The Panama Papers is the most well-known breach of a law firm, compromising 11.5 million documents from the law firm Mossack Fonseca. In it, 2.6 terabytes of client data were exposed, revealing information about 12 heads of state, 29 billionaires, 150 politicians, and many major financial institutions across the globe.

But Mossack Fonseca is hardly the only firm facing data breaches. Now, law firms everywhere are increasingly concerned about exposure of client data. During the panel “Lessons Learned from the Panama Papers” at Wolters Kluwer’s ELM User conference, speakers discussed information governance practices from the perspectives of corporate legal departments, law firms and legal service providers. In doing so, they provided three ways in which legal professionals can reduce the risk of data breaches:

1. Ask better questions.

Marco Salcedo, senior counsel at Wolters Kluwer, said that working in a corporate legal department following the Panama Papers breach he routinely fields questions from clients who want to know what documents are being produced, where those documents are being stored, how they’re being secured and who has access to them.

Ted Banks, an attorney at Scharf Banks Marmor, agreed that clients should be grilling their legal service providers about their data security practices before entrusting them with sensitive data. “Every corporate client should be worried about their data. You can’t assume the law firm will protect it,” he said.

Banks said that the onus to interrogate data security practices shouldn’t fall solely on clients. Law firms sometimes turn over client data to third-party vendors without examining vendor data security. Even when working with cloud-based or legacy vendors, who tend to be more secure, Banks said that law firms need to understand vendor practices and communicate security expectations as part of the standard operating procedure.

“If you outsource something, it doesn’t mean you stop worrying about it,” Banks added.

2. Don’t keep unnecessary data.

3. Remember to account for human error.