A lawyer’s phone is a filing cabinet of privileged material that happens to fit in a pocket and ride around on networks the lawyer doesn’t control. It holds privileged communications with clients, work product that reveals case strategy, and personal data that clients handed over on the assumption it would be protected. For a long time, securing all of that was treated as an optional technical nicety. It isn’t anymore. It’s part of the job, and increasingly part of the rules.
This is now an ethical duty, not just good practice
Over the past decade the legal profession has formally caught up to the reality that competent representation includes competent handling of technology. The American Bar Association amended its guidance to make clear that a lawyer’s duty of competence includes keeping abreast of the benefits and risks associated with relevant technology, and the large majority of states have since adopted some version of that duty of technological competence. Alongside it, the duty of confidentiality has been read to require lawyers to make reasonable efforts to prevent the unauthorized disclosure of client information.
Put plainly, a lawyer who doesn’t understand how their own devices can leak client data is no longer just behind the times. They may be falling short of an ethical obligation. The standard is reasonableness, not perfection, but reasonableness now clearly includes thinking about the phone in your pocket, because that’s where a great deal of privileged communication actually happens.
What’s actually at stake
The consequences of getting this wrong are not abstract. A privileged communication that ends up in the wrong hands can, in some circumstances, be argued to have waived the privilege that protected it, handing an opponent both the material and an argument that you failed to keep it confidential. A breach of a firm’s devices can expose litigation strategy, merger terms, or a client’s most sensitive personal information. Beyond the harm to the client, the lawyer faces potential malpractice exposure, bar complaints, and the kind of reputational damage that quietly ends practices. Client data is a trust, and a phone is one of the easiest places to break it.
Who is trying to get in
Lawyers face a threat model wider than most realize. Opposing parties in high-stakes litigation, and the private investigators they sometimes retain, have real incentives to learn your strategy. Cybercriminals have figured out that law firms are target-rich and often under-defended, holding concentrated secrets about deals and disputes, which is why firms have become a favored target for ransomware and data theft. Lawyers in certain practices, from international trade to national security to representing dissidents, can find themselves in the sights of well-resourced state actors. And underneath all of that sits the most common threat of all: a phone simply lost or stolen, with a complete copy of a caseload sitting behind a weak lock.
Where lawyers actually get caught out
In practice, the failures tend to be mundane rather than exotic. The most common is the cloud backup that quietly uploads privileged material to a provider that holds the keys, where it can be exposed in a breach or reached by legal process the client never anticipated. Close behind is the blurring of personal and professional life on a single device, so client communications mingle with everything else and inherit every weakness of the lawyer’s personal habits. Many lawyers still discuss sensitive matters over consumer messaging apps that weren’t built to protect them, or hop onto the open wifi at a courthouse or hotel without a second thought, exposing their traffic to anyone on the same network. And a surprising number of privileged documents go out with revealing metadata still embedded, quietly carrying edit history and author information to the other side.
The practices that protect privilege
Defending against all of this is less about exotic tools than about a handful of consistent habits. Start with the device itself: full-disk encryption, which is standard on modern phones but only as strong as the passcode protecting it, and a strong passcode rather than a four-digit afterthought. Move client communications onto an end-to-end encrypted messenger so the contents are protected in transit and the provider can’t read them, and keep a clear line between your professional communications and your personal ones.
Get deliberate about the cloud. The convenience of automatic backup is real, but privileged material should not be sitting on servers where someone else holds the keys. Either keep backups local and encrypted, or encrypt them yourself before they leave the device. On any network you don’t control, and that includes the courthouse and the hotel, use a reputable no-logs VPN so the local network can’t watch your traffic. Scrub metadata from documents before they go out. And have an honest incident plan, because the difference between a manageable problem and a catastrophe is often whether you knew what to do in the first hour.
Where a hardened phone helps
A hardened, de-Googled phone like SovereignOS gives a lawyer a much stronger starting point. Because it strips out the constant background reporting that stock phones do, far less of your activity is being silently logged by third parties whose records could later be breached or subpoenaed. Because USB data is disabled by default, a lost or seized phone is a poorer target for the forensic tools that plug into it. Because the device is encrypted behind a dedicated secure chip with a locked bootloader, a powered-off phone is a hard target rather than a soft one, which matters the moment a device goes missing.
There’s also a structural advantage that fits the confidentiality duty well. SovereignOS doesn’t route your communications through our infrastructure, and there’s no account binding the device back to us, which means there’s no vendor sitting in the middle holding metadata about your privileged work that a third party could come asking for. You control the device, you control the backups, and you hold the keys. For a professional whose entire obligation is to protect what clients tell them, removing extra parties from the chain is exactly the right instinct.
Be honest about what technology can and can’t do
Privilege is a legal doctrine, not a software feature, and no phone enforces it for you. Technology supports careful practice. It does not replace it. A perfectly secured phone won’t help if you discuss a matter loudly in a crowded elevator, copy a client into a careless email, or hand a device to opposing counsel during discovery without thinking through what’s on it. There are also situations where you can be legally compelled to produce or unlock a device, and no hardware changes that. The goal of good phone security is to make the accidental disclosures far less likely and the malicious ones far harder, so the protection you promise your clients is backed by something more than hope.
A baseline for a careful practice
If you want a defensible starting point, it looks like this. Carry a hardened, de-Googled phone so the device isn’t leaking by default. Encrypt it, lock it with a strong passcode, and prefer that passcode over biometrics in any situation where you might be compelled. Move client communication to an encrypted messenger and keep it separate from your personal life. Keep backups under your control and encrypted, never on a service that holds the keys to your privileged material. Use a VPN on every network you don’t own. Scrub document metadata as a habit. And treat your phone with the same care you’d give a banker’s box full of client files, because that is exactly what it is.
Related reading
- What “End-to-End Encrypted” Really Means
- How to Back Up Your Phone Without Trusting the Cloud
- Metadata: What Your Phone Leaks Even When Your Messages Are Encrypted
- Executive Phone Security: Why the C-Suite Is the Target
- The Lawyer’s Secure Communication Playbook
SovereignOS is a hardened, de-Googled phone, set up the way we would build one we had to rely on ourselves. One-time price, no subscription, no account required.
See SovereignOSRecent Comments
Post Widget
Should You Trust Signal?
Social Media Widget
Customer service
Real people, ready to help. Reach our team anytime at hello@spicycorp.com.
Fast Free Shipping
Get free shipping on orders of $150 or more (within the US)
Returns & Exchanges
We offer free returns and exchanges within 30 days of purchase.