Hundreds of Firms Have Reported Breaches: Some Insight from the Investigation

October 23, 2019

Cyber hacks and data leaks have become commonplace in digital business, but the past few years have seen a surge in reported breaches across the legal industry. Even though law firm data breaches tend to slip under the wire, the number of cases, and their impact, keeps increasing. From corporate-scale law firms to offices with just a few partners, the data is too valuable and hackers spare no personally identifiable information (PII).

In the last couple of years, reports from firms and attorneys who have reported data breach incidents to state authorities, paint a wide picture of how ruthless cyber criminals are when it comes to stealing legal data.

Here are just a couple of examples from hundreds of reports, that range across firm size, practice area, and breach method:

  • Conn Maciel Carey, in 2018, CMC learned that the email account of one of its employees had been accessed without authorization by an unknown individual, exposing medical historical information.

  • Aaron J Butler, Attorney at Law: in 2017, this one-man firm in Indiana had customer data exposed after his laptop was stolen and password was hacked.  

  • Jenner and Block Law Firm – In 2017, the firm reported that employees’ W-2 forms were “mistakenly transmitted to an unauthorized recipient,” exposing Social Security numbers, salaries and other personal information for 859 people across 6 states.

  • Proskauer Rose – Similarly, one year prior, in 2016, Proskauer also reported a breach of W-2 information, when a payroll employee responded to what was believed to be an email request from a senior executive. More than 1,500 across 5 states people were affected.

  • Lando Law Firm – In 2015, the firm became the victim of a targeted phishing attack which exposed the firm’s emails and client and employee information across 6 states.

…The list goes on. Whether it’s a boutique firm, solo practitioner, nonprofit organization, even government law offices, everyone is at risk.

Just like the ABA Journal’s report above, most cybersecurity studies show rising trends in risk and exposure. For instance, in 2018, there were about eight cases of high-profile data breaches in New York alone, with a conservative estimate of a widespread impact of over 1,500 individuals.

Unfortunately, this is only the number of reported cases. We believe that the majority of data breach cases go unreported, especially in the legal industry, where the reputation for discretion is paramount. Law firms may choose not to report data breach incidents because they do not want their clients to know about the exposure- a data breach is also a breach of trust. Any vendor fears the loss of clients, but particularly in the legal industry, a data breach is a breach of trust.

Plus, there are so many attacks now, happening at every minute, that if anything is reported at all, it’s only going to be the huge attacks – the breaches that get out to public knowledge. Former head of the FBI’s cyber breach unit, Austin Berglas, confirms that “Law firms are only going to make those reports when they’ve confirmed through a forensic investigation that reportable information has been touched. They’re not going to report every event—they see it every day.”

Why Are Firms Being Targeted?

If it’s not clear yet, let’s take a look at why firms are so heavily targeted. First, and most clearly, lawyers are guardians of their clients’ important and sensitive information. From mergers to IPOs, confidentiality is one of the essential facets of attorney-client relationships. Cyber criminals know that they stand to win big if they land their hands on any attorney’s, much less a whole law firm’s, data.

Equally, the reputation of the law firm lies in its ability to protect and preserve the client's information. To protect client information, in some cases, law firms may be willing to pay off hackers rather than report the hacking incident to relevant authorities, meaning hackers have a higher chance of unanimous and undetected success.

Is There a Solution?

So what to do? Let’ work together to keep you, your firms, and your information safe. We are here to help you keep data secure by holding yourself and your firms accountable. Using Counself Risk, firms will respond thoroughly to client due diligence and information security questionnaires, requests, and audits, and legal departments can measure and manage third-party risk conveniently with a secure platform and audit history.

We, ourselves, are dedicated to safeguarding your data, and hold active ISO 27001 certification for our secure cloud platform stocked with templates, features, and policies that will help you organize your risk documentation, so you can focus on helping clients with their legal issues. Check out more about our security here, and contact us here to learn more about us.

  • Data Breach
  • Counself Risk
  • Information Security
  • Law Firms

What Else Are You Interested In?

We love research and would be happy to share our finding with you