The Comforting Myth
Ask a partner how the firm manages access to client files and the answer is usually some version of:
“We disable accounts immediately.”
“Only employees can log in.”
“We trust our people.”
All of these statements can be true—and still insufficient.
They answer a narrow operational question:
Can this person log in today?
They do not answer the governance question:
What was this person allowed to see, and was that access justified?
In regulated professions, governance lives in the second question.
What Disabling an Account Actually Does
Account disablement is necessary. No one is arguing otherwise.
What it does:
Prevents future logins
Cuts off active credentials
Ends ongoing access
What it does not do:
Limit access during employment
Prove least privilege
Explain historical exposure
Demonstrate ethical boundaries
Satisfy auditors or insurers by itself
Disabling an account is an event.
Governance is a system.
Most firms stop at the event.
The Hidden Risk During Employment
The uncomfortable reality is this:
Most confidentiality risk occurs while people are employed—not after they leave.
In many firms:
Attorneys can see matters they are not assigned to
Paralegals retain access long after cases close
Contractors are given broad access “temporarily”
Access accumulates over time and is rarely revoked
This is rarely malicious.
It is operational drift.
Example:
A paralegal who assisted on a contentious divorce five years ago still has access to those files today—not because anyone decided she should, but because no one decided she shouldn’t. The client would be shocked. The partner probably doesn’t know. The risk persists quietly.
Disabling an account at termination does nothing to correct the exposure that already existed.
It simply freezes it in place.
The Question That Exposes the Gap
When challenged—by an auditor, an insurer, or a client—firms are often asked some version of:
“Who had access to this client’s data last year?”
Without governance, the answer sounds like:
“Probably the legal team.”
“Anyone working in that department.”
“We’d have to check the folders.”
These are not defensible answers.
They are assumptions.
Why Trust Is Not a Control
Law firms are built on trust.
That is a strength.
But trust is not a security control.
No regulator, auditor, or court accepts:
“We trusted them”
as evidence of appropriate access.
Controls must be:
Defined
Enforced
Reviewable
Provable
Disabling an account demonstrates intent.
It does not demonstrate control.
Governance Changes the Frame
Governance starts with a different premise:
Access should be intentional, scoped, and temporary—by design.
In a governed environment:
Access is granted by matter, not by convenience
Users only see what they are assigned to
Closed matters automatically lose active access
Access changes are tied to lifecycle events, not memory
Historical access can be demonstrated from records kept at the time, not reconstructed afterwards from folder permissions and memory
In that context, disabling an account becomes the final step—not the primary control.
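The paralegal scenario from the drift example earlier and the governed model described above can be put side by side with a small access ledger. This is an added illustration written for this article, not BeCloud's code or any firm's production system; the user names, matter number and dates are constructed. The ledger is append-only: every assignment, matter closure and account disablement is an event with a date, and current or historical access is derived by replaying those events. The `lifecycle_enforced=False` setting models a plain file share, where closing a matter changes nothing about who can open its folder.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set, Tuple

# Hypothetical users, matter and dates, constructed for this example only.
MATTER = "M-0419 Smith v. Smith"


@dataclass(frozen=True)
class Event:
    when: date
    kind: str                    # assign | unassign | close_matter | reopen_matter | disable_user
    user: Optional[str] = None
    matter: Optional[str] = None


class AccessLedger:
    """Append-only record of access lifecycle events, replayed to answer point-in-time questions."""

    def __init__(self, lifecycle_enforced: bool = True) -> None:
        # False models a file share: closing a matter does not touch folder permissions (drift).
        # True models the governed design: a closed matter has no active access.
        self.lifecycle_enforced = lifecycle_enforced
        self._events = []

    def record(self, when: date, kind: str, user: Optional[str] = None, matter: Optional[str] = None) -> None:
        self._events.append(Event(when, kind, user, matter))

    def access_on(self, as_of: date) -> Set[Tuple[str, str]]:
        """Replay events up to and including as_of; return the active (user, matter) pairs."""
        assigned, closed, disabled = set(), set(), set()
        for ev in sorted(self._events, key=lambda e: e.when):   # stable sort keeps same-day order
            if ev.when > as_of:
                break
            if ev.kind == "assign":
                assigned.add((ev.user, ev.matter))
            elif ev.kind == "unassign":
                assigned.discard((ev.user, ev.matter))
            elif ev.kind == "close_matter":
                closed.add(ev.matter)
            elif ev.kind == "reopen_matter":
                closed.discard(ev.matter)
            elif ev.kind == "disable_user":
                disabled.add(ev.user)
            else:
                raise ValueError(f"unknown event kind {ev.kind!r}")
        return {(u, m) for (u, m) in assigned
                if u not in disabled and not (self.lifecycle_enforced and m in closed)}

    def users_with_access(self, matter: str, as_of: date) -> Set[str]:
        return {u for (u, m) in self.access_on(as_of) if m == matter}

    def users_exposed_between(self, matter: str, start: date, end: date) -> Set[str]:
        """Everyone who could see the matter at any point in [start, end].
        Access only changes on event dates, so checking the state at `start` and
        after every event inside the window is exhaustive."""
        checkpoints = {start} | {e.when for e in self._events if start < e.when <= end}
        exposed = set()
        for day in checkpoints:
            exposed |= self.users_with_access(matter, day)
        return exposed


def build_ledger(lifecycle_enforced: bool) -> AccessLedger:
    """The article's scenario as constructed sample events: a contentious divorce matter,
    a paralegal and partner assigned, a contractor who left and was disabled promptly."""
    ledger = AccessLedger(lifecycle_enforced)
    ledger.record(date(2019, 3, 1), "assign", user="dana.paralegal", matter=MATTER)
    ledger.record(date(2019, 3, 1), "assign", user="lee.partner", matter=MATTER)
    ledger.record(date(2019, 3, 1), "assign", user="temp.contractor", matter=MATTER)
    ledger.record(date(2019, 11, 15), "close_matter", matter=MATTER)
    ledger.record(date(2020, 1, 10), "disable_user", user="temp.contractor")   # disabled "immediately" on exit
    return ledger


def snapshot(lifecycle_enforced: bool, iso_day: str) -> Set[str]:
    """Who can open the matter on a given day?"""
    return build_ledger(lifecycle_enforced).users_with_access(MATTER, date.fromisoformat(iso_day))


def exposure(lifecycle_enforced: bool, iso_start: str, iso_end: str) -> Set[str]:
    """The auditor's question: who had access to this client's data during the window?"""
    return build_ledger(lifecycle_enforced).users_exposed_between(
        MATTER, date.fromisoformat(iso_start), date.fromisoformat(iso_end))


if __name__ == "__main__":
    print("file share, 2024-03-01:", snapshot(False, "2024-03-01"))   # paralegal still in, 5 years after close
    print("governed,   2024-03-01:", snapshot(True, "2024-03-01"))    # nobody: matter is closed
    print("file share, during 2020:", exposure(False, "2020-01-01", "2020-12-31"))
    print("governed,   during 2020:", exposure(True, "2020-01-01", "2020-12-31"))
```

Two things are worth noticing in the output. On the file share, the contractor's account was disabled ten days into 2020 and yet the ledger correctly reports them as exposed to the matter during 2020, because disablement records the end of access, not its absence. And the paralegal can still open a matter that closed in 2019 until someone remembers to remove her, whereas in the governed model the closure event itself ends everyone's active access and the 2024 answer is an empty set with a record to back it up.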
Why This Matters More Than Ever
The legal industry is changing.
Firms are increasingly evaluated not just on legal outcomes, but on:
Confidentiality controls
Operational maturity
Due diligence readiness
Clients ask harder questions.
Insurers scrutinize access models.
Due diligence digs deeper.
Audits expect evidence, not explanations.
Firms that rely on “we disable accounts” discover too late that this answer no longer satisfies anyone outside the firm.
The False Sense of Security
Disabling accounts feels decisive.
It creates closure.
That feeling is dangerous.
It allows firms to believe:
Access was controlled
Exposure was limited
Risk was managed
Without governance, none of those conclusions is supported by evidence; they are assumptions.
The firm may have:
Overexposed sensitive matters
Violated least-privilege principles
Created ethical risk without knowing it
No amount of termination hygiene corrects that retroactively.
The Shift Partners Must Make
The right question is no longer:
“Do we disable accounts when people leave?”
It is:
“Could we defend who had access to a specific client’s data throughout its lifecycle?”
That question reframes everything.
It moves the conversation from IT mechanics to:
Professional responsibility
Ethical walls
Client trust
Institutional risk
And it exposes the gap between access termination and governance.
Where This Is Going
This article is not an argument against IT best practices.
It is an argument that best practices are incomplete without governance.
In the next parts of this series, we will explore:
Why file shares drift without matter-based controls
Why cloud and SaaS platforms don’t automatically fix governance
How identity-based access can increase risk without structure
What practical, enforceable governance actually looks like
For now, the takeaway is simple:
If disabling an account is your primary access control, governance is missing.
And in modern legal practice, that absence carries real consequences.
About the Author
James Phipps is CEO of BeCloud, an advisory firm specializing in governance frameworks for compliance-intensive organizations. BeCloud works with legal, healthcare, and professional services firms to design infrastructure where security and compliance are embedded by design rather than retrofitted after deployment.