The 'Shadow IT' Problem: How Lawyers Are Creating Data Security Nightmares
There’s an old saying in cybersecurity: “Your biggest security risk isn’t the hacker in a hoodie, it’s the well-meaning employee with a Dropbox account.” Now, replace “employee” with “lawyer,” and the risk level multiplies. Welcome to the world of Shadow IT, where attorneys, often unintentionally, create data security nightmares for their firms and clients. (Rather than call out “company” and “firm” throughout this article, I will collectively refer to “firm.”)
You may be thinking that cybersecurity is something that your IT department handles, and your role is limited. That belief could not be farther from the truth. As attorneys who are bound by ethical obligations to protect client and confidential information, our obligations begin and end with our own actions.
What Is Shadow IT?
Shadow IT refers to the use of unauthorized applications, cloud services, or devices within an organization, outside the control or knowledge of the IT and security teams. In law firms and in-house legal departments, this usually looks like:
- Personal email accounts used to send large files that won’t fit in firm email systems.
- Dropbox, Google Drive, or OneDrive for quick file-sharing when firm systems feel too slow or restrictive.
- WhatsApp, Signal, or Slack for client or internal communications because email is “too slow.”
- Unapproved AI tools for drafting and summarization because these tools offer efficiency gains that lawyers often find hard to resist.
- Personal laptops, tablets, or mobile devices used to access firm data without security controls or oversight.
The problem? These tools, while convenient, bypass firm policies, circumvent security controls, and introduce serious compliance risks that can lead to real consequences.
Why Do Lawyers Use Shadow IT?
Before the IT team starts drafting their strongly worded email, it is worth acknowledging the reality that most lawyers are not doing this to be reckless. The main drivers of Shadow IT in legal practice include:
- Efficiency Over Security: If it takes multiple IT tickets and approvals just to access a basic file-sharing tool, lawyers will find an easier workaround.
- Client Expectations: Clients often have their own preferred platforms and may push their outside counsel to use them. A law firm that resists may risk alienating a client. (And it is worth noting that clients who insist on their own preferred platforms may unintentionally be making their data less safe.)
- Rigid IT Policies: If firm-approved tools are outdated, slow, or too restrictive, lawyers will opt for what actually works.
- Remote Work Culture: The pandemic made it normal to use personal devices and cloud-based solutions for work, and many never reverted to more traditional systems.
The Hidden Risks of Shadow IT
Shadow IT is not just an IT department annoyance. It is a serious data security, ethical and regulatory problem that can have costly consequences, such as:
- Data Leaks and Loss. Without firm oversight, files stored in personal cloud accounts or shared through unsecured apps can be lost, deleted, or accessed by unauthorized individuals. Many consumer-grade tools lack proper encryption and access controls, enforce only minimal password rules, and do not require multifactor authentication, making them easy targets for cyberattacks. When sensitive client data is involved, even a minor breach can be catastrophic.
- The Breaking of Retention. When data is stored on systems outside the firm’s control or knowledge, it is impossible to properly enforce a data retention policy. Additionally, when an attorney leaves a firm with that data, it is impossible for that firm to protect that data.
- Regulatory and Compliance Violations. For firms handling GDPR, CCPA, or HIPAA data, storing information outside of firm-approved systems can create significant compliance risks. Additionally, improper storage can jeopardize the attorney-client privilege in many situations. Imagine standing before a regulatory body and explaining how a confidential contract leaked because a lawyer found the firm’s document management system too frustrating to use.
- Ethical Implications. Under ABA Model Rule 1.6, attorneys must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” If client documents are sitting in a lawyer’s personal Google Drive, that may be a direct violation of this ethical duty. Even worse, if that Google Drive account is compromised, the breach may not even be noticed until it is too late and/or proper mitigation and notification cannot occur.
- Increased Cybersecurity Risks. Unapproved applications do not go through security testing, which leaves the firm vulnerable to malware, phishing and ransomware attacks. If a lawyer’s personal file-sharing account is hacked, there may be no visibility into what data has been exposed. Unlike firm-approved tools that have centralized logging and monitoring, Shadow IT solutions often provide no audit trail, making incident response difficult or impossible.
What Can Law Firms and Legal Departments Do?
Now that we have established that Shadow IT is a widespread and serious issue, what is the solution? Simply creating a policy banning nonapproved tools and hoping for the best will not work. Lawyers who need a faster or more convenient option will continue to find workarounds. Instead, firms should take a balanced and strategic approach to managing this problem.
- Make Approved Tools More User-Friendly. If firm-sanctioned tools are slow, outdated, or require too many steps to complete a simple task, lawyers will default to Shadow IT. Firms should invest in modern, user-friendly legal tech solutions that integrate smoothly with daily workflows and do not create unnecessary friction.
- Provide Secure File-Sharing Solutions. If lawyers are turning to personal Dropbox or Google Drive accounts because the firm’s document-sharing system is too complicated, then the firm needs to reevaluate its solutions. A firm-approved secure, easy-to-use document-sharing platform should be in place and widely accessible. To be clear, a small population that finds existing solutions inconvenient does not mean a complete revamp is required. It is not possible to please everyone.
- Educate, Rather Than Punish. A strict policy against Shadow IT is necessary, but it will not be effective unless lawyers understand why it matters. Rather than relying on dense, technical policy documents, firms should hold short, practical training sessions that focus on real-world risks and provide concrete examples of what can go wrong.
- Proactively Monitor and Address Shadow IT. Firms should use network monitoring tools to detect unauthorized applications and proactively address emerging risks. If a large number of lawyers are using a specific tool, firms should consider whether it makes sense to vet and approve that tool rather than simply prohibiting it.
- Establish an AI and Cloud Application Approval Process. For AI-driven legal tools and cloud applications, there should be a clear, streamlined approval process so that lawyers do not feel the need to circumvent security controls. If approvals take too long or are unnecessarily complex, Shadow IT will thrive.
- Enforce Security on Personal Devices. Many lawyers prefer to work from personal devices, whether at home or on the go. Instead of fighting this trend, firms should require security measures like endpoint protection, encryption, and mobile device management (MDM) to ensure firm data remains protected.
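The monitoring step above is usually the point at which a firm first learns which unsanctioned services are actually in use. The following is an added example, not code from the article or from any firm's tooling, of how that detection can be done at its simplest: web-proxy log lines are parsed, the destination host is compared against a hypothetical list of firm-sanctioned services and a list of the consumer tools the article names, and the flagged hits are ranked by how many distinct users touched each category. The log format, the sanctioned host names, and the domain-to-category mapping are all assumptions chosen for the example; a real deployment would draw them from the proxy or CASB in use.

```python
"""Flag Shadow IT usage in web-proxy logs by checking destination hosts
against a sanctioned-service list.

Added example for illustration. The log format, host names and category
mapping below are assumptions, not the article's or any firm's real data.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed: services the firm has vetted and approved (hypothetical hosts).
SANCTIONED_HOSTS = {
    "dms.example-firm.internal",
    "sharefile.example-firm.com",
    "mail.example-firm.com",
}

# Assumed: consumer-grade services grouped by the kind of Shadow IT they
# represent. A host matches if it equals the suffix or is a subdomain of it.
UNSANCTIONED_SUFFIXES = {
    "dropbox.com": "personal file-sharing",
    "drive.google.com": "personal file-sharing",
    "onedrive.live.com": "personal file-sharing",
    "web.whatsapp.com": "unapproved messaging",
    "signal.org": "unapproved messaging",
    "slack.com": "unapproved messaging",
    "chat.openai.com": "unapproved AI tool",
    "mail.google.com": "personal email",
}

# Constructed sample proxy log: timestamp, user, method, URL, HTTP status.
SAMPLE_LOG = """\
2025-03-10T09:14:02Z jsmith POST https://www.dropbox.com/upload?x=1 200
2025-03-10T09:15:40Z jsmith GET https://dms.example-firm.internal/doc/42 200
2025-03-10T10:02:11Z alee POST https://chat.openai.com/backend-api/conversation 200
2025-03-10T10:03:55Z alee GET https://drive.google.com/drive/my-drive 200
2025-03-10T11:30:09Z rkhan GET https://sharefile.example-firm.com/inbox 200
2025-03-10T11:31:00Z rkhan POST https://api.slack.com/api/files.upload 200
2025-03-10T12:00:00Z jsmith GET https://content.dropbox.com/file/abc 200
"""


def parse_line(line):
    """Split one space-separated log line into its fields and extract the host."""
    ts, user, method, url, status = line.split()
    return {"ts": ts, "user": user, "method": method,
            "host": urlsplit(url).hostname, "status": status}


def classify_host(host):
    """Return the Shadow IT category for a host, or None if sanctioned/unknown."""
    if host in SANCTIONED_HOSTS:
        return None
    for suffix, category in UNSANCTIONED_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    # Unknown hosts are not flagged here; a fuller pipeline would queue them
    # for review rather than silently ignoring them.
    return None


def find_shadow_it(log_text):
    """Map category -> host -> set of users seen contacting that host."""
    findings = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        category = classify_host(rec["host"])
        if category:
            findings[category][rec["host"]].add(rec["user"])
    # Convert to plain dicts so callers cannot accidentally create keys.
    return {c: dict(h) for c, h in findings.items()}


def adoption_report(findings):
    """Rank categories by distinct-user count, most widely used first.

    This is the view the article asks for: a tool many lawyers already use
    is a candidate for vetting and approval, not just for blocking.
    """
    rows = []
    for category, hosts in findings.items():
        users = set().union(*hosts.values())
        rows.append((category, len(users), sorted(users)))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


if __name__ == "__main__":
    for category, count, users in adoption_report(find_shadow_it(SAMPLE_LOG)):
        print(f"{category}: {count} user(s) -> {', '.join(users)}")
```

Running the block against the constructed log reports personal file-sharing as the most widely used category (two users across Dropbox and Google Drive), with the AI tool and Slack each used by one person. Suffix matching is deliberate: consumer services spread across many subdomains (`www.`, `content.`, `api.`), and matching only the exact host would miss most of the traffic. The same structure works for DNS query logs by substituting the query name for the URL host.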
Final Thoughts: A Smarter Approach to IT Governance
Shadow IT is not just an issue of compliance. It is a significant security threat that undermines the confidentiality and integrity of client data. The goal should be to eliminate Shadow IT entirely rather than simply minimizing risk. While some may argue that total elimination is unrealistic, law firms often must prioritize security over convenience when sensitive information is at stake.
A smarter approach is to make secure solutions accessible, enforce policies consistently, and educate attorneys on the critical risks involved. By doing so, law firms and legal departments can create a more secure environment while ensuring that lawyers have the necessary tools to work efficiently without compromising client data.
Reprinted with permission from the March 24, 2025 issue of The Legal Intelligencer. © 2025 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.