The dangers of cyber breaches and how lawyers can avoid them

By Steve Couch, J.D., President and CEO, OBLIC

The practice of law traditionally poses plenty of challenges—knowing and keeping abreast of the latest case law and statutory developments, honing your craft and improving your skills, complying with procedural and professional rules, finding and selecting desirable clients, collecting a reasonable fee and many, many others. Until just a few short years ago, protecting attorneys and their firms—whether as an owner, manager or insurer—was largely focused on helping them avoid, manage, repair and respond to the occasional mistake committed while navigating these traditional challenges.

Enter computers, digital storage, the internet, emails, the “cloud” and ever-increasing, innumerable ways to conduct business faster and easier, and then add the widely unexpected, or at least under-appreciated, cybercriminal. Most law firms were not, and many still are not, truly prepared to defend themselves against the intentional actions of these unseen criminals. Unfortunately, customary loss prevention programs practiced by even the most sophisticated law firms were not designed to address this new risk.

Sure, it is easy to dismiss the highly publicized cyber breaches at Target (70 million records), JP Morgan Chase (76 million records), Myspace (164 million records), eBay (145 million records) and Yahoo (two breaches, 500 million and then one billion records) as not law firms and PII-rich targets (pun intended). Surely, the Democratic Party and John Podesta breaches ring a bell, but they were different—or were they?

Don’t know what “PII” means? