Law Firm Data Breach


I. Law Firm Data Breach Threat

The Sony and Target data breaches in 2014 raised awareness about the risk of a data breach, but the FBI has been warning law firms that they were being targeted by hackers since 2009. “We have hundreds of law firms that we see increasingly being targeted by hackers”, stated the FBI’s Mary Galligan, the special agent in charge of cyber and special operations for the FBI’s New York Office.

Others have concluded the same thing:

  • Cisco Systems Inc. ranks law firms as the seventh most-vulnerable industry to “malware encounters” in its 2015 “Annual Security Report”.
  • Law firms are very attractive targets . They have information from clients on deal negotiations which adversaries have a keen interest in,” according to Harvey Rishikof, co-chair of the American Bar Association’s Cybersecurity Legal Task Force. “They’re a treasure trove that is extremely attractive to criminals, foreign governments, adversaries and intelligence entities.”
  • Citibank, issued a report this year concluding that law firms are at a “high risk for cyber-intrusions” and would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.” The report also stated since the legal industry lacks standardized reporting requirements for cyber-intrusions, there is very little data on successful hacks.
  • According to cybersecurity firm Mandiant, at least 80 of the 100 biggest firms in the country, by revenue, have been hacked since 2011.

Further, “while cybercrime has plagued U.S.-based law firms quietly for close to a decade, the frequency of attacks of attempts and attacks has been increasing substantially…(although) numbers aren’t available, since…law firms have no legal obligations to disclose cybercrimes to the public…“Hackers use third parties like law firms or accounting firms as vehicles into major companies and corporations…They’re being used as an unwitting vehicle to get in there, and sometimes they don’t even need to go beyond the firms, because the firms have all of this sensitive information.”

II. Law Firm Data Breach Examples

  • In January 2015, the California law firm Ziprick & Cramer was hit by a new variant of CryptoLocker that encrypted files on their network share drive. After notifying the Federal Bureau of Investigation and the California Attorney General, Ziprick & Cramer refused to pay the demanded ransom, publicly stating, “[o]ur firm did not and will not pay any such ransom, which would only encourage and fund such criminals in their illegal activities.” Ziprick & Cramer should be applauded for standing up to these criminals; however, this dilemma likely put the firm in a precarious position with its clients.
  • Virginia-based firm Puckett & Faraj, which represented a Marine Staff Sergeant accused of leading the group of Marines alleged to have been responsible for the 2005 death of 24 civilians in Haditha, Iraq. In 2012, the hacker group “Anonymous,” in an apparent retaliation, stole 3 GB of sensitive files from the firm and posted them online, dealing the firm a substantial public relations blow that ultimately ended in the dissolution of the law firm.
  • Alabama law firm McCutcheon and Hamner was deemed as “racist” after an offensive commercial was released on their YouTube Channel after it was hacked. Can you say damaging to one’s reputation? The law firm released this statement “Attention: McCutcheon and Hamner’s You Tube Channel has been hacked. Our firm did not approve the latest advertising commercial. We apologize to anyone who has watched the commercial. Our IT team has been working all morning to get the commercial taken off YouTube and find the person who is responsible for this action.”

III. Data Breach Implications

An ABA Report highlights the implications of breaches that leak client information:

“A security breach that results in unauthorized access to a client’s sensitive data could have tremendous consequences for a firm, ranging from loss of business to potential disciplinary fallout.  It’s vital that firms work to minimize the risk of such a breach, but also that firms have solid response plans prepared in the event that a serious data breach does occur.  A firm that waits until after a security breach to come up with a response plan may end up making the situation worse.”

 IV. Data Breach Cost

According to the 2014 Cost of Data Breach study, the average cost to a company was $3.5 million, 15% more than what it cost last year. Critical to controlling costs is keeping customers from leaving. Reputation and the loss of customer loyalty does the most damage to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers.

The Ponemon Institute reported that cyber-security breaches cost companies an average of $194 per compromised record, and $5.5 million per breach.

V.Data Breach Causes

The five most common causes of a data breach are:

  1. Technology failure (firewall, server compromised)
  2. Criminal act by outsider (hacking, portable device theft)
  3. Employee misconduct (collusion with competitor, theft, unauthorized disclosure)
  4. Human error (lost or unsecured data portals, misdirected data, improper security configurations)
  5. Vendor error (misdirected data, packages, email)

VI. Data Breach Effects

  • Identity theft from lost or stolen customer information
  • Hacker stealing confidential client information or conducting e-vandalism
  • Lawsuit alleging invasion of privacy, libel, slander or product disparagement from emails or your website.
  • Business interruption: loss of access to data, destruction of data, etc.
  • Loss of customers, damage to the firm’s reputation, lawsuits from customers. Damage to/lawsuit by third-party whose systems are damaged by a virus your firm’s transmission of virus.
  • Costs associated with crisis management, privacy notification or disaster recovery

VII. Data Breach Prevention/Damage Control

By taking steps to guard against a data breach, companies can mitigate their losses and minimize the direct and indirect financial and reputational costs incurred in the event a data breach occurs.

