CLA News / The Cybersecurity Challenges of Mobile Legal Practice by Bill Holohan SC

10/10/2025

Part One: Evolving Legal Workflows in a Mobile World

Introduction

Since the early 1990s, legal professionals have increasingly embraced mobility in their work. For over three decades, I have practiced primarily in Dublin while residing in Cork, while also operating across nearly every county in Ireland. Since establishing my own firm in 1998, a sustained investment in mobile technologies allowed me to work seamlessly across remote locations. Notably, in 2004 (at a time when I still had hair and it was red), I was featured in a Vodafone advertisement illustrating what was then considered the cutting-edge and innovative application of mobile technology—conducting legal work while travelling in a taxi.[2]

This example of early adoption highlights both the immense benefits and the critical risks associated with mobile lawyering. Mobile legal professionals are exposed to a distinct set of cybersecurity vulnerabilities, including phishing schemes, compromised public WiFi networks, man-in-the-middle attacks (including diversion of funds transfers), ransomware, and other advanced digital threats. Unlike traditional law offices, which can benefit from robust IT infrastructure (where it exists), mobile practitioners often lack consistent access to secure networks, firewalls, and dedicated IT oversight.

Smaller screens and multi-tasking further compound the risks, making it more difficult to detect malicious links or spoofed sender details. However, these risks are not insurmountable. Legal professionals can safeguard their data through strategic use of encryption, secure communication protocols, application vetting, and regular cybersecurity training.

Shifting Norms and Persistent Vulnerabilities

In 1998, the notion of a mobile solicitor was virtually unknown. To avoid having to drag filing cabinets up and down from Cork to Dublin, technologies such as digital dictation had to be imported by me from the USA, and remote access was constrained by dial-up internet. The widespread shift to remote work accelerated significantly during the COVID-19 pandemic, when many firms discovered that productivity remained stable despite physical distance from traditional office spaces.

Post-pandemic, a hybrid or fully mobile work model has become the norm for many solicitors. Legal professionals now draft documents, respond to urgent communications, and attend virtual court hearings from homes, holiday rentals, taxis, airports, and more—often using unsecured networks. This transformation has permanently altered the landscape of legal practice in Ireland and beyond.

Many legal professionals have not returned to physical offices. In fact, entire practices now operate remotely, with in-person meetings becoming infrequent exceptions. This paradigm shift is expected to endure.

Digital Native Solicitors: Embracing Convenience While Managing Risk

As mobile work increases, so does reliance on smartphones, tablets, and laptops. This convenience comes at a price. Mobile solicitors frequently work outside of controlled environments and handle sensitive information on devices that are constantly exposed to cyber threats.

Unlike centralized systems in larger firms, personal mobile devices often lack enterprise-level cybersecurity safeguards. These devices—carrying confidential client communications, legal strategies, evidence, and access credentials—are effectively briefcases left ajar in the digital world.

Solo practitioners and small firms, which may lack dedicated IT departments or comprehensive cybersecurity protocols, face significantly higher exposure. Public networks, outdated software, and the informal use of personal devices for professional tasks multiply risk factors.

Recent data from the Cisco Cyber Threat Trends Report[3] and Kaspersky Security Insights (2024)[4] underscores the scale of the threat:

  • Over 4 million social engineering attacks targeted mobile users.
  • iOS devices saw twice as many phishing incidents as Android devices.
  • 427,000 malicious apps were discovered on enterprise devices.
  • 6 million apps with known vulnerabilities were detected.
  • 3 million malicious or unwanted mobile software threats were blocked.
  • 1 million installation packages were deemed malicious or suspicious, including nearly 69,000 linked to banking trojans.

Although these numbers only reflect attacks detected by Cisco and Kaspersky systems, they represent a serious indication of widespread vulnerabilities.

Given their professional obligations under the Guide to Professional Conduct (Fourth Edition), solicitors must proactively mitigate cybersecurity risks associated with mobile lawyering. As the Guide puts it:

“The principal or partners of a firm should use reasonable endeavours to prevent a breach of security and confidentiality. All solicitors have a duty to ensure adherence to GDPR requirements. Solicitors should ensure a level of security appropriate to risks within their practice.

It is recommended that firm owners should ensure an appropriate level of security, both physical and cyber, to mitigate the risks of loss to clients’ monies and assets.”[5]

Part Two: Core Threats Facing Mobile Solicitors

  1. Insecure Public Networks.

Mobile solicitors often rely on WiFi at cafes, hotels, airports, and courthouses. These networks are frequently unencrypted and susceptible to data interception. Cybercriminals may set up rogue access points—networks with names like “FreeHotelWiFi”—to lure users into connecting and unknowingly transmitting sensitive information.

  2. Device Loss or Theft.

Physical devices can be stolen or misplaced, especially while traveling. (Indeed, in February last I suffered the theft of a mobile phone myself.) Without encryption or strong access controls, unauthorized access can lead to the exposure of sensitive emails, documents, and login credentials. Traditional offices benefit from physical security measures rarely available to mobile professionals.

  3. Multi-App Usage Without Vetting.

Using a wide variety of apps—messaging, file-sharing, time tracking, document editing—opens new vulnerabilities. Unvetted apps may lack encryption, store data in non-compliant jurisdictions, or leak information through permissions and metadata.

  4. Email and SMS Exploits.

Mobile screens and fast-paced communication habits make it easier for attackers to succeed with phishing and smishing (SMS phishing). A solicitor may click a link or respond to an urgent-sounding message without verifying its authenticity, exposing accounts or installing malware.

  5. Device Sharing and Personal Use.

Using one device for both personal and professional tasks can lead to accidental data exposure. Apps installed for personal reasons may access storage that contains client files. Family members may also inadvertently compromise the device if it is not properly secured.

  6. Lack of Backups and Response Plans.

Many mobile devices are not regularly backed up. In the event of ransomware, device loss, or corruption, solicitors may be unable to recover critical data. Without clear incident response procedures, detection and containment may be delayed, worsening the breach.

  7. Jurisdictional Compliance Risks.

Solicitors operating across borders—such as a Newry-resident Irish solicitor working in Dublin—must be cautious about data jurisdiction. Storing client data on servers outside the EU, including in the UK, may contravene GDPR or professional conduct standards.

Real-World Consequences

Security failures are not theoretical. In 2021, Ireland’s Health Service Executive suffered a ransomware attack that shut down national health IT systems. In the U.S., the American Bar Association reported that in 2022 a mid-sized Chicago law firm was paralyzed by a ransomware attack, and a California solo practitioner faced disciplinary action after client data was exposed via compromised email.

For solicitors, the consequences may include:

  • Breach of solicitor-client privilege,
  • LSRA or Data Protection Commissioner complaints and investigations with associated penalties and fines,
  • Civil liability, and
  • Reputational damage and client loss.

Best Practices for Cybersecurity in a Mobile Legal Environment

  • Use VPNs: Secure traffic on public or unknown networks with a firm-approved virtual private network (VPN).
  • Enable Full-Disk Encryption: Use tools such as FileVault (Apple)[6] or BitLocker (Windows)[7] and enforce biometric security features.
  • Implement Multifactor Authentication (MFA): Add a second layer of access control through time-based codes or biometrics.
  • Keep Software Updated: Enable automatic updates and maintain an inventory of devices.
  • Choose Secure Legal Tech: Use platforms certified under ISO 27001[8] or SOC 2,[9] with encryption and audit capabilities.
  • Adopt MDM Solutions: Mobile Device Management software allows firms to enforce policies, monitor usage, and remotely wipe lost or stolen devices.
  • Train Continuously: All legal staff should undergo regular cybersecurity training tailored to mobile threats. The Law Society provides significant and valuable advice and resources in this regard.[10]
  • Apply Zero-Trust Principles: Assume no device or user is inherently trustworthy. Continuously verify access and segment networks to limit breaches.
  • Regularly Back Up Data and Define Response Plans: Ensure secure, cloud-based backups and develop clear protocols for responding to breaches.

Conclusion: Security in the Era of Mobile Legal Practice

Mobile lawyering is no longer a fringe activity; it is a central feature of 21st-century legal practice. The convenience it offers is matched by the responsibility to safeguard sensitive data in the absence of traditional firm infrastructure.

By adopting robust cybersecurity protocols and integrating them into daily routines, mobile solicitors can meet their ethical obligations, protect client interests, and continue to thrive in a digital-first professional environment.

Bill Holohan SC [1]

Senior Partner at Holohan Lane LLP, Waterview House, Sundays Well Road, Cork, and The Capel Building, St Mary’s

FOOTNOTES:

[1] Bill Holohan SC is the Senior Partner of Holohan Lane LLP Solicitors, is a former chair of the Law Society’s Professional Indemnity Insurance Committee, is a member of the Guidance & Ethics Committee and of the Curriculum Development Unit.

[2] No “appearance fee” was paid – just a donation to the Children’s Hospital in Dublin.

[3] Cisco Cyber Threat Trends Report From Trojan Takeovers to Ransomware Roulette, https://learn-cloudsecurity.cisco.com/umbrella-library/cyber-threat-trends-report

[4] Kaspersky Security Insights (2024).

[5] Guide to Professional Conduct (Fourth Edition), page 112.

[6] FileVault is Apple’s full-disk encryption technology that secures the data on your Mac’s startup disk. It encrypts the entire disk, requiring a password or recovery key to access the data, including during startup. FileVault enhances data protection, especially on devices with Apple silicon or the T2 chip, by leveraging hardware security features.

[7] BitLocker is a full-volume encryption feature built into Windows operating systems, designed to protect data by encrypting the entire drive. This helps prevent unauthorized access to sensitive information if a device is lost, stolen, or inappropriately decommissioned. It’s a security feature that encrypts your drive and requires authentication to unlock it.

[8] ISO 27001 is the leading international standard for information security management systems (ISMS). It provides a framework for organizations to establish, implement, maintain, and continually improve their ISMS. This standard helps organizations manage the security of their information assets and ensure the confidentiality, integrity, and availability of their data.

[9] SOC 2, which stands for System and Organization Controls 2, is a security framework developed by the AICPA to help service organizations manage and protect customer data. It focuses on how companies handle sensitive data, particularly in the cloud, and ensures they have appropriate security controls in place. SOC 2 compliance is often a requirement for organizations that provide services to other businesses and handle their data.

[10] Cyber security and your practice https://www.lawsociety.ie/Solicitors/business-career-resources/Cybersecurity/