Law Firm Vulnerabilities: Why Bad Actors and Data Breaches Strike

By Brittany Demendi / Adlumin, Inc.
May 19, 2022

The legal system, in many ways, is the town hall of the economy, bringing together investors and businesses, filing IP and trademark applications, assessing compliance for regulatory bodies, interpreting statutes for their clients, and navigating complex legal proceedings. Law firms manage unparalleled access to confidential and valuable information. It’s a one-stop shop for lucrative data that attracts cybercriminals to law firms.

According to the American Bar Association (ABA), 25% of law firms were breached last year. Beyond the financial losses, the reputational damage can be fatal, and the trust relationship between client and attorney can be irrevocably harmed. This article will outline why law firms are being targeted and what types of insider threats to look out for going forward.

Why Are Law Firms Targeted?

Law firms are connected to many facets of the economy and are often considered softer targets than their clients. While firms can be small, their clients can be quite large or manage enormous sums of money. In essence, they are viewed as an easy target with an A-list of confidential and potentially damaging data, access to large funds, and a vector into their client’s operations:

  • DLA Piper suffered a public ransomware attack, resulting in the firm’s IT department putting in more than 15,000 hours of overtime for disaster recovery and shuttering operations across thousands of clients.
  • Some law firms oversee high-profile cases and names, making them a primary target. In 2020, Grubman Shire Meiselas & Sacks’, a law firm representing Hollywood A-listers and athletes, data was breached and held for a $21 million ransom. And, of course, there was the data breach that crumbled Mossack Fonseca at the heart of the Panama Papers.
  • Law firms have access to large amounts of money: trust funds, escrow accounts, etc.

Threats Law Firms Should Know About

Law firms don’t only have to mitigate risk from outside intruders, but they also need to ramp up security for protection against insider threats. In a previous blog post, we discussed how employees could be considered the weakest links. Insider threats can be classified into the following categories:

  • Employees fall victim to phishing or scams from an external source.
  • Employees use weak passwords or don’t adequately protect their equipment.
  • Employees exploit information, leak information to cybercriminals, carry information to a new job, or share data with personal systems.

Finding the perfect balance between protecting your firm’s assets or client information and making your employees feel trusted and valued can be challenging. Therefore, it’s essential to educate employees on cyberthreats to empower them while tightening up your security operations.

Law Firm’s Responsibility to Safeguard

While not directly regulated, a law firm’s obligations stem from three sources: ABA guidelines for attorneys, specific regulators that call out law firms as vendors of regulated entities, or the contractual obligations formed with their clients and their client’s compliance requirements.

The American Bar Association Model Rule of Professional Conduct covers attorney obligations to safeguard their clients’ information, uphold contractual agreements and even report specific cybersecurity incidents that could affect the client. These rules obligate managing partners and attorneys to hold themselves responsible for the conduct of the staff and non-licensed employees. When it comes to technology, the ABA requires attorneys to:

  • Employ competent and reasonable measures to safeguard the confidentiality of information relating to clients.
  • Communicate with clients about the attorney’s use of technology and obtain informed consent from clients when appropriate.
  • Supervise subordinate attorneys, law firm staff, and service providers to make sure that they comply with these duties.

Specifically, Formal Opinion 483 Oct 2018: Model Rule 1.4 requires lawyers to keep clients “reasonably informed” about the status of a matter and to explain matters “to the extent reasonably necessary to permit a client to make an informed decision regarding the representation.” And in response to the pandemic, the ABA issued Formal Opinion 498 Mar 10, 2021: The ABA Model Rules of Professional Conduct permit the virtual practice, which is technologically enabled law practice beyond the traditional brick-and-mortar law firm. When practicing virtually, lawyers must consider ethical duties regarding competence, diligence, and communication, especially when using technology.

Beyond the legal community, regulators extend their coverage to include law firms as vendors. In healthcare, HIPAA considers law firms as business associates with their set of rules for managing healthcare records, and the New York Department of Financial Services covers vendors such as law firms in section 11 of the 23 NYCRR 500 cybersecurity regulations.

Law firms need to equip their employees with the proper knowledge not to jeopardize their law firm or clients’ reputations.

The ABA adopted a resolution encouraging law firms to develop, implement, and maintain proper cybersecurity to comply with ethical and legal obligations. Many firms (big or small) look for external help when tightening up their security. They do not rely on one resource to secure their IT landscape. As an example, the ABA reported that 80% of law firms use third-party consultants/experts, IT staff, and a Chief Information Officer for their security needs.

Law firms should consistently evaluate their security posture to avoid insider slip-ups to determine where their gaps lie. The regulations that the ABA issues and compliance regulations provide a minimum standard for the industry. All parties should do their due diligence and strive for more robust protection as a matter of healthy client service.