
What Happens When a Law Firm Accidentally Shares a Client's SSN?

A paralegal misses one Social Security number on page 128 of a demand package. Here's the bar complaint, the malpractice exposure, and the insurer questions that follow — and the process that prevents all three.


You know how it goes. The demand package took three weeks to assemble. It includes medical records from four providers, billing summaries, a lost-wage calculation, and an expert's report on future care costs. Your paralegal reviewed each component as it came in, organized it, and compiled the final package the night before the deadline.

It went to the insurance carrier the next morning, and the case moved forward.

Three weeks later, someone noticed a number on page 128 of the demand package. Your client's Social Security number was sent to the opposing side in a document your firm produced.

What happens next is the part most PI firms haven't thought through.

The bar complaint

ABA Rule 1.6 requires attorneys to make "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." The question a bar investigator asks is not whether your paralegal made a mistake. It is whether your firm had a process that constituted reasonable efforts, and whether you can prove it.

A manual review protocol and a careful paralegal aren't a documented process. They're a hope. And when a bar complaint opens — which can run for months — hope is not a defense.

Most data-related complaints do not end in suspension or disbarment. But the process is expensive, it affects the firm's name in ways that are difficult to undo, and it forces a managing partner to spend time and money defending something that a consistent, documented process would have prevented entirely.

Malpractice exposure and security breaches

A client whose Social Security number was sent to opposing counsel has a legitimate grievance. Depending on what happens with that number, they may have real, documentable damages. Identity theft does not always surface immediately. When it does, and a client can trace it back to a document your firm sent, the malpractice conversation becomes very real.

The ABA's most recent technology survey found that approximately 29% of law firms have experienced a security breach — and that figure reflects only the breaches firms have detected and reported. There are likely plenty more that go undetected or unreported.

The exposure that eventually leads to a malpractice claim is often the one nobody at the firm caught, simply because the client found it first.

The insurer's questions

During renewal, malpractice carriers have begun asking firms directly how they handle outbound document security. It is a newer line of questioning, and most managing partners do not have a ready answer.

"Our paralegals are careful" does not satisfy an underwriter who has seen what "careful" looks like at the tail end of a 300-page medical records review under deadline pressure.

Firms that cannot describe a consistent, documented process are beginning to see that reflected in their premiums. Some are seeing it affect their coverage options. The firms that have a clear answer are in a structurally different position at renewal.

What most firms try, and why it falls short

Most PI firms handle outbound document risk through one of three approaches. None of them is designed to catch what actually goes wrong at volume.

  • Manual review. A paralegal visually scans each document before it leaves the firm, looking for Social Security numbers, medical record numbers, and other identifiers. This is the most common approach in PI firms today, and it works until it doesn't. The error rate is not a function of effort or training — it is a function of page count, time of day, and workload. At the volume a busy PI firm produces, errors are statistically inevitable.
  • Microsoft Purview. Microsoft 365 includes a built-in compliance tool that detects certain types of sensitive information and responds by blocking the send or generating an IT alert. For firms with a dedicated IT team actively managing it, Purview can provide real protection. For the vast majority of PI firms without that infrastructure, the outcome is the same: a paralegal gets a warning, nobody knows how to clear it, an exception gets created, and Purview is eventually disabled by the people it was supposed to protect.
  • Dedicated DLP platforms. Tools like Nightfall, Strac, and Polymer provide genuine AI-powered detection across multiple applications. The caveat is that they are built for organizations with security teams that can manage them full-time: IT integration projects, policy configuration, classifier training, and a dashboard that assumes someone is watching it daily. Most smaller firms don't have an IT department, which makes these tools impractical — and when they are implemented, too many false positives and frustrated attorneys tend to reduce the system to a compliance checkbox within three months.

How DataGuard handles it differently

DataGuard was built for the specific situation that most data security tools were not designed to address: a firm that shares sensitive documents every day but has no one managing security.

It runs within Microsoft 365, so it works where your team already works. There is no separate application to learn, no new login, no change to how paralegals prepare or send documents.

When a file is sent out, DataGuard automatically screens it against your firm's defined policies. The core difference from every other approach is what happens when restricted content is detected.

Traditional tools block the send and generate a ticket. DataGuard removes the SSN — or the diagnosis code, medical record number, and so on — and lets the document go through clean. The paralegal does not get a block message. The attorney does not get a call. The file arrives at the carrier or opposing counsel with the sensitive content removed, and you receive a full record of what was taken out.

Setup takes under five minutes through Microsoft 365. No IT expertise required, no classifiers to configure, no policies to build from scratch. It is designed to be deployed by an office manager on a Tuesday afternoon and left alone thereafter.

A defensible process you can actually use

The paralegal who sent that demand package was not negligent. She reviewed the components. She did the work. The SSN was on page 47 of a billing summary, one piece of a larger assembled document. It went wrong because no one was specifically looking for identifiers across the final package.

That's how manual review works at volume. Things get missed.

A defensible process does things differently. It applies the same standard to every document, at every page count, under every deadline condition — and it produces a record of what it did, not a checklist that an employee initialed. It gives you a timestamped log of every external share, including what was in the document and what was removed before it left the firm.
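To make the redact-and-record approach concrete, here is an added Python example (not DataGuard's code or any vendor's implementation). It assumes the package is available as page-numbered text; the SSN pattern, the plausibility check on SSA-issued ranges, and the keyed audit tag are all assumptions for illustration.

```python
import hmac
import re
from datetime import datetime, timezone

# Constructed sample: a three-page excerpt of an assembled demand package (not real data).
SAMPLE_PACKAGE = {
    1: "Demand for settlement. Carrier claim ref 000-12-3456 (not a person).",
    47: "Billing summary, acct 33-1145. Patient SSN 219-09-9999, balance $4,200.",
    128: "Lost-wage calculation. Payroll verified for SSN 123-45-6789.",
}

# Hypothetical per-firm secret. A keyed tag lets the firm match a log entry to a
# known value without the log itself disclosing the SSN; a bare SHA-256 of a
# 9-digit number would be trivially brute-forced by anyone who reads the log.
AUDIT_KEY = b"firm-audit-key-placeholder"

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area, group, serial):
    """Reject number ranges the SSA never issues, which cuts false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def redact_package(pages, now=None):
    """Scan every page of the assembled package, replace SSNs, and return
    (clean_pages, audit_records). The record never contains the SSN itself."""
    now = now or datetime.now(timezone.utc)
    clean, audit = {}, []
    for page_no, text in sorted(pages.items()):
        def replace(m):
            if not is_plausible_ssn(*m.groups()):
                return m.group(0)  # leave implausible matches untouched
            tag = hmac.new(AUDIT_KEY, m.group(0).encode(), "sha256").hexdigest()[:16]
            audit.append({"ts": now.isoformat(), "page": page_no,
                          "type": "SSN", "value_tag": tag})
            return "[SSN REMOVED]"
        clean[page_no] = SSN_RE.sub(replace, text)
    return clean, audit
```

The audit list is the timestamped record: which page, what category was removed, and a tag the firm can later match to a value, with nothing in the log that would itself be a disclosure.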

That record is what "reasonable efforts" looks like when someone asks. It is what you hand your malpractice carrier at renewal. It is what distinguishes "our process caught it" from "we got lucky this time."

See it run on your firm's actual documents

20 minutes, live. We'll show you exactly what DataGuard removes before a demand package leaves your firm — and the audit record it leaves behind.