
Credential Stuffing, Attorney-Client Privilege, and the Password Habits That Expose Confidential Case Documents
For Salt Lake City law firms, a data breach is not just an IT problem — it is a professional liability problem. Attorney-client privilege extends to every digital communication, every document stored in Clio or NetDocuments, and every email your attorneys and staff exchange with clients. When a single compromised password unlocks a thread of confidential case documents, your firm does not just face a cleanup bill — it faces questions about malpractice, bar association discipline, and irreparable damage to client trust. Yet many law firms still rely on the same passwords across multiple platforms, making them prime targets for one of the most common and effective cyberattacks in use today: credential stuffing.
What Is Credential Stuffing — and Why Law Firms Are a Target
Credential stuffing is an automated attack in which cybercriminals take username-and-password combinations stolen from one breach and try them against hundreds of other websites and platforms. The attack works because of a simple human habit: password reuse. A recent Cybernews study analyzing 19 billion exposed passwords found that 94% of them were reused or recycled across multiple accounts. That is not a fringe problem — it is the norm.
For law firms, the stakes are especially high. Your attorneys and staff access practice management platforms like Clio or MyCase, document repositories in NetDocuments or iManage, research databases like Westlaw and LexisNexis, and billing systems like TimeSolv — all from the same devices and often with the same passwords. When one of those passwords is exposed in a breach at an unrelated service, attackers can use it to walk straight into your most sensitive systems.
Think about what lives in those systems: client intake forms, deposition transcripts, settlement agreements, financial disclosures, and privileged attorney communications. One credential stuffing attack on your firm's Clio account could expose everything a client entrusted to you — and every attorney in your firm shares that professional exposure.
The 'Master Key' Problem in Legal Practice
Password reuse turns a single breach into a master key. If your firm administrator uses the same password for their email, their NetDocuments login, and their personal streaming service, a breach at the streaming service hands attackers the key to your entire document management environment. Attackers do not need to hack your firm directly — they just need to find a reused password from anywhere in a person's digital life.
This is especially dangerous for law firms because your most valuable data — confidential case documents, client contracts, and privileged communications — is often stored in cloud platforms that are accessible from anywhere with the right credentials. That accessibility is exactly what credential stuffing exploits.
Solo attorneys and small firms often assume they are too small to be targeted. That assumption is wrong. Automated credential stuffing tools do not discriminate by firm size — they run thousands of login attempts per minute across any accessible platform. If your Clio or PracticePanther login is exposed, it will be tested.
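The login pattern described above (one source testing many different accounts once or twice each, which is how replayed stolen username/password pairs look in an authentication log, as opposed to brute force against a single account) can be flagged from a platform's sign-in export. The script below is an added example, not code from the original post or from Qualit; the log format, IP addresses (RFC 5737 test ranges) and domain are constructed, and the thresholds are assumptions to tune per platform.

```python
# Flag credential-stuffing patterns in auth logs: one source trying many
# different accounts a couple of times each (the attacker already holds the
# passwords), unlike brute force, which hammers one account many times.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic); RFC 5737 test IPs, placeholder domain.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.7 user=jdoe@example-firm.test result=FAIL
2024-05-01T09:00:02Z src=203.0.113.7 user=asmith@example-firm.test result=FAIL
2024-05-01T09:00:02Z src=203.0.113.7 user=mlee@example-firm.test result=FAIL
2024-05-01T09:00:03Z src=203.0.113.7 user=rpatel@example-firm.test result=SUCCESS
2024-05-01T09:00:04Z src=203.0.113.7 user=kchen@example-firm.test result=FAIL
2024-05-01T09:10:00Z src=198.51.100.4 user=jdoe@example-firm.test result=FAIL
2024-05-01T09:10:30Z src=198.51.100.4 user=jdoe@example-firm.test result=FAIL
2024-05-01T09:11:00Z src=198.51.100.4 user=jdoe@example-firm.test result=SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse_log(text):
    """Yield (timestamp, source, user, succeeded); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m[2], m[3], m[4] == "SUCCESS"

def detect_stuffing(text, window=timedelta(minutes=5), min_users=5, max_per_user=2.0):
    """Return {source: {"users": n, "hits": [...]}} for every source that tried
    >= min_users distinct accounts inside one window while averaging
    <= max_per_user attempts per account (thresholds are assumed values).
    'hits' are accounts whose credentials worked and need an immediate reset."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse_log(text):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - start <= window]  # sliding window
            users = {u for _, u, _ in span}
            if len(users) >= min_users and len(span) / len(users) <= max_per_user:
                hits = sorted({u for _, u, ok in span if ok})
                flagged[src] = {"users": len(users), "hits": hits}
                break
    return flagged

if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['users']} accounts tried; working credentials: {info['hits']}")
```

On the constructed log, 203.0.113.7 is flagged (five accounts in four seconds, one of which succeeded), while 198.51.100.4 repeatedly targeting a single account is left for a separate brute-force rule.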
Fix #1: Password Managers — Your Firm's First Line of Defense
The most effective way to stop credential stuffing is to eliminate password reuse entirely. That means using a unique, complex password for every account — and the only practical way to do that is with a password manager.
Tools like 1Password, Bitwarden, and Dashlane generate and store unique passwords for every platform your team uses. Your attorneys and staff only need to remember one strong master password — the password manager handles the rest. When every Clio login, every NetDocuments account, and every Westlaw credential is unique, a breach at one service cannot cascade into your entire firm.
For law firms, password managers also support compliance. Bar association cybersecurity guidance increasingly references password hygiene as part of a firm's duty of competence under Rule 1.1. Having a firm-wide password management policy is not just good security — it demonstrates professional diligence.
Fix #2: Multi-Factor Authentication on Every Legal Platform
Password managers reduce the risk of credential stuffing, but no password is perfectly safe. Multi-factor authentication (MFA) adds a second layer of verification — typically a time-sensitive code from an app like Google Authenticator or Microsoft Authenticator — so that even a stolen password cannot unlock an account without physical access to your attorney's or staff member's device.
MFA should be enabled on every platform your firm uses: Clio, MyCase, PracticePanther, NetDocuments, iManage, SharePoint, email accounts, and any remote access tools. This is especially important for platforms that store privileged client communications or case documents, where unauthorized access carries both legal and ethical consequences.
Several state bar associations have issued guidance recommending or requiring MFA for law firm systems handling client data. Qualit helps Salt Lake City law firms configure and enforce MFA across all platforms — including step-by-step setup for legal software that may not have obvious MFA settings.
Fix #3: Monitor for Credential Exposure
Your firm may already have compromised credentials circulating on the dark web without knowing it. Proactive credential monitoring scans dark web marketplaces, breach databases, and hacker forums for your firm's email addresses and associated passwords. When a match is found, your team can respond immediately — changing passwords and locking down accounts before attackers use them.
This is not a one-time check. New breach data surfaces constantly, and the window between a credential being exposed and an attacker attempting to use it can be measured in hours. Ongoing monitoring is the only way to stay ahead of the threat.
What Your Law Firm Should Do This Month
- Audit password practices across your legal team — are attorneys and staff reusing passwords?
- Deploy a password manager (1Password, Bitwarden, or Dashlane) firm-wide and enforce unique passwords for all legal platforms
- Enable MFA on Clio, NetDocuments, iManage, Westlaw, LexisNexis, and all email accounts
- Run a dark web credential check on your firm's domain
- Brief your attorneys and staff on credential stuffing — explain how one reused password becomes a master key
The Professional Obligation to Protect Client Credentials
Bar associations across the country are strengthening their cybersecurity guidance, and Utah is no exception. The duty of competence under Rule 1.1 now includes the obligation to understand and manage technology risks — including the risk of unauthorized access to client data through poor password practices. A credential stuffing breach that exposes client files is not just a security incident — it is a potential ethics violation.
Your firm's reputation is built on client trust. Protecting that trust means protecting the credentials that guard your clients' most sensitive information. The good news is that password managers and MFA are low-cost, high-impact measures that every firm can implement quickly.
Qualit works with Salt Lake City law firms to protect client confidentiality and meet bar association IT requirements. Schedule a free discovery call to see where your firm's password security stands today.
Frequently Asked Questions
Q: Does the Utah State Bar have specific requirements for law firm password security?
The Utah State Bar, like most state bars, grounds cybersecurity guidance in the duty of competence (Rule 1.1) and the duty to protect confidential information (Rule 1.6). Bar ethics opinions across the country have increasingly stated that attorneys must take reasonable measures to protect electronic client data — and courts and disciplinary bodies have cited weak authentication practices in malpractice and discipline cases. While specific technical mandates vary, using MFA and password managers is widely recognized as a baseline reasonable measure.
Q: Does attorney-client privilege protect data stored in Clio or NetDocuments?
Attorney-client privilege protects the confidentiality of privileged communications and work product, but it does not automatically secure the technology holding that data. Privilege can be waived if a firm fails to take reasonable precautions to maintain confidentiality — including digital security. Storing privileged client documents in cloud platforms like Clio or NetDocuments is appropriate as long as reasonable security measures (strong authentication, encryption, access controls) are in place. Weak passwords or no MFA could be argued as a failure to take those reasonable precautions.
Q: What happens if our firm's Clio or practice management account is compromised?
A breach of your practice management platform is a serious incident requiring immediate action. You should change all credentials, notify your malpractice insurer, assess what client data was accessible, consult with your bar association about notification obligations, and engage a cybersecurity firm to conduct a forensic investigation. Many state bar rules require prompt notification to clients when their confidential information is compromised. Having an incident response plan in place before a breach occurs — including who to call and what steps to take — is strongly recommended.

