Data Security for Law Firms: Protecting Client Files Under KVKK

Digital protection of law firm client files and KVKK compliance. Xen Bilişim.

A lawyer’s duty to keep what a client tells them confidential does not end when the case closes. In Türkiye, Article 36 of the Attorney Act (Avukatlık Kanunu) makes that duty lifelong — it holds even after the engagement is over. The difference today is that the secret no longer sits in a filing cabinet. It lives on a file server, in a mailbox and, most of the time, in a cloud drive. So when client files are encrypted and exfiltrated in a ransomware attack, the firm hasn’t only breached KVKK, Türkiye’s personal data protection law. It has broken the profession’s most basic obligation.

That double exposure is what sets law firms apart from other small businesses. For most companies a data breach means an administrative fine and reputational damage. For a law firm, add the disclosure of professional secrets — and, under Article 239 of the Turkish Penal Code, the risk of criminal liability.

Why are law firms a priority target?

Attackers pick targets by the value of the data, and on that measure law firms are high-yield despite their small teams. A single server can hold active criminal files, M&A agreements, trade secrets, and sensitive details from divorce and inheritance matters all at once.

In double-extortion ransomware, where data is exfiltrated before it is encrypted, the threat to publish that content makes the pressure to pay far stronger than in classic encryption-only attacks. The client entrusted their secret to the firm; breaking that trust through a technical weakness leaves a reputational wound that outlasts any financial cost.

There is also the matter of scale. A firm of three to five rarely has a full-time IT lead. Systems run on the defaults left over from setup, backups are irregular, and mailboxes are protected by a password alone. Attackers know this pattern well.

A VERBİS exemption is not a KVKK exemption

One common misreading needs correcting. By decision of the Personal Data Protection Board (decision 2018/32), lawyers are exempt from registering with VERBİS, the data controllers' registry. That exemption is frequently misread as "lawyers are exempt from KVKK."

The reality is narrower. The exemption removes only the registration step. KVKK’s substantive duties stay in place:

Obligation | What it means for a law firm
Data security (Art. 12) | Apply the technical and administrative measures needed to protect client data against unauthorized access, loss and alteration
Transparency (Art. 10) | Inform clients of the purpose for which their data is processed, to whom it may be transferred and what rights they have
Breach notification (Art. 12(5)) | Notify the Board within 72 hours of learning of a breach, and inform the affected data subjects
Retention and disposal (Art. 7) | Delete, destroy or anonymize data under a retention policy once the purpose of processing ends

So the duty to apply technical safeguards arises from two sources at once for a lawyer: KVKK Art. 12 and Attorney Act Art. 36. Both point the same way — protecting client data is now a digital discipline, not a physical one.

Minimum technical controls in a firm

Protecting client files isn’t about one expensive product. It comes from a few layered fundamentals. For a firm of three to thirty users, the core sits in these areas:

  1. Email security and multi-factor authentication (MFA). Most attacks start with a stolen password or a phishing email. MFA on every account, a phishing filter and sender spoofing protection (SPF, DKIM and DMARC, with the DMARC policy actually enforced rather than left at p=none) are the first line.
  2. Immutable backup. In a ransomware scenario, the only way to walk away from the negotiating table is a clean backup the attacker cannot delete or encrypt. The 3-2-1 principle (three copies, two media, one off-site) with at least one offline or immutable copy is essential.
  3. Access authorization. Limiting each lawyer and clerk to the files they work on contains the scope of a leak. An "everyone can reach everything" setup turns a single compromised account into a breach of the whole firm.
  4. Endpoint protection and patch management. An unpatched server or Windows client is an open door through known vulnerabilities. Central patching plus an EDR/MDR layer closes it.
  5. Securing UYAP and e-signature access. UYAP is Türkiye's national judicial IT system; if the device or e-signature token used for filings under a lawyer's identity is compromised, the harm lands directly on the client.

These five are a starting point, independent of firm size — not a luxury, but the technical form of a professional duty.
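As an added example (not part of the original page and not Xen Bilişim's tooling), the script below scores the SPF and DMARC side of item 1 the way an assessment would: it checks the `all` qualifier and the DNS-lookup count in the SPF record, and the `p`, `sp`, `pct` and `rua` tags in the DMARC record. DKIM is left out because it cannot be judged from the domain name alone without knowing the selector. The three firm domains and their TXT answers are constructed in-line so the script runs offline; for a live check, pass a real resolver function in place of `SAMPLE_TXT.get`.

```python
"""Assess SPF and DMARC policy strength from a domain's DNS TXT records.

Added example for this page, not Xen Bilişim's own tooling. The DNS answers
are constructed in-line so the script runs offline; a real check would
resolve TXT for "<domain>" and "_dmarc.<domain>" instead.
"""
import re

# Constructed sample DNS answers (DNS name -> TXT strings). The three domains
# are hypothetical firms, not real lookups.
SAMPLE_TXT = {
    "weak-firm.example": ["v=spf1 include:spf.protection.outlook.com +all"],
    "_dmarc.weak-firm.example": [],
    "soft-firm.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.soft-firm.example": ["v=DMARC1; p=none; rua=mailto:dmarc@soft-firm.example"],
    "hardened-firm.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.hardened-firm.example": [
        "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hardened-firm.example"
    ],
}

# SPF terms that each cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)
ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.I)


def assess_spf(txt_records):
    """Return (severity, message) findings for a domain's SPF record."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "SPF: no record, so receivers cannot reject forged envelope senders")]
    if len(spf) > 1:
        return [("high", "SPF: more than one record is a permerror; receivers ignore SPF")]
    terms = spf[0].split()[1:]
    findings = []
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(("high", f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror)"))
    qualifier = None
    for t in terms:
        m = ALL_TERM.match(t)
        if m:
            qualifier = m.group(1) or "+"  # an unqualified mechanism defaults to "+"
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if qualifier is None and not has_redirect:
        findings.append(("high", "SPF: no 'all' mechanism, so the result defaults to neutral"))
    elif qualifier in ("+", "?"):
        findings.append(("high", f"SPF: '{qualifier}all' lets any host send as this domain; use '-all'"))
    elif qualifier == "~":
        findings.append(("medium", "SPF: '~all' softfail alone rarely causes rejection; pair it with DMARC p=reject or use '-all'"))
    return findings


def assess_dmarc(txt_records):
    """Return (severity, message) findings for the _dmarc.<domain> record."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [("high", "DMARC: no record, so SPF/DKIM results are never enforced on the From: header")]
    if len(dmarc) > 1:
        return [("high", "DMARC: more than one record; receivers ignore DMARC")]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return [("high", "DMARC: missing or invalid 'p' tag; the record is unusable")]
    findings = []
    if policy == "none":
        findings.append(("high", "DMARC: p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("low", "DMARC: p=quarantine sends spoofed mail to spam; p=reject is the end goal"))
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append(("medium", "DMARC: sp=none leaves subdomains unprotected"))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(("medium", f"DMARC: pct={pct} applies the policy to only part of the mail stream"))
    if "rua" not in tags:
        findings.append(("low", "DMARC: no rua= address, so nobody sees who is sending as this domain"))
    return findings


def assess_domain(domain, resolve=SAMPLE_TXT.get):
    """Combine SPF and DMARC findings; resolve(name) returns TXT strings for a DNS name."""
    return assess_spf(resolve(domain) or []) + assess_dmarc(resolve(f"_dmarc.{domain}") or [])


def grade(findings):
    """FAIL on any high finding, WARN on medium, PASS otherwise."""
    severities = {severity for severity, _ in findings}
    if "high" in severities:
        return "FAIL"
    if "medium" in severities:
        return "WARN"
    return "PASS"


if __name__ == "__main__":
    for name in ("weak-firm.example", "soft-firm.example", "hardened-firm.example"):
        results = assess_domain(name)
        print(f"{name}: {grade(results)}")
        for severity, message in results:
            print(f"  [{severity}] {message}")
```

In the constructed data only `hardened-firm.example` passes; the "soft" firm fails not because of its `~all` but because `p=none` means no receiver ever acts on a failed check, which is the state most small firms are actually in after a default mail setup.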

A checklist for an institutional assessment

Asking the questions one by one makes the picture clear:

  • Is MFA enabled on every email account, or is it password-only?
  • When was the last clean backup of the file server taken, and has a restore from it been tested?
  • Is at least one backup copy offline or immutable?
  • Do intern and clerk accounts reach every active file?
  • Were security patches on servers and clients applied within the last 30 days?
  • Is there a written process for the 72-hour notification in case of a breach?

Firms that want a clear picture against these criteria can request a 30-minute assessment call via the contact form.

Xen Bilişim scope of service

Our data security work for law firms isn’t the sale of a single product — it’s building an IT posture that fits the duty of professional confidentiality:

Scope | Content
Assessment | Review of the existing backup, email and access structure against KVKK Art. 12 and professional confidentiality
Email and identity security | MFA, phishing filter, SPF/DKIM/DMARC setup
Backup architecture | 3-2-1 and immutable backup design, restore testing
Endpoint and server protection | EDR/MDR, central patch management, server hardening
Access management | File-level authorization, least-privilege principle
KVKK compliance support | Transparency notice, retention-disposal policy, breach response flow consulting
Ongoing operation | Monitoring, updates and user awareness training

A framework by firm size

Firm size | Recommended structure | Note
1-5 users | Cloud email + MFA, immutable backup, endpoint protection | Basic protection without a server; low operating cost
6-20 users | The above plus central patching, access authorization, MDR | File separation across multiple lawyers becomes critical
20+ users | Fully managed IT, log retention, breach response plan, annual audit | Multiple locations and intern rotation require structural management

Frequently asked questions

Aren’t lawyers exempt from KVKK? No. The exemption is limited to VERBİS registration only. Data security, transparency, retention-disposal and breach notification duties apply to every firm.

Is all this really necessary for a small firm? Attackers look at the weakness of the defense, not the size of the firm. A three-person practice is often the easier target precisely because of weak backups and password-only access.

We have backups, isn't that enough? Having a backup isn't enough; it must be immutable and its restore must be tested. Backups reachable from the production network with the same credentials are among an attacker's first targets, precisely because deleting them is what forces the victim to pay.

What happens if we suffer a breach? A breach involving personal data requires notifying the Board within 72 hours. On top of that, a separate assessment applies for professional confidentiality, which is why having a written response flow ready in advance matters.

Is a one-time setup possible? It is, but security is a maintained state, not a one-time install. Without regular patch and backup testing, protection erodes within months.

Contact

For a law firm data security assessment or a call:

Channel | Details
Phone | 0850 259 5949 (Weekdays 09:00-18:00)
Email | [email protected]
Form | Request an institutional assessment
WhatsApp | +90 850 259 5949

Technical assessment calls are free; sharing preliminary information requires no commitment.