1. Audit:
Firms should conduct an audit to develop a clear picture of their vulnerabilities. The two key parts: 1. Determine who the firm collects information from, the method(s) by which the information is received, where the information is stored, and who has (or may have) access to the information. 2. Develop an inventory of the firm’s technology hardware, i.e., PCs, laptops, and flash drives, and assess the security of each piece.

Larger firms should conduct a risk assessment using the ISO 27001 framework. It will identify the firm’s most pressing security threats, and most effective risk mitigation strategies.

 2. Data classification:
Firms should classify the personal information they collect and store according to the level of criticality and sensitivity. One option is to use the U.S. government’s classification scheme of top secret/secret/confidential/unclassified. Regardless of the schematic employed, it should detail data ownership, security controls, and data retention/destruction requirements for the personal information at each level.

 3. Limit data access:
By limiting employees’ and vendors’ access to personal information, firms can minimize the scope of losses and establish a level of accountability. To limit access:

  • Password-protect data;
  • Scan email attachments;
  • Scan data copied to removable drives and backup systems;
  • Encrypt and track all devices, i.e., laptops, and ensure they may be remotely wiped of data;
  • Limit user privileges to data, and maintain data log reports that are reviewable by management; adopt the principle of least privilege
  • Establish policies to automatically revoke access upon an employee’s termination or resignation.

4. Deploy basic cybersecurity measures:

    • Antivirus software, frequent software updates, a company firewall, and email filtering software that detects SPAM and scans attachments for viruses all provide basic protections against malware, including ransomware like CryptoLocker.
    • Encrypt data, computer disks, and wireless routers, default disabling of shared folders, identity-verification security questions.
    • Up-to-date network diagrams, physical access logs, and legal notices upon logging in.

5. Establish data logs:
Data logs are records of events created by a computer program that provide an audit trail. Data logs for web, client and server, operating systems, application, firewall, and mail and intrusion detection system should be in place, maintained, and tested. If a data breach occurs, it is important for firms to have data logs that allow a forensic investigator to determine the scope and cause of a data breach.

6. Security systems:
Both physical and electronic security systems are necessary to protect against data breaches. Besides electronic data breaches, many data breaches occur when physical paper documents or computers are lost or stolen. To guard against physical breaches:

  • Store all documents and equipment with personal information in a locked area with limited access;
  • Implement access controls to the firm;
  • Maintain offsite storage facilities;
  • Use overnight-shipping services that allow firms delivery;
  • Encrypt laptops to minimize consequences of a lost device.

7. Back-up firm data:
Do so at least daily, keep recent backups offline and handy, i.e., on flash drives.

8. Train employees to follow preventive measures:
Encryption, firewalls, and other electronic security, they can be
easily thwarted by “employee errors, non-digital (paper) records, rogue employees, mistakes by third parties (such as record storage firms), couriers and web hosts. Data breaches caused by third parties that handle data on a company’s behalf caused nearly 40% of the data breaches reported in the Ponemon Study. A company’s firewall or encryption can’t prevent the errors of others operating outside of the company. Negligence accounts for just over 40% of data breaches according to the study. If employees are not following preventative measures, a data breach remains a real possibility.”

VIII. Data Breach Response

Firms must take immediate action in the aftermath of a cyber-security breach. Efficient response to the breach and containment of the damage has been shown to significantly reduce the cost of a breach.

1. Develop an incident response plan
Firms should develop a data-breach-incident plan that will enable them to quickly respond to a data breach, train key management and employees, and periodically evaluate and update the plan. Regular data breach simulation exercises will allow the team to work together during a crisis, upgrade the incident response plan, and maintain firm-wide vigilance.

2. Confirm and contain
Determine the scope and cause of the breach. Details regarding the breach inform how the company must respond to prevent further intrusion and determine which records have been compromised. Data breaches range from orchestrated attacks on a company’s computer system to the loss or theft of storage media or computers. Companies must also be mindful that actions taken to respond to a breach could destroy information relevant to pinpoint the nature and cause of the breach itself.

3. Notification obligations
Companies must immediately determine if they are subject to federal and/or state notification requirements. Reporting requirements depend upon the type of information held by the company and the scope of the breach. 47 states, plus Washington D.C., Puerto Rico and the Virgin Islands, have regulations for notifying customers that their personal information was compromised in a data breach. Deadline requirements can be from 48 hours to “without reasonable delay”.

Federal laws containing reporting obligations include:

Health Insurance Portability and Accountability Act (HIPAA);

Health Information Technology for Economic and Clinical Health Act (HITECH Act);

Gramm-Leach-Bliley Act;

Federal Trade Commission Act; and

Fair Credit Reporting Act.

Business partners: because data is routinely shared between business partners, a data breach at one company can affect a number of other companies. Many contracts now require that business partners be notified of a data breach. Likewise, companies must be prepared for a data breach at any one of their business partners.

Individuals: notification to individuals whose personal information has been compromised is often, but not always, required. However, where sensitive information has been released, early notification to individuals allows the individuals themselves to take steps to mitigate the breach.

4. Insurance coverage
Companies should review all insurance policies to determine if and to what extent the company is covered for a cyber-security breach, and when and how to file claims. Companies can hedge the risks of a cyber-security breach by purchasing specific data-breach insurance known as “cyber liability insurance” or “cyber risk insurance.” Similar to any insurance plan, coverage varies, but may include coverage for regulatory fines and penalties, class-action lawsuits, and response costs.

5. Remedial actions
Companies should consider providing individuals whose financial data has been compromised with credit-monitoring services, identity-theft insurance, and/or replacement-card fees. Courts are beginning to hold companies responsible for customer costs resulting from a data breach. By offering immediate support to affected individuals, companies may avoid costly lawsuits and negative press coverage.

6. Customer inquiries
Once individuals are notified that they may be affected by a data breach, it is important to provide them with a means to contact the company with questions. To help restore confidence with individuals affected by the breach, companies should consider establishing a call center to respond to inquiries, and posting information and responses to frequently asked questions on a dedicated webpage.

Preventing a breach by the implementation of thoughtful cyber-security policies is the best outcome. But responding quickly, being as transparent about the breach as possible, and providing timely customer support are the keys to successfully managing a data breach if one should occur.

IX. Related Risks

A failure of network security can lead to not just a data breach, but destruction of data, data theft, i.e., of trade secrets; virus transmission and cyber extortion, i.e., an attempt to shut down a firm’s network down so it can’t conduct business, for either financial or political gain.

A privacy breach may involve a network security failure, but can also result from a breach of physical records, i.e., files tossed in a dumpster; human errors such as a lost laptop, sending a file full of customer account information to the wrong email address, returning a photocopier with a hard drive that contains unwiped customer records, or wrongful collection of information.


which of the personal, private, sensitive and confidential information listed below the Applicant collects, stores,
maintains or transmits:

Social Security Numbers Credit Card Information Medical Records

Financial Account Information Intellectual Property/Trade Secrets None

Please identify which of the security measures listed below the Applicant employs to prevent unauthorized access to paper/
physical personal, private, sensitive and confidential information. If other is checked, please provide details on a separate page.

Nightly Alarm system File Cabinet Locks None

Locking System On Doors Other (please explain)

which elements the Applicant employs to prevent unauthorized access to computers and networks. If “Other” is
checked, please provide details on a separate page.

Firewall Intrusion Detection System None

Virus Protection Software Other (please explain)

How often are virus definitions updated? If “Other” is checked, please provide details on a separate page.

Automatically when released by the manufacturer. Daily

Weekly Monthly


39. How often are updates applied to operating systems and application software? If “Other” is checked, please provide details on a separate page.
Automatically when released by the manufacturer. Monthly Weekly Other

40. Does the Applicant require the use of strong passwords (e.g. change of passwords on a periodic basis, use of numeric and alphabetic characters, prohibition of previously used passwords)? Yes No

41. Is all client personal, private, sensitive and confidential information stored on your computer system encrypted? Yes No
42. Is all client personal, private, sensitive and confidential information sent via email encrypted? Yes No
43. Is all client information stored on laptops, smartphones, PDAs, portable storage devices or other portable devices encrypted? Yes No
44. Does the Applicant maintain a wireless network? Yes No
If Yes, is the network encrypted using features such as WPA/WPA2, IPSEC, SSL or PEAP? Yes No
45. Within the last 5 years has the Applicant been subject to or suffered any losses or litigation from any (please check all that apply): Breaches of security?
Unauthorized acquisition, access, use, identity theft, mysterious disappearance, or disclosure of personal, private, sensitive and confidential information?
Violation of any privacy law, rule or regulation? Technology or extortion threats?
If Yes, please provide details on a separate page.

45. Is all client personal, private, sensitive and confidential information backed-up? Yes No If Yes, please provide the following details.
a. Back-up records are stored: Internally Externally
b. Back-up of records occurs: Daily Weekly Monthly Annually
c. If externally, are the back-ups stored in a secure offsite location? Yes No
d. Are electronic back-ups encrypted? Yes No
In the event of a business interruption, how quickly can the backup records be retrieved and operations restored?

Print Friendly, PDF & Email