Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Law Firm Data Breaches Increasing in 2023

July 11, 2023

Bloomberg Law reported on July 7 that law firms are increasingly the target of cyberattacks. Thus far in 2023, five class actions have been filed alleging that law firms failed to adequately protect the confidential information of clients.

It is logical that they should be targets – far beyond their own valuable data, they hold the valuable data of many other entities. It’s a gold mine for cybercriminals.

Five class action cases have been filed this year against Bryan Cave; Cadwalader, Wickersham & Taft; Smith, Gambrell & Russell, and two smaller firms—Cohen Cleary and Spear Wilderman, all claiming that the firms didn’t provide sufficient protection against the possibility of cyberattacks.

We hear about law firm data breaches much more often than previously. Cybercriminals have gotten access to different types of data including “personally identifiable information,” (PII) from former employees of firm clients, among others. Proskauer Rose, Kirkland & Ellis, K&L Gates, Loeb & Loeb, and Orrick Herrington & Sutcliffe were targeted along with a number of other law firms.

Some law firms, such as Covington & Burling, are under attack from government regulators over failure to disclose the extent to which clients have been harmed by cyberattacks. The Securities & Exchange Commission subpoenaed Covington in January based on a 2020 cyber hack that may have resulted in client data being stolen.

Kevin Rosen, a partner at Gibson, Dunn & Crutcher, said large law firms have talked to him in recent months about responding to the damage both they and clients may have undergone from cyberattacks and how to handle potential lawsuits.

Rosen represents Covington in its battle against the SEC’s demand to release names of 298 publicly traded clients whose information may have been exposed in the 2020 cyberattack.

The rate of global weekly cyberattacks rose by 7% in the first financial quarter of 2023 compared with the same period in 2022, according to an April report by cybersecurity firm Checkpoint Research.

Checkpoint found that organizations suffered an average of 1,248 attacks a week. One stat that all law firms should note: One out of every 40 of the attacks targeted a law firm or insurance provider.

Most firms lack economies of scale, or budgets, to invest sufficiently in cyber defenses, said law firm consultant Kent Zimmermann of the Zeughauser Group. This makes them “soft underbelly” targets of hackers seeking client data, because firms “know where the market-moving information is,” he said.

Jones also said law firms often make client information accessible throughout the firm, which makes it hard to build adequate security.

“Balancing maximum security and being able to readily share data creates a certain level of risk,” Jones said. “A lot of law firms really struggle with this.”

From our foxhole, there are many firms which are reluctant to adequately budget for cybersecurity – or to deal with the fact that there are now mandatory elements of cybersecurity, some of them required by cyberinsurance providers, which are essential to adopt to adequately protect the law firms’ data and that of their clients.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email:  Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology