4 lessons in-house GCs can learn from law firm data breaches

Kara Wen | June 2, 2022 | Articles

Law firms are “amazing targets on every conceivable level” for cyberattacks, according to K&L Gates partner Jake Bernstein. The combination of large volumes of confidential data, outdated cybersecurity measures, and increasingly sophisticated hackers has resulted in a growing number of significant law firm data breaches.

By looking at real-world examples from legal industry peers, general counsel can better understand the most common factors that open the door to steep regulatory fines, reputational damage, and business disruptions.

From confidential information to a lack of employee training, corporations share many of the same vulnerabilities that have led to costly law firm data breaches. With these insights, you can help your organization build a solid defense and avoid the same mistakes.

1. Legal risk management must include strengthening cybersecurity

As Identity Theft Resource Center COO James Lee points out, law firms are often victims of data breaches because their cybersecurity “sucks—it’s not much more complicated than that.” Cybercriminals are aware of this industry problem and take advantage of these security weaknesses, many of which are basic fixes.

It’s ultimately up to your IT department to implement strong cyber protections. But because there’s so much inherent risk in this area, legal should still be involved in conversations about company cybersecurity. Your IT department’s decisions should take into account the latest data privacy regulations and cover all the relevant bases.

You don’t need to be a complete cybersecurity expert when working with IT, but it helps to know some basic security measures. This way, it’s easier to bridge the gap between reading a data privacy law and putting it into practice. Devote some of your annual CLE credits to cybersecurity courses and ask questions when meeting with IT. Take the time to study up on your own. It will show your peers that you’re invested in the work, making for a strong and collaborative relationship.

Then, apply what you’ve learned by offering to conduct a joint audit with IT. This way, you can take a hands-on approach to identify potential vulnerabilities and instances of regulatory noncompliance, making sure nothing falls through the cracks.

Example: Tuckers Solicitors LLP was fined nearly $128K for inadequate cybersecurity measures

This United Kingdom–based criminal defense firm suffered a ransomware attack in 2020. Nearly 1 million files were rendered inaccessible, and 60 packets of sensitive client information were released on the dark web (essentially, the digital black market).

In its investigation, the Information Commissioner’s Office (ICO) found the law firm noncompliant with multiple articles of the European Union General Data Protection Regulation (GDPR), the EU’s comprehensive data privacy law. According to OneTrust DataGuidance, the ICO claimed Tuckers Solicitors “failed to put in place appropriate technical and organisational measures” to protect client data and was fined £98,000 — close to $128,000 — for its poor cybersecurity.

Example: Mossack Fonseca closed its doors just two years after an infamous hack

Even if you don’t recognize the firm name, you’ll probably recognize the name of Mossack Fonseca’s infamous data breach: the Panama Papers. Anonymous whistleblower “John Doe” acquired and leaked a staggering 11.5 million documents in 2016, exposing the Panamanian law firm’s long history of illegally helping wealthy clientele evade taxes and international sanctions.

Former Forbes contributor Jason Bloomberg stressed the hack was “dead simple” because of the firm’s “appallingly common” and preventable security gaps, including a lack of software updates and no firewall. While the firm was trying to hide its criminal activities, the Mossack Fonseca breach is still a reminder of how easily sensitive information can be compromised without proper cybersecurity. The firm shut its doors in 2018 after the fallout from the scandal.

Example: A ransomware attack compromised legal documents from Grubman Shire Meiselas & Sacks’ high-profile clients

Cybercriminal group REvil breached celebrity law firm Grubman Shire Meiselas & Sacks in May 2020 with a ransomware attack. This type of malicious software (malware) blocks users from accessing certain files or systems until the cybercriminal receives payment. With its attack, REvil stole 756 gigabytes of sensitive client information, leaking files from Lady Gaga as proof and auctioning off legal documents belonging to Bruce Springsteen and Usher on the dark web.

While there is limited information on the specifics of the hack, cybersecurity company Arctic Wolf suggests the ransomware was most likely delivered through a phishing email link or attachment.

The group demanded $42 million from Grubman, which the firm allegedly refused to pay (the hackers claimed they received $365,000). Because of these potential payouts, cybercriminals are increasingly deploying ransomware attacks against law firms.

2. Yes, ransom payments are a real thing (but that doesn’t mean you should pay)

While it sounds like something out of a spy movie, 69% of law firms surveyed by Capterra admitted they paid ransom to cybercriminals after experiencing a data breach. Capterra’s survey also revealed that 1 in 3 of the small and mid-size firms who admitted to experiencing an attack said it happened between 2020 and 2021.

We understand the desire to just pay the money and seemingly get things over with, but it’s not worth it. Sophos’ 2021 State of Ransomware Report found that only 8% of organizations who paid ransom got all their data back. The FBI explicitly advises against paying cybercriminals, with FBI director Christopher Wray likening modern ransomware to negotiating with terrorists.

