Do You Know When Documents Are Leaving Your Law Firm?

Posted in Document Management Software | Last updated on March 20, 2026 by Craig Bayer

In 2016, the law firm Mossack Fonseca was hacked. More than 11.4 million files were copied and exposed to the world — a leak that became known as the Panama Papers. It remains one of the most catastrophic data breaches in the history of the legal profession.

Most law firms assume that if they have passwords and firewalls in place, their documents are protected. But here is a question worth sitting with: would you know if someone inside your firm — a disgruntled associate, a paralegal about to leave, or an account that had been compromised — started downloading thousands of your client documents right now?

If your firm stores files on a Windows file server, SharePoint, or a basic network drive, the honest answer is probably no.

The Blind Spot in Most Document Storage Systems

Most law firms have some form of document storage in place, but very few of those systems are built to tell you when documents are flowing out. Let’s look at what the most common platforms actually offer.

Windows File Server / Network Drive

The traditional Windows file server is still in use at thousands of law firms. It is familiar, inexpensive to maintain, and it works. But from a security visibility standpoint, it has a major gap.

Windows Server does have an auditing feature called File System Auditing that can technically log file access events. But it is not enabled by default, and when it is enabled, it generates so much log data that most firms have no practical way to monitor it. You end up with gigabytes of event logs and no alerts, no thresholds, and no one watching.

In practice, if an employee copies 5,000 client files to a USB drive or personal Dropbox on their last day, a firm running a standard Windows file server will have no idea it happened unless someone goes looking for it after the fact.

SharePoint

SharePoint is a Microsoft product and benefits from integration with the broader Microsoft 365 security ecosystem, which is genuinely more capable than a bare Windows server. Microsoft Purview and the Microsoft 365 Defender suite can be configured to monitor and flag unusual download activity.

However, the word “configured” is doing a lot of work in that sentence. Out of the box, SharePoint does not send you an alert when a user downloads 2,000 documents. Getting that kind of protection requires a meaningful investment in Microsoft security licensing (E3 or E5 tiers), configuration work by someone who knows what they are doing, and ongoing monitoring. Most small and midsize law firms in the 10–150 user range do not have that infrastructure in place.

SharePoint also has a broader adoption challenge in law firms: it was not designed as a legal document management system. Many firms that try to use it as one end up with inconsistent filing, poor metadata, and limited matter-level organization. The security tools it offers assume the documents are organized in a way that supports policy enforcement — which often is not the reality.

Basic Cloud Storage (Dropbox, OneDrive, Google Drive)

Consumer and SMB cloud storage tools like Dropbox and Google Drive are sometimes used by law firms, particularly smaller practices. These platforms do offer some download activity logging in their admin consoles, but the monitoring capabilities are limited, alerts are not set up by default, and they are not purpose-built for the needs of a legal environment.

OneDrive, as part of Microsoft 365, has similar capabilities and caveats to SharePoint above. The tools exist but require configuration and appropriate licensing to function as actual security controls.

Worldox

Worldox is a widely used document management system in the legal market, and it is a legitimate DMS with proper matter-based organization and search. However, Worldox is an on-premises system and does not include a built-in download threshold alerting feature. File access can be logged, but automatic alerts based on download volume are not a native part of the platform.

This is one of several reasons why Optiable has guided hundreds of law firms through a migration from Worldox to NetDocuments over the years. The gap in outbound document visibility is one of the security considerations that comes up in those conversations.

What NetDocuments Does Differently

NetDocuments is a cloud-based document management system built specifically for law firms. One of its native security features is the Download Threshold Alert, and it is turned on by default.

Here is how it works: every repository in NetDocuments has a download threshold configured by the administrator. The default is 2,000 actions per session. A session in NetDocuments is 1.5 hours (or up to 8 hours if your firm uses federated ID / single sign-on).

When any user hits that threshold within a single session, every repository administrator receives an email alert that looks like this:

“Internal user Wayne Jarvis (VAULT-T5C8B9IU) has downloaded more than 2000 documents in a single login session. The login session began at 10/31/2020 11:59:00 AM, and the download threshold was exceeded at 10/31/2020 12:07:47 PM.”

That alert fires automatically. No configuration required beyond deciding what your threshold number should be.

What Counts as a Download?

NetDocuments counts the following actions toward the threshold:

  • Opening a document via the web interface
  • Printing a document via the NetDocuments print option
  • Viewing a PDF or HTML document
  • Launching a document in a client-side application
  • Downloading a document (including the Mass Export utility)
  • Emailing a copy of a document (note: emailing a link does not count)
  • Moving a document to a cabinet in a different repository
  • Opening or downloading a document via WebDAV
  • Syncing a matter or folder with ndSync

Each of these actions counts as one download event, even if the user opens the same document multiple times in the same session.
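The threshold rule described above, written out as an added example over constructed audit records (this is not NetDocuments code or data). The record layout, the action labels, the modelling of a session as a fixed window that starts at login, and the choice to count every listed action as one event are assumptions of this sketch.

```python
from datetime import datetime, timedelta

# Labels invented for this example, one per action the article lists as counted.
COUNTED_ACTIONS = {
    "open_web", "print", "view_pdf_html", "launch_client_app", "download",
    "email_copy", "move_to_other_repository", "webdav", "ndsync",
}
# "email_link" is deliberately absent: emailing a link does not count.


def threshold_alerts(events, threshold=2000, session_length=timedelta(hours=1.5)):
    """Return one alert dict per login session that exceeds the threshold.
    events: (timestamp, user, action) tuples sorted by timestamp. A "login"
    action opens a session, which expires session_length later (assumed model).
    """
    sessions = {}  # user -> {"start", "count", "alerted"}
    alerts = []
    for ts, user, action in events:
        if action == "login":
            sessions[user] = {"start": ts, "count": 0, "alerted": False}
            continue
        s = sessions.get(user)
        if s is None or ts - s["start"] > session_length:
            continue  # no live session recorded for this user
        if action not in COUNTED_ACTIONS:
            continue
        s["count"] += 1
        if s["count"] > threshold and not s["alerted"]:  # alert once per session
            s["alerted"] = True
            alerts.append({"user": user, "session_start": s["start"],
                           "exceeded_at": ts, "count": s["count"]})
    return alerts


def sample_events():
    """Constructed records (not real data): one bulk export, one normal user."""
    t0 = datetime(2020, 10, 31, 11, 59, 0)
    events = [(t0, "user_a", "login"), (t0, "user_b", "login")]
    # user_a: 2,100 downloads, one every 0.25 s
    events += [(t0 + timedelta(seconds=0.25 * i), "user_a", "download") for i in range(1, 2101)]
    # user_b: 40 opens plus 5,000 emailed links, which must not count
    events += [(t0 + timedelta(seconds=i), "user_b", "open_web") for i in range(1, 41)]
    events += [(t0 + timedelta(seconds=i), "user_b", "email_link") for i in range(1, 5001)]
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for a in threshold_alerts(sample_events()):
        print(a["user"], "exceeded at", a["exceeded_at"], "session began", a["session_start"])
```

The same function can be pointed at any access log that can be reduced to (timestamp, user, action) records, which is the piece a file server's raw audit log lacks on its own.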

A Note on ndSync

NetDocuments includes a desktop sync product called ndSync, which allows users to sync specific matters or folders down to their Windows or Mac workstation for offline access. Because ndSync downloads documents, it does count toward the threshold.

If your firm uses ndSync, you will likely receive download threshold alerts for those users. You have two options: raise the threshold for your firm, or set the threshold to 999,999,999, which effectively disables the alert for ndSync users since no one can hit that number in a 1.5-hour session. The threshold can be customized to whatever works for your environment.

Why This Matters for Your Firm

The Panama Papers breach was an external hack. But a significant percentage of data breaches in professional services firms are internal — employees taking client data when they leave, account credentials that have been compromised, or authorized users accessing more than they should.

The download threshold alert does not prevent every threat. But it gives you one critical advantage: you find out quickly. In the NetDocuments example above, the session started at 11:59 AM and the alert fired at 12:07 PM — eight minutes later. That is enough time to act before serious damage is done.

No system can protect what it cannot see. If you are storing client documents in a platform that cannot tell you when documents are flowing out at an abnormal rate, that is a gap worth closing.

How Optiable Can Help

Optiable has completed over 550 NetDocuments implementations for law firms across the United States and Canada. We specialize in firms with 10 to 150 users and have been implementing NetDocuments since 2010.

If your firm is currently on a Windows file server, SharePoint, Worldox, or another platform and you are evaluating whether a purpose-built cloud DMS makes sense, we are happy to talk through the security considerations along with everything else that goes into that decision.

Schedule a free consultation at go.oncehub.com/optconsult, call us at 1-800-399-0852, or email help@optiable.com.

About the Author

Craig Bayer is the founder and leader of Optiable, an award-winning document management (DMS) consulting firm dedicated to helping law firms seamlessly integrate NetDocuments. Specializing in firms with 10 to 150 users, he has successfully guided over 500 law firms across the United States and Canada through NetDocuments implementations since 2010.

With deep expertise in the legal industry, Craig has a proven track record of optimizing technology to meet the unique needs of law firms. His certifications include industry-leading tools such as Amicus Attorney, Centerbase, Clio, PCLaw, HotDocs, TimeMatters, Soluno, and Worldox, enabling him to deliver comprehensive solutions tailored to each client’s workflow and goals.
