, and lawyers won’t stop working remotely. The good news is that the tools and practices to secure mobile devices are readily available and straightforward to implement. Address this now while you can plan carefully, rather than scrambling to respond after an incident forces your hand.