Every now and then, my wife helps me clear out my spam-riddled email inboxes. The ones overflowing with pitches from law firm data brokers. It’s something she enjoys doing (bless her, I can’t stand it), and sometimes she finds something important. Today, she did it again.
While sweeping up the mess inside my email, she mentioned something she’s said many times before. “You got another one of these!” She showed me. A familiar template of an email I get constantly. I almost always just junk them. Sometimes I send a frustrated reply. But I never think twice about them.
Until today. Today, I decided to investigate just how deep the law firm data broker problem really goes.
Because every week — sometimes every day — I get emails like this:
“Hi, I hope this message finds you well. My name is Dorothy Gale, and I have some suggestions that could quickly boost your email marketing efforts. Would you be interested in purchasing a verified list of Legal Practice Management Software Users?”
The sender is using a fake name from an Outlook burner account. The email lists every major cloud-based legal software platform by name: Clio, Smokeball, MyCase, PracticePanther, and a dozen others, and offers to sell their users’ personal data: I’m talking names, direct emails, phone numbers, mailing addresses, firm revenue, salaries, decision makers, employee counts, and more.
This isn’t a one-off. I’ve received over 2,218 of these emails since 2017. And the number grows every single year.
| Year | Broker Emails Received |
|---|---|
| 2019 | 143 |
| 2020 | 217 |
| 2021 | 262 |
| 2022 | 297 |
| 2023 | 384 |
| 2024 | 416 |
| 2025 | 461 |
| 2026 | 38 (first 7 weeks) |
That’s a 222% increase from 2019 to 2025. It has never gone down. Not once. Not a single year.
And when I say “data brokers,” I don’t mean one bad actor. A forensic analysis of just 118 of these emails revealed 57 unique senders operating from 24 different domains. Half use Outlook burner accounts (disposable, untraceable identities). Many trace back to IP addresses in India, Korea, Japan. But some even from the US. They operate openly, offering “verified lists” of lawyers like it’s a perfectly normal business.
Because for them, it is.
These emails aren’t new, either. The earliest one I can find dates back to 2017:
And they don’t take “no” for an answer. Here’s a follow-up from 2018, pressuring for a response:
What Are Law Firm Data Brokers Selling, and Who’s Buying?
Let’s be clear about what these brokers are offering. This is directly from their emails:
“The data fields include: Company Name, Contact First & Last Name, Job Title, Direct Email Address, Phone Number, Fax Number, Mailing Address, Employee Count, Revenue Size, Industry Classification, and Website URL.”
That’s not aggregated, anonymized market research. That’s your name, your direct phone number, your firm’s revenue, and your office address, all packaged and sold to anyone with a credit card.
These emails are highly personalized. The brokers know exactly who they’re targeting: using your name, your firm’s name, and even referencing your specific software:
They’re also shamelessly opportunistic. When AffiniPay acquired MyCase and LawPay, brokers immediately used the M&A news as a hook to sell user lists:
Who’s buying?
- Competing software vendors looking to poach customers
- Marketing agencies running targeted campaigns
- “Consultants” selling overpriced services to lawyers
- Bad actors using the data for social engineering, phishing, or fraud
If someone knows your name, your firm, your software, your revenue, and your phone number, they can craft a very convincing phishing email. Or an impersonation call. Or a targeted attack that looks like it came from your bar association.
18 Platforms. One Industry. Zero Accountability.
From our sample of 118 analyzed broker emails, here’s how often each platform’s users are being sold:
Clio leads the pack at 70 mentions — appearing in 59% of all broker emails. But Smokeball, MyCase, CosmoLex, PracticePanther, and 13 others are all on the menu. This isn’t a problem with one vendor. It’s an industry-wide failure.
Every platform on this list stores your data in their cloud. And somehow, that data is ending up in the hands of overseas brokers who sell it to strangers. It’s one more reason to break free from cloud dependency entirely.
And here’s a 2021 email showing the range of platforms being offered, from LexisNexis to Clio to everything in between:
Your State Bar is Part of the Pipeline
Here’s where it gets truly disturbing.
Smokeball (the #2 most-mentioned platform in data broker emails) has partnered with 22 state and local bar associations to offer free software licenses to their members:
Alabama, Arizona, California (two separate programs), Colorado, DC, Florida, Georgia, Illinois, Minnesota, Missouri, Nebraska, New Hampshire, New York, Oklahoma, Oregon, Texas, Utah, Wisconsin. Plus local bars in Beverly Hills, DuPage County, and St. Petersburg.
Each partnership funnels thousands of lawyers into Smokeball’s cloud platform. The New York State Bar Association alone represents over 70,000 members.
Think about what happens:
- Your state bar says “Free Smokeball license included with your membership!”
- You sign up: name, email, phone, firm details
- Your data enters the cloud ecosystem
- Data brokers start selling lists of “Smokeball users”
- Spam arrives in your inbox from Dorothy Gale
Your own professional licensing organization — the entity charged with protecting the legal profession — is a major on-ramp to the data broker pipeline.
We’re not saying Smokeball (or any specific vendor) is intentionally selling your data. But when 22 bar associations funnel their members onto a platform whose users routinely appear in data broker lists, someone should be asking hard questions about where the leak is.
Law Firm Data Brokers Never Stop
As recently as yesterday (February 19, 2026) another one of these emails landed in my inbox:
Nine years. 2,218+ emails. And counting.
Where is the Data Leaking From?
There are four primary vectors:
1. The Vendor Themselves
Cloud platforms collect extensive user data. Their privacy policies (which nobody reads except me apparently) often permit sharing with “partners,” “service providers,” or “affiliated companies.” After Clio’s acquisition spree (acquiring Lawyaw, Calendly integration, Clio Payments via Stripe, and others), user data flows through an increasingly complex web of third-party relationships.
2. Third-Party Integrations
Every integration your cloud software connects to: email sync, calendar, payment processing, document storage, it’s another entity with access to your data. Each has its own privacy policy, its own data practices, and its own vulnerabilities.
3. Data Enrichment Companies
Companies like ZoomInfo, Apollo, Clearbit, and dozens of others scrape, buy, and aggregate business data from multiple sources. Once your information exists in any cloud platform, it becomes part of the data enrichment ecosystem. Bought, sold, combined, and resold endlessly.
4. Employee and Contractor Access
Cloud platforms employ hundreds or thousands of people who can potentially access customer data. Offshore support teams, contractors, and departed employees all represent potential leak points that simply don’t exist with locally-installed software.
The ABA Has Already Warned You
This isn’t hypothetical legal theory. The American Bar Association has issued clear guidance:
ABA Formal Opinion 477R (2017) requires lawyers to make “reasonable efforts” to prevent unauthorized access to client information when using technology. This includes understanding how your software vendor handles data.
ABA Model Rule 1.6(c) states: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
ABA Model Rule 5.3 extends your ethical obligations to anyone you’ve retained to assist in providing legal services — including your software vendors.
If your client data lives on a cloud platform whose users’ information regularly appears in data broker databases, can you honestly say you’ve made “reasonable efforts” to protect it?
Multiple state bars have issued their own opinions reinforcing these obligations. Florida Bar Opinion 12-3, California Formal Opinion 2010-179, and New York State Bar Opinion 842 all address the ethical obligations of lawyers using cloud computing. The consensus: you are responsible for understanding where your data goes and who has access to it.
The Cloud “Convenience” Tax
The irony of cloud-based legal software is that you’re paying more every year for less privacy.
Clio (the #1 platform being sold by data brokers) has raised prices at least twice in three years:
| Plan | 2022 Price | 2025 Price | Increase |
|---|---|---|---|
| EasyStart | $39/mo | $49/mo | +25.6% |
| Essentials | $69/mo | $89/mo | +29.0% |
| Advanced | $99/mo | $119/mo | +20.2% |
| Complete | $129/mo | $149/mo | +15.5% |
On top of that, they’ve quietly raised credit card processing fees from 2.8% to 2.95% (3.5% to 3.75% for Amex), increased the Clio Grow add-on from $49 to $59 per user, and locked more features behind expensive add-on tiers.
You’re paying 30% more for the privilege of having your data sold to strangers. That’s not a convenience tax, it’s a shakedown.
There’s an alternative to the SaaS treadmill: software you buy once and own forever — no recurring fees subsidizing the data broker ecosystem.
How to Protect Your Firm from Law Firm Data Brokers
1. Audit Your Cloud Footprint
Make a list of every cloud service that has access to your firm data. Read their privacy policies. Actually read them. Look for language about “sharing with partners” or “affiliated companies.”
2. Ask Your Vendor Directly
Send your cloud software provider a written request: “Please confirm whether any of our firm’s data, including usage data, account information, or metadata, has been shared with third parties, data aggregators, or marketing partners.” Watch how they respond. Or don’t.
3. Question Your Bar Association
If your state bar has a partnership with a cloud software vendor, ask them: “What due diligence was performed on this vendor’s data handling practices before recommending them to members? Has the bar reviewed whether users of this platform appear in data broker databases?”
4. Consider Local-First Software
The simplest way to prevent your data from being sold? Don’t put it in someone else’s cloud in the first place.
Software that runs locally on your machine, like TimeNet Law, keeps your data on hardware you control. There are no third-party integrations siphoning your information. No cloud servers for brokers to harvest. No employee with access to your client files from the other side of the world.
Your data stays yours because it never leaves your building.
The Bottom Line
Over 2,218 data broker emails. 57 different senders. 18 platforms being sold. 222% growth in six years. And it never, ever stops.
I’ve replied to some of these emails in frustration. I’ve reported them. I’ve flagged them. None of it matters. They just keep coming — from new names, new burner accounts, new domains. The data is out there, and once it’s out, it never comes back.
Every lawyer using cloud-based practice management software should be asking one question: Where is my data going?
Because right now, the answer is: everywhere. To anyone. For a price.
And the people who are supposed to protect you (your software vendors, your bar associations, etc.) are the ones who helped put you in this position.
Methodology note: Year-over-year email counts (2,218+ total) are actual totals from the full inbox. Platform mention counts, sender domain analysis, and other forensic breakdowns are based on a detailed analysis of 118 emails sampled from the full set.
Perry Fjellman is the developer of TimeNet Law, a desktop-native legal practice management application that keeps your data where it belongs: on your computer.