Get Staffed Up, LLC

Get Staffed Up
Virtual Case Managers
Client Login
Get Staffed Up, LLC logo
Delegate your way to freedom®

Can a Virtual Assistant Safely Handle Confidential Client Information?

Yes — when proper safeguards are in place. Under ABA Model Rule 1.6, attorneys are responsible for supervising anyone who handles client data, including remote staff. A trained legal virtual assistant should operate under a signed contract with confidentiality obligations, use role-based access to case management software, and follow documented data handling protocols. The risk is not in using a VA — it is in failing to supervise one.

What does ABA Model Rule 1.6 say about delegating to remote staff?

ABA Model Rule 1.6 requires attorneys to make reasonable efforts to prevent the unauthorized disclosure of client information — and that obligation applies to every person who handles client data on the attorney’s behalf, whether licensed or not, in-office or remote. The rule does not prohibit using virtual assistants. It requires that attorneys supervise them adequately.

ABA Formal Opinion 08-451 addresses outsourcing legal and administrative work specifically. It confirms that attorneys may delegate tasks to remote workers, including offshore workers, provided they conduct appropriate due diligence on the provider, establish clear confidentiality obligations, and maintain supervisory oversight of the work. The opinion does not treat geography as a disqualifying factor — it treats supervision as the controlling one.

What this means in practice:

  • You are responsible for ensuring your VA understands and follows confidentiality obligations
  • You must use reasonable security measures when giving a VA access to client data
  • You should document what access the VA has and what protocols govern their work
  • Discipline, when it occurs, results from inadequate supervision — not from the fact of using a VA

 

Attorneys who set up proper access controls, confidentiality agreements, and communication protocols are well within the bounds of their ethical obligations when using remote legal staff.

How do I know my virtual assistant isn't working for multiple law firms at the same time?

This is one of the most common concerns attorneys raise — and it’s a legitimate one, particularly with independently sourced VAs on general platforms like Upwork where a single worker may serve multiple clients simultaneously.

Agency-placed VAs through Get Staffed Up are dedicated to your firm during your assigned hours. They are not shared across multiple clients. Activity is trackable through your case management software and task tools, giving you visibility into what work is being done and when.

For firms that want an additional layer of infrastructure security, Get Staffed Up offers virtual machines as an opt-in option. A virtual machine provides a controlled, firm-specific digital workspace — your data and activity occur within that environment rather than on the VA’s personal device. If data containment is a priority for your firm, ask about this option during your consultation.

If you want further assurance, you can also ask your VA to use a time-tracking tool that logs activity screenshots at set intervals — a common practice for remote workers that provides a verifiable record without requiring micromanagement.

What safeguards should a legal VA provider have in place?

A reputable legal VA agency should be able to answer specifically — not vaguely — when you ask about their security and confidentiality protocols. If the answer is “we take security seriously” without specifics, that’s a red flag.

The safeguards to ask about:

Contractual protections VAs should sign contracts that include confidentiality obligations before they begin work. Ask any agency you’re evaluating what their VA contracts cover and whether confidentiality obligations are included.

Confidentiality training VAs should receive training on attorney-client confidentiality, data handling expectations, and the professional communication standards required in legal client interactions. This is not the same as a general data privacy course — it should be specific to law firm contexts.

Virtual machine option For firms that prioritize data containment, Get Staffed Up offers virtual machines as an opt-in feature. A virtual machine provides a controlled digital workspace separate from the VA’s personal device — client data stays within that environment. Ask about this option during your consultation if it’s a priority for your firm.

Role-based access controls Each VA should have their own login credentials with access limited to what their role requires. Shared login credentials create accountability gaps — if something goes wrong, you can’t trace which action came from which person.

Activity logging Your case management software (Clio, MyCase, PracticePanther) logs user activity by login. This gives you a verifiable record of what your VA accessed, changed, or created — without requiring you to watch them work.

Background checks Get Staffed Up conducts background checks on candidates before placement — ask any agency you’re evaluating whether they do the same.

Want to know exactly what protections are in place before you commit?

Ask us directly. Schedule a call with us to answer your security questions.

Get your questions answered

What access should a virtual assistant have to my case management software?

Give your VA role-appropriate access only — enough to do their assigned tasks, nothing beyond that. Every user should have their own individual login. Never share credentials. This is both a security practice and an ethical one: individual logins create an auditable trail of who did what, which protects you if a dispute arises.

In practice, access tiers for VAs typically look like this:

Intake VA or receptionist: Contact creation, lead entry, consultation scheduling, intake form management. No access to case financials, trust accounts, or completed matter files outside their assignments.

Legal assistant: Case file access for assigned matters, document uploads, task and deadline management, case note entry, time entry. Limited or no access to billing and trust accounting.

Billing assistant: Invoice creation, payment tracking, billing history for assigned matters. Limited access to substantive case files.

Executive assistant: Calendar, email management, document organization, internal communications. Access scoped to their specific support function.

Most case management platforms allow you to configure role-based permissions at the user level. In Clio, for example, you can set each user’s access to specific matters, billing functions, and administrative features. Set these up before your VA’s first day — don’t rely on default permissions.

A VA who has access to everything they don’t need is an unnecessary exposure. A VA with precisely scoped access is both more secure and easier to supervise.

Does Get Staffed Up offer virtual machines for added data security?

Yes — as an opt-in option for firms that want an additional layer of infrastructure protection. A virtual machine is a controlled digital workspace that runs separately from the VA’s personal device. When your VA works inside a virtual machine, your firm’s data, software, and communications exist within that environment — not on a personal laptop that might have unmonitored access to other platforms, accounts, or networks.

What a virtual machine setup provides:

Data containment: Work performed by your VA happens inside the virtual machine. Client files, case notes, and communications aren’t stored on a personal device that could be accessed outside of work hours or by other parties.

Environment separation: The VA’s personal browsing, personal accounts, and personal software are outside the work environment. Your firm’s data doesn’t share a device with anything unrelated to your practice.

Access control: The virtual machine can be configured with the tools and permissions your VA needs — and nothing else. This is a meaningful safeguard against accidental or unauthorized data exposure.

This option is not required for every placement — but it is available for firms where data containment is a specific concern. If your practice handles particularly sensitive matters or you have internal security policies that require controlled device use, ask about the virtual machine option when you speak with Get Staffed Up.

Is a virtual assistant or an AI answering service better for client-facing calls?

For most law firms, a trained human VA outperforms an AI answering service for client-facing calls — particularly for intake and existing client communication. The distinction matters most in two scenarios: emotionally distressed callers (which is most personal injury, family law, and criminal defense intake) and callers with complex or irregular situations that fall outside scripted responses.

Here’s an honest comparison:

AI answering services

  • Available 24/7 including after hours and weekends
  • Consistent scripted responses, no variability in tone
  • Lower cost per interaction at high call volumes
  • Limited ability to handle calls that deviate from expected patterns
  • No relationship continuity — every call starts from zero
  • Can feel impersonal to callers in distress

 

Trained human VA

  • Available during assigned business hours
  • Adapts to caller tone, emotional state, and unexpected questions
  • Builds familiarity with your firm’s cases, clients, and communication style over time
  • Can exercise judgment on when to escalate vs. handle independently
  • Represents your firm with the nuance a scripted system cannot replicate
  • Higher cost than AI at scale, but more appropriate for complex or sensitive calls

 

The practical answer for most law firms: A human VA handles calls during business hours. An AI service or voicemail handles overflow and after-hours, with the VA following up on anything that requires a live conversation the next morning. This hybrid approach covers availability without sacrificing the quality of client interaction during the hours that matter most.

The attorneys most satisfied with AI-only services tend to have very high call volume, straightforward intake criteria, and limited need for judgment calls. The attorneys most frustrated with AI services tend to have emotionally complex intake, diverse caller situations, and clients who need to feel heard before they’ll hire.

If you already have an AI system and your clients aren’t responding well to it:

This is a common pattern — the AI handles overflow or after-hours coverage adequately, but clients who reach a live person convert and stay, while clients who reach the AI frequently don’t. The issue is usually not the AI itself but the mismatch between client expectations and what the AI can deliver. Legal clients, particularly in practice areas like personal injury, family law, and criminal defense, often call at an emotionally charged moment. They want acknowledgment, not a script.

A human VA as the primary intake handler — with AI handling only true overflow or after-hours triage — typically resolves this. The VA manages the calls that matter most for conversion and client experience. The AI handles the ones where the primary goal is simply capturing a message and ensuring follow-up. If you’re already running that hybrid model and still seeing client friction, the more likely issue is the VA’s intake script or training rather than the technology itself.

How do Latin American virtual assistants understand US client confidentiality requirements?

Through legal-specific hiring criteria, onboarding, and ongoing work within US law firm environments. Geography doesn’t determine a VA’s understanding of US professional standards — training and experience do.

Get Staffed Up recruits from Latin America specifically because of the time zone alignment with US law firms and the availability of candidates with professional backgrounds and English fluency. For legal assistant positions, candidates are required to have prior legal experience or a background in legal terminology before placement. That experience includes familiarity with the communication standards and confidentiality expectations of US legal practice.

Additionally, VAs placed with law firms receive confidentiality training as part of their onboarding — covering attorney-client privilege basics, data handling protocols, and the professional communication standards required when interacting with clients in legal situations.

A note for attorneys with PI practices: if your firm handles medical records, communications with medical providers, or HIPAA-adjacent information, a standard legal VA may not be the right fit for those specific tasks. Virtual Case Managers by Get Staffed Up receive specialized training, communicate with medical providers, and are equipped to handle that type of information correctly. 

The concern about LATAM VAs and US confidentiality requirements is understandable — and it’s exactly the question a careful attorney should ask. The answer is that the standard isn’t set by location; it’s set by training, contractual obligation, and supervisory structure. Those are things a legal-specific agency is responsible for building correctly.

Do I need a separate NDA with my virtual assistant?

Yes — regardless of whether you hire independently or through an agency. As with any employee or contractor who has access to sensitive client information, the responsibility for putting appropriate protective measures in place rests with your firm.

As with any staffing arrangement, the firm is not liable for staffer conduct — and it is the client’s responsibility to ensure proper measures are in place to protect their business, exactly as they would with any employee or contractor with access to sensitive information. That means your firm’s own confidentiality agreement is not optional — it is your protection.

This is no different from how you should treat an in-house hire. You would not rely solely on an employment agreement to protect client confidentiality — you would have staff sign your firm’s own confidentiality policy. The same applies to a virtual staffer.

What your confidentiality agreement for a VA should cover:

  • Non-disclosure of client identities, case details, and communications
  • Prohibition on retaining, copying, or transmitting client data outside the approved work environment
  • Acknowledgment of the attorney’s ethical obligations and the VA’s role in supporting them

 

If you don’t have a confidentiality agreement template for remote staff, your state bar’s ethics counsel or a business attorney can help you draft one. It does not need to be lengthy — a clear one-page agreement covering the points above is sufficient for most law firm VA arrangements.

Has any attorney been disciplined for using a virtual assistant?

Attorney discipline in connection with VA use has arisen from inadequate supervision — not from the use of remote staff itself. The ABA and state bar ethics opinions on outsourcing are consistent on this point: using a VA, including an offshore VA, is ethically permissible when the attorney exercises appropriate supervisory oversight and establishes reasonable confidentiality protections.

ABA Formal Opinion 08-451 and various state bar ethics opinions on outsourcing confirm that attorneys may delegate to remote workers provided they:

  • Conduct reasonable due diligence on the provider or individual
  • Establish confidentiality obligations
  • Supervise the work product
  • Disclose the arrangement to clients when the circumstances require it

 

Discipline arises when attorneys hand off work without oversight, fail to establish any confidentiality structure, or ignore obvious red flags about how their provider handles data. An attorney who uses a vetted agency placement with documented access controls and regular supervision is in a fundamentally different position than one who hired an unvetted individual from a general platform and never checked in.

The practical takeaway: the ethical risk of using a VA is manageable and well-defined. It requires supervision, documentation, and a provider who takes the legal industry’s requirements seriously — not avoidance of remote staff altogether.

Note: State bar rules vary. Attorneys should review their state’s specific ethics opinions on outsourcing and non-lawyer assistance before making delegation decisions. The ABA opinions cited here reflect national guidance but are not binding in all jurisdictions.

See how Get Staffed Up handles confidentiality

Background checks, opt-in virtual machines for data security, and a dedicated Account Manager overseeing every placement. If you have specific questions about how your firm’s data would be handled, we’ll walk you through it directly.

Talk to us about your firm