Are Your Contact Forms Storing Client Data? Law Firm Website Risks Part 2

Are Your Contact Forms Storing Client Data?

Many law firms understandably focus on the visible aspects of their website, such as branding, design, content, and SEO. However, there is another issue that often goes unnoticed: how your contact forms handle and store enquiry data.

Depending on how your website has been configured, sensitive client information may be stored directly within the website itself, sometimes without the firm fully realising it.

And if a website is compromised, that data could potentially become accessible to unauthorised parties.

Certain WordPress contact form plugins, including widely used systems such as Gravity Forms, allow submissions to be stored within the website database. This can mean that:

• every enquiry submitted through the website is retained internally,
• names, email addresses, phone numbers, and message contents may be accessible through the WordPress administration area,
• and historic submissions remain stored unless they are manually deleted or managed.

Other plugins may offer similar functionality depending on how they are configured.

At first glance, this may appear convenient. However, it also raises an important question: What happens if someone unauthorised gains access to the website?

As discussed in our previous article, websites are not always compromised through the homepage itself. In many cases, access can occur through:

• outdated plugins,
• vulnerable APIs, website integrations, themes or page builders,
• weak passwords or access controls,
• or third-party tools added without proper security review.

Once administrative access is obtained, a hacker may also gain visibility of any information stored within the website environment, including historic contact form submissions.

For a law firm, this could potentially include:

• client names and contact details,
• sensitive information relating to disputes or claims,
• financial or medical information,
• and confidential disclosures submitted through online enquiry forms.

This is where a technical website issue can quickly become a much wider compliance and regulatory concern.

If your client information is exposed through a compromised website, there may be obligations to:

• report the incident to the Information Commissioner’s Office (ICO),
• notify the Solicitors Regulation Authority (SRA),
• investigate the extent of the breach,
• and assess whether confidential client information has been accessed.

Even where the issue originates from a technical vulnerability, responsibility for protecting client data ultimately remains with the firm.

In addition to the operational disruption caused by a website compromise, firms may also face reputational damage and loss of client trust.

In many cases, vulnerabilities are not created intentionally. Instead, they develop gradually through:

• plugins not being regularly updated,
• unnecessary add-ons being installed over time,
• websites becoming overly reliant on third-party tools,
• or changes being made by external providers without a full understanding of regulatory risk.

There are more cautious ways to manage contact form submissions on law firm websites. For example:

• using lightweight form systems, including contact forms which send enquiries directly via email rather than storing them within the website database,
• routing enquiries into secure external CRM systems with safeguards such as two-factor authentication (2FA),
• and limiting the amount of sensitive information retained within the website itself.

The aim is not necessarily to eliminate functionality, but to reduce unnecessary risk and minimise the amount of sensitive data exposed if a website is ever compromised.

If you are unsure how your website currently handles enquiry data, it may be worth asking:

Are contact form submissions stored within the website database?
Who has access to that information?
Are plugins and themes updated regularly?
Is there a process for monitoring vulnerabilities?
Are unnecessary plugins or integrations installed?
Where is enquiry data ultimately stored?

These issues are not always visible from the front end of a website, but they are important considerations for any regulated business.

Website security is not simply about preventing downtime or restoring a hacked website. For law firms, it is also about protecting confidential information, maintaining regulatory compliance, and reducing avoidable risk.

Something as simple as how a contact form is configured can have wider implications than many firms realise.

If your website stores enquiry data internally without clear safeguards or oversight, it may be worth reviewing whether the current setup remains appropriate.

Not Sure How Your Website Handles Data?

If you would like us to review how your website currently handles enquiries, plugins, or stored data, we are happy to take a look.

No pressure and no obligation, just a clearer understanding of what may be happening behind the scenes.

And if you are looking for a responsible team to redesign your existing law firm website, don’t hesitate to get in touch.

We build and manage websites for regulated law firms with security, stability, and compliance considerations in mind, helping reduce unnecessary risk through careful plugin selection, ongoing maintenance, secure integrations, and practical website management practices.

Contact us