Cyber Threats Rise and So Do the Legal Risks for Midsize Firms

BY DAVID L. BROWN

A six-lawyer New Jersey boutique; a 17-lawyer defense-side firm in the Chicago suburbs; a 60-lawyer New York law and lobbying firm; and a 30-lawyer full-service firm in Michigan. They all share a single problem: each suffered a data breach in the last year, and plaintiffs' lawyers targeted each for allegedly failing to protect client information from hackers.

The incidents—a mere sampling of recent cyberattacks—demonstrate that midsize and smaller firms are just as vulnerable to data breaches and potential liability as their Big Law brethren. They may be even more vulnerable than large firms. According to the American Bar Association’s most recent Legal Technology Survey Report, over one-third of firms with 10-49 lawyers reported a cyberattack. By comparison, less than a quarter of firms with 500 lawyers or more reported an attack.

As their technology risks continue to evolve, midsize and smaller law firms will need to be proactive in their efforts to secure client data by adopting robust cybersecurity standards, leveraging advanced technologies, training employees, and maintaining transparency. Otherwise, they may face an expensive and embarrassing reckoning with their clients and in the courts.

A GROWING NUMBER OF CLAIMS

Firms face a variety of potential claims for breaches. In a June article, Bressler, Amery & Ross attorneys Benjamin DiLorenzo, Diana Manning, and Kyle Valente, writing in Philadelphia’s The Legal Intelligencer, noted that “in the face of cybersecurity incidents, law firms and lawyers may face potential malpractice, negligence, and privacy-related claims…Clients and affected third parties may also file ethics complaints or grievances with state bar authorities… Further, there may even be grounds for statutory claims involving HIPAA and the like.”

Plaintiffs' lawyers have increasingly investigated and sued law firms for breaches that have exposed client data, including names, Social Security numbers, and other sensitive information. In April, for instance, Orrick, Herrington & Sutcliffe agreed to pay $8 million to settle class action claims stemming from a March 2023 data breach that compromised the personal information of more than 600,000 people. Kirkland & Ellis, the top-grossing law firm in the world, was drawn into a proposed class action in June over a data breach.

And judges are allowing suits to move forward. In just one example from June, U.S. District Judge Jorge Alonso of the Northern District of Illinois preserved a number of the negligence claims brought against Bryan Cave Leighton and snack food maker Mondelez International over a 2023 breach at the law firm. A proposed class of 51,100 current and former Mondelez employees accuses Bryan Cave and the company of failing to properly safeguard their data.

THE CASE FOR TRANSPARENCY

Data breaches, according to the Association of Corporate Counsel’s 2024 Chief Legal Officers Survey, are the top technology-related threat that chief legal officers are focused on mitigating in 2024. “Forty percent [of CLOs] say they plan on instituting new processes to help defend against these threats, yet just 9 percent are ‘very confident’ in their organization’s ability to mitigate emerging data risks,” the survey said.

Midsize and smaller law firms can help CLOs reduce this risk—and assuage concerns about the security risks posed by outside counsel—by being transparent about their efforts to curb cyber threats. This means not only implementing strong encryption protocols for data at rest and in transit but also clearly communicating these measures to clients. When clients understand that their data is encrypted and that the firm has adopted a "Zero Trust" security model—where no user or device is trusted by default—they can feel more assured that their information is secure.

Firms should also consider providing clients with regular updates on their cybersecurity practices, including any incidents that occurred and the actions taken to address them. This level of openness not only builds trust but also demonstrates that the firm is proactive in protecting client data.

COUNTERACTING THREATS

To counteract growing cyber threats, smaller and midsize law firms should consider:

1. Cultivating a Culture of Vigilance: Cybersecurity training must be a continuous endeavor. Regular training sessions on recognizing phishing attempts, maintaining updated software, and adhering to stringent password policies can significantly mitigate risks. (The Cybersecurity and Infrastructure Security Agency (CISA) offers comprehensive training resources that can be tailored for law firms.)

2. Implementing Robust Security Protocols: Law firms should integrate advanced encryption, access controls, and intrusion detection systems. Regular vulnerability assessments and penetration testing can help identify and address potential weaknesses before they are exploited. For guidance on best practices, the National Institute of Standards and Technology provides a detailed cybersecurity framework.

3. Prioritizing Incident Response Preparedness: Developing and regularly updating an incident response plan ensures a swift and effective reaction to cyber threats. A plan should include procedures for detecting, containing, and recovering from incidents. Organizations like the SANS Institute offer resources and templates to help firms craft robust incident response strategies.

4. Embracing Emerging Technologies: Leveraging artificial intelligence (AI) for threat detection and blockchain for secure transactions can enhance defenses against sophisticated cyber threats. AI technologies can identify anomalies in network traffic that may indicate potential breaches, while blockchain offers immutable records of transactions, reducing the risk of data tampering.

With the potential for serious financial, reputational, and legal consequences, firms that fail to invest in advanced security measures, employee training, and transparent communication with clients are placing themselves—and their clients—at significant risk. Taking proactive steps to safeguard sensitive information can help firms reduce cyber threats and demonstrate their commitment to protecting their clients' interests in an increasingly complicated and sometimes dangerous digital world.

Do you have questions, feedback, or topics you would like The Edge to cover? Send a note to david@good2bsocial.com.