To prevent panic-based decisions with dubious results, create a detailed incident response plan. Based on your analysis of relevant data privacy regulations, work with IT to outline the appropriate steps to take in the event of a ransomware attack or other cyber event. The American Bar Association recommends including, at a minimum:

  1. The specific law
  2. The data breach trigger
  3. Who to notify
  4. What needs to be included in breach notifications

Additionally, include contact information for any cybersecurity outside counsel you have and your company’s cyber insurance carrier, if you have one.

Example: Moses Ryan Ltd. paid a Bitcoin ransom and still couldn’t access its billing system for 3 months

One of the largest law firms in Rhode Island, Moses Ryan Ltd., was the victim of a ransomware attack in 2016 that froze its billing system and related documents. While the firm paid the cybercriminals $25,000 in Bitcoin, the hackers didn’t restore access until 3 months later. The firm subsequently lost out on $700,000 in client payments during that time.

3. Human error causes more data breaches than you might think

When people think about data breaches, they usually think of nefarious criminals forcing entry into a network. The reality, though, is that most data breaches happen because of human errors that unintentionally give access or information to hackers.

Specifically, Egress’ 2021 Insider Data Breach Survey found that 73% of companies said they were breached after employees fell for phishing emails. These attacks involve criminals impersonating others to trick users into some kind of action, from downloading attachments that deploy malware to forwarding confidential data. For example, cybercriminals frequently pretend to be Amazon, sending users emails about purchases they never made or asking for payment information to be updated. The goal is to get the user to click a malware-laced link or enter their password, believing the email to be credible, and then it’s game over.

Egress notes that law firms are “uniquely susceptible” to phishing cyber threats — it’s easy for criminals to impersonate one of the many clients they exchange sensitive information with. This also applies to corporate law departments, which typically work with a wide range of vendors as well.

To minimize risk, work with your IT and HR departments to create mandatory employee training on best practices for data privacy compliance, including how to detect different types of phishing. Thorough education will directly benefit employees and protect their own sensitive information as well as client and consumer data.

Example: Proskauer Rose and Jenner & Block both sent W-2s to cybercriminals

Well-known international law firms Proskauer Rose and Jenner & Block LLP have each been in the spotlight as victims of phishing schemes that happened in 2016 and 2017, respectively. The American Bar Association Journal explains that a Proskauer payroll employee sent W-2 forms to a hacker impersonating a senior executive, compromising the personal information of over 1,500 individuals. Similarly, a Jenner & Block employee forwarded W-2 forms to a threat actor posing as a member of management, giving them key data like Social Security numbers and salaries for 859 people.

4. Data breaches negatively impact businesses — even if no data is released

Ultimately, the more time and effort you put into firming up your organization’s data privacy measures, the more you’ll save in the long run. But even if a hacker doesn’t release compromised data or you don’t get penalized for noncompliance with data privacy laws, data breaches still take a significant toll on a company’s bottom line and operations.

Example: IT overtime became the norm after a cyberattack on DLA Piper

Cited as the first major ransomware attack on a law firm, the 2017 DLA Piper breach forced the massive global firm’s IT department to work 15,000 hours of overtime to rebuild its robust network. Talk about a massive dent in finances and employee morale.

Example: Warden Grier was sued by a client after failing to disclose a data breach

After cybercrime group Dark Overlord hacked this small Missouri law firm in 2016, they stole data from one of Warden Grier’s clients, Hiscox Insurance. The law firm paid ransom to keep data private — but didn’t tell Hiscox what happened. Hiscox, however, found out in 2018 after one of its employees came across data leaked by the hackers (yes, even after they got the money they asked for). Warden Grier was then sued for $1.5 million in federal court, the alleged cost of Hiscox’s own forensic investigation.

Example: Campbell Conroy & O’Neil P.C. paid for breach victims’ access to identity theft restoration services

Known for representing Fortune 500 and Global 500 companies like Apple and IBM, national law firm Campbell Conroy & O’Neil P.C. was hit with a ransomware attack in February 2021. The hack compromised a variety of sensitive client data from Social Security numbers to health insurance and credit card information. Campbell ended up giving away 2 years of free access to fraud services to affected individuals as a gesture of goodwill. That’s thousands of dollars lost that could’ve been prevented.

Proactive risk management includes talking to vendors about their data security

Besides applying these lessons to your data privacy efforts in-house, you should reach out to your vendors to find out what they’re doing to protect your data. The American Bar Association found that 25% of surveyed law firms said they’ve experienced a data breach. So, there’s a good chance that at least one of your vendors has had (or will have) sensitive information exposed — a likelihood that increases the more third parties you work with.

While you wait to chat with outside counsel, partner with your IT department to review your company’s compliance with data privacy regulations and cybersecurity measures, including how secure your legal department’s software is. It might be time to evaluate a modern solution whose security measures are kept up to date, so that your data stays secure.