Memo to Law Firms: Raise Cybersecurity Bar or Risk Client Losses


• Law firms with data breaches risk lawsuits from clients, damage to reputation
• Attorneys may face ethics discipline for failing to protect client data

Law firms may not be the safe repository of client confidences—such as trade secrets and merger plans—that they once were, as hackers recognize firms as prized vaults of proprietary corporate data.

If hackers want to get data from Alphabet Inc.’s Google, the best path may be through a law firm rather than directly from the company, because the law practice likely has an almost “unlimited variety of data,” Christopher Dore, privacy partner at plaintiff-side firm Edelson PC in Chicago, told Bloomberg Law.

“Law firms are ideal targets for hackers because of the sensitive nature and variety of information they collect and store,” Dore said.

Clients, for their part, view law firm data breaches or lax security as serious business considerations, Lucian T. Pera, legal ethics partner at Adam and Reese LLP in Memphis, Tenn. and former treasurer of the American Bar Association, told Bloomberg Law.

“Cybersecurity protections are becoming a serious factor in client decision-making,” at law firms, and large firms stand to lose business if they don’t take care of cybersecurity, he said.

Hackers over the last few years have focused on big law firms, including DLA Piper; Mossack Fonseca & Co; Cravath, Swaine & Moore LLP; Proskauer & Rose LLP; Weil, Gotshal & Manges LLP; and offshore account specialists Appleby Law Pllc. Bad actors have used phishing, malware, and ransomware strikes to pilfer sensitive client data, merger materials, intellectual property, and financial information.

Representatives from these law firms didn’t immediately respond to Bloomberg Law email requests for comment.

The state of law firm cybersecurity is troubling for corporate clients that have historically felt their information, worth up to billions of dollars, is in safe hands at their lawyers’ offices.

Law firms may face lawsuits from clients whose data are compromised. Regulatory enforcement actions are another potential fallout from a breach of client data. And individual attorneys may face ethics charges if they fail to reasonably protect client information.

Wake-Up Call?

Decades of cyberattacks on corporations and government should have been “a wake-up call for legal firms,” Justin Fier, director of cyber intelligence at cybersecurity consulting company Darktrace in Cambridge, U.K., told Bloomberg Law. They “must realize that no one is immune from attacks,” he said.

Many law firms fall short of “effectively protecting their clients’ data,” according to LogicForce’s fourth quarter 2017 law firm cybersecurity scorecard. Of those surveyed, only 31 percent reported formal cybersecurity training programs for their workers and just 41 percent reported that they have documented cybersecurity policies, incident response plans, and backup and restoration procedures.

The financial industry, which has been hard hit by data breaches, is perhaps the most similar to law firms in terms of the sensitivity of the data maintained.

Law firms should protect client data much like financial institutions, which often have advanced cybersecurity protections, Arik Solom, vice president of research and development at cybersecurity company Deep Instinct in Tel Aviv, Israel, told Bloomberg Law.

Big Law, Big Lawsuits

It is possible for big law to face lawsuits from clients and even other law firms if they have “lax data security practices or other actions that arise from a lawyer or firm mishandling client data,” Pera said.

Such cases aren’t just speculative.

Edelson filed a federal court complaint in 2016 on behalf of clients of Chicago-based law firm Johnson & Bell Ltd. for its alleged lax data security, which clients said put their data at risk. The complaint asserted that the law firm implemented outdated cybersecurity safeguards, didn’t properly patch system vulnerabilities, and didn’t encrypt sensitive law firm communications. The case has been referred to arbitration.

“Not all law firm data breaches have been disclosed,” Dore said. “There have been deliberate choices in the big law space to not provide public announcement about all breaches,” he said.

Law firms also could face federal regulatory enforcement actions from the Federal Trade Commission if they don’t sufficiently protect client data.

The FTC “has brought actions against law firms” on matters other than data security. That demonstrates the commission has jurisdiction over law firms and can pursue data security enforcement against them, Juliana Gruenwald Henderson, agency spokeswoman, told Bloomberg Law.

Ethical Standards

Failing to protect data from hackers may carry ethics consequences for individual attorneys.

In a May 2017 ethics opinion, the ABA Standing Committee on Ethics and Professional Responsibility wrote that lawyers may generally send client data over the internet if “the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access.” But lawyers may have to abide by industry-specific standards or take special precautions if a separate client agreement is reached, according to the opinion.

The ABA’s Cybersecurity Handbook states that lawyers should follow a fact-specific approach to each cyberthreat and make sure cybersecurity standards are updated in response to new developments. In some situations, encryption will be needed for certain clients and enhanced security safeguards may be needed in others, according to the ABA.

Under the ABA rules, a lawyer might lose his or her license over lax data security leading to a hack of client data, Pera said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com