Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Law Firm Breach Results in Michigan Title IX Lawsuits Leak

April 8, 2021

The State News (Michigan) reported on April 6 that Michigan State sent an email to just under 350 people on April 5, notifying them that Title IX case files from Michigan State were part of a data breach at Bricker and Eckler Law Firm, which assisted in Michigan State’s Title IX investigations, according to Michigan State’s Title IX Communications Manager Christian Chapman.

Bricker and Eckler is an Ohio law firm that is the parent company of INCompliance Consulting, which was hired by the University to assist in Title IX investigations and hearings.

Chapman said that because of the investigations into Larry Nassar’s abuse, the university was required to work with external investigators to help process cases involving policy violations, which could include cases surrounding relationship violence and sexual misconduct as well as anti-discrimination policies.

“INCompliance is the entity that we work with on some of those external investigations,” Chapman said. “Bricker and Eckler is their parent company or law firm, so to speak.”

Bricker and Eckler was hit by a ransomware attack between Jan. 14 and Jan. 31, which leaked personal information from its clients, including information from INCompliance Title IX investigations that they were a part of at Michigan State.

“So just to be completely clear, none of the MSU systems were accessed,” Chapman said. “It was just the Bricker and Eckler systems and the cases that they handled from MSU. So a small subset. It was less than 350 people affected. And the type of information were case files.”

Chapman said that none of Michigan State’s systems or resources have been affected by the leak and that they will continue to operate as usual.

Bricker and Eckler posted the following on their website:

“Bricker & Eckler LLP (“Bricker”), a full-service law firm with offices throughout Ohio, was recently the target of a ransomware attack. In the course of Bricker’s work on behalf of clients, it is at times provided access to personal information as a part of the client engagement. Bricker receives and utilizes this data solely in its representation of and to provide legal counsel to its clients.

What Happened?

On January 31, 2021, Bricker learned that it was the target of a ransomware attack. Upon learning of the incident, Bricker immediately took measures to contain the incident, launched an investigation, and third-party cybersecurity forensic experts were engaged to assist. Bricker also notified federal law enforcement.

The investigation determined that an unauthorized party gained access to certain Bricker internal systems at various times between approximately January 14, 2021 and January 31, 2021. Findings from the investigation indicate that the party obtained some data from certain Bricker systems during this period. Bricker was able to retrieve the data involved from the unauthorized party and has taken steps to delete the data. At this time, Bricker has no reason to believe this data was further copied or retained by the unauthorized party. Bricker conducted a thorough review of the data to identify individuals whose personal information may have been involved. On or around March 12, 2021, Bricker substantially completed its review of the data and began formally notifying clients of any client-related personal information included in these files.

What Information Was Involved?

The review determined that the data involved contained some personal information, including names, addresses, and in certain instances, medical-related and/or education-related information, driver’s license numbers, and/or Social Security numbers.

What We Are Doing

On April 6, 2021, Bricker will begin mailing letters to individuals whose information was involved and for whom Bricker has mailing addresses. Bricker also established a dedicated call center to answer questions about the matter.

To help prevent a similar type of incident from occurring in the future, Bricker implemented additional security protocols designed to enhance the security of Bricker’s network, internal systems and applications. Bricker will also continue to evaluate additional steps that may be taken to further increase Bricker’s defenses going forward. In addition, Bricker is continuing to support federal law enforcement’s investigation.”

My constant question is, “Did the bad guys keep a copy of the data?” The law firm says it doesn’t believe that they did, but how does one ever really know?

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson