¾«Æ·¹ú²ú×ÔÏßÎçÒ¹¸£Àû

Mobile misadventures

Mobile’ legal professionals are exposed to a distinct set of cybersecurity vulnerabilities. Unlike traditional law offices, mobile practitioners often lack consistent access to secure networks, firewalls, and dedicated IT oversight. Bill Holohan SC logs on

Since the early 1990s, legal professionals have increasingly embraced mobility in their work. For over three decades, I have practised primarily in Dublin while residing in Cork, and operating across nearly every county in Ireland.

Since establishing my own firm in 1998, a sustained investment in mobile technologies allowed me to work seamlessly across remote locations.

Notably, in 2004 (at time when I still had hair, and it was red), I was featured in a Vodafone advertisement, illustrating what was then considered as the cutting edge and innovative application of mobile technology – conducting legal work while travelling in a taxi. (Note: no ‘appearance fee’ was paid – just a donation to the Children’s Hospital in Dublin.)

This example of early adoption highlights both the immense benefits and the critical risks associated with mobile lawyering.

Mobile legal professionals are exposed to a distinct set of cybersecurity vulnerabilities, including phishing schemes, compromised public Wi-Fi networks, ‘man-in-the-middle’ attacks (including diversion-of-funds transfers), ransomware, and other advanced digital threats.

Unlike traditional law offices, which can benefit from robust IT infrastructure (where it exists), mobile practitioners often lack consistent access to secure networks, firewalls, and dedicated IT oversight.

Smaller screens and multi-tasking further compound the risks, making it more difficult to detect malicious links or spoofed sender details.

However, these risks are not insurmountable. Legal professionals can safeguard their data through strategic use of encryption, secure communication protocols, application vetting, and regular cybersecurity training.

Persistent vulnerabilities

In 1998, the notion of a ‘mobile solicitor’ was virtually unknown. To avoid having to drag filing cabinets up and down from Cork to Dublin, I had to import technologies such as digital dictation from the USA, and remote access was constrained by dial-up internet.

The widespread shift to remote work accelerated significantly during the COVID-19 pandemic, when many firms discovered that productivity remained stable, despite physical distance from traditional office spaces.

Post-pandemic, a hybrid or fully mobile work model has become the norm for many solicitors. Legal professionals now draft documents, respond to urgent communications, and attend virtual court hearings from homes, holiday rentals, taxis, airports, and more (often using unsecured networks).

This transformation has permanently altered the landscape of legal practice in Ireland and beyond. Many legal professionals have not returned to physical offices.

In fact, entire practices now operate remotely, with in-person meetings becoming infrequent exceptions. This paradigm shift is expected to endure.

Convenience v risk

As mobile work increases, so does reliance on smartphones, tablets, and laptops. This convenience comes at a price.

Mobile solicitors frequently work outside of controlled environments and handle sensitive information on devices that are constantly exposed to cyberthreats.

Unlike centralised systems in larger firms, personal mobile devices often lack enterprise-level cybersecurity safeguards.

These devices – carrying confidential client communications, legal strategies, evidence, and access credentials – are effectively briefcases left ajar in the digital world.

Solo practitioners and small firms, which may lack dedicated IT departments or comprehensive cybersecurity protocols, face significantly higher exposure.

Public networks, outdated software, and the informal use of personal devices for professional tasks multiply risk factors.

Recent data from the Cisco Cyber Threat Trends Report and Kaspersky Security Insights underscore the scale of the threat:

• Over 4 million social engineering attacks targeted mobile users,
• iOS devices saw twice as many phishing incidents as Android devices,
• 427,000 malicious apps were discovered on enterprise devices,
• 1.6 million apps with known vulnerabilities were detected,
• 33.3 million malicious or unwanted mobile software threats were blocked, and
• 1.1 million installation packages were deemed malicious or suspicious, including nearly 69,000 linked to banking trojans.

Although these numbers only reflect attacks detected by Cisco and Kaspersky systems, they represent a serious indication of widespread vulnerabilities.

Given their professional obligations under the Guide to Professional Conduct, solicitors must proactively mitigate cybersecurity risks associated with mobile lawyering.

As the guide puts it: “The principal or partners of a firm should use reasonable endeavours to prevent a breach of security and confidentiality. All solicitors have a duty to ensure adherence to GDPR requirements. Solicitors should ensure a level of security appropriate to risks within their practice. It is recommended that firm owners should ensure an appropriate level of security, both physical and cyber, to mitigate the risks of loss to clients’ monies and assets.”

Core threats facing mobile solicitors include:

• Insecure public networks: mobile solicitors often rely on Wi-Fi at cafés, hotels, airports, and courthouses. These networks are frequently unencrypted and susceptible to data interception. Cybercriminals may set up rogue access points – networks with names like ‘FreeHotelWiFi’ – to lure users into connecting and unknowingly transmitting sensitive information.
• Device loss or theft: physical devices can be stolen or misplaced, especially while traveling. (Indeed, in February last, I suffered the theft of a mobile phone myself.) Without encryption or strong access controls, unauthorised access can lead to the exposure of sensitive emails, documents, and login credentials. Traditional offices benefit from physical security measures rarely available to mobile professionals.
• Multi-app usage without vetting: using a wide variety of apps (for example, messaging, file-sharing, time tracking, document editing) opens new vulnerabilities. Unvetted apps may lack encryption, store data in non-compliant jurisdictions, or leak information through permissions and metadata.
• Email and SMS exploits: mobile screens and fast-paced communication habits make it easier for attackers to succeed with phishing and smishing (SMS phishing). A solicitor may click a link or respond to an urgentsounding message without verifying its authenticity, exposing accounts or installing malware.
• Device sharing and personal use: using one device for both personal and professional tasks can lead to accidental data exposure. Apps installed for personal reasons may access storage that contains client files. Family members may also inadvertently compromise the device if it is not properly secured.
• Lack of back-ups and response plans: many mobile devices are not regularly backed up. In the event of ransomware, device loss, or corruption, solicitors may be unable to recover critical data. Without clear incident-response procedures, detection and containment may be delayed, worsening the breach.
• Jurisdictional compliance risks: solicitors operating across borders, such as a Newry-resident Irish solicitor working in Dublin, must be cautious about data jurisdiction. Storing client data on servers outside the EU, including in the UK, may contravene GDPR or professional-conduct standards.

Real-world consequences

Security failures are not theoretical. In 2021, the Health Service Executive suffered a ransomware attack that shut down national-health IT systems.

In the US, the American Bar Association reported that, in 2022, a mid-sized Chicago law firm was paralysed by a ransomware attack, while a California sole practitioner faced disciplinary action after client data was exposed via compromised email.

The consequences for solicitors may thus include:

• Breach of solicitor-client privilege,
• LSRA or Data Protection Commissioner complaints and investigations, with associated penalties and fines,
• Civil liability, and
• Reputational damage and client loss.

What is to be done?

Best practices for cybersecurity in a mobile legal environment include:

• Use VPNs – secure traffic on public or unknown networks with a firmapproved virtual private network (VPN),
• Enable full-disk encryption – use tools such as FileVault (Apple) or BitLocker (Windows) and enforce biometric security features,
• Implement multifactor authentication (MFA) – add a second layer of access control through time-based codes or biometrics,
• Keep software updated – enable automatic updates and maintain an inventory of devices,
• Choose secure legal tech – use platforms certified under ISO 27001 or SOC 2 with encryption and audit capabilities,
• Adopt ‘MDM solutions’ – mobile devicemanagement software allows firms to enforce policies, monitor usage, and remotely wipe lost or stolen devices,
• Train continuously – all legal staff should undergo regular cybersecurity training tailored to mobile threats (the Law Society provides significant valuable advice and resources in this regard: ),
• Apply zero-trust principles – assume no device or user is inherently trustworthy and continuously verify access and segment networks to limit breaches, and
• Regularly back up data and define response plans – ensure secure, cloud-based back-ups and develop clear protocols for responding to breaches.

The age of mobile practice

Mobile lawyering is no longer a fringe activity: it is a central feature of 21st century legal practice. The convenience it offers is matched by the responsibility to safeguard sensitive data in the absence of traditional-firm infrastructure.

By adopting robust cybersecurity protocols and integrating them into daily routines, mobile solicitors can meet their ethical obligations, protect client interests, and continue to thrive in a digital-first professional environment.

Bill Holohan SC is the senior partner of Holohan Lane LLP Solicitors, is a member of the Guidance and Ethics Committee, and a member of the Curriculum Development Unit.  

FOCAL POINT

There’s an app for that

‘FileVault’ is Apple’s full-disk encryption technology that secures the data on your Mac’s startup disk. It encrypts the entire disk, requiring a password or recovery key to access the data, including during startup. FileVault enhances data protection, especially on devices with Apple silicon or the T2 chip, by leveraging hardware security features.

‘BitLocker’ is a full-volume encryption feature built into Windows operating systems, designed to protect data by encrypting the entire drive. This helps prevent unauthorised access to sensitive information if a device is lost, stolen, or inappropriately decommissioned. It’s a security feature that encrypts your drive and requires authentication to unlock it.

ISO 27001 is the leading international standard for information-security management systems (ISMS). It provides a framework for organisations to establish, implement, maintain, and continually improve their ISMS. This standard helps organisations manage the security of their information assets and ensure the confidentiality, integrity, and availability of their data.

SOC 2, which stands for System and Organisation Controls 2, is a security framework developed by the AICPA to help service organisations manage and protect customer data. It focuses on how companies handle sensitive data, particularly in the cloud, and ensures they have appropriate security controls in place. SOC 2 compliance is often a requirement for organisations that provide services to other businesses and handle their data.

LOOK IT UP

•  (2024)
• Kaspersky Security Insights, (12 March 2025)
• Law Society Legal Tech Hub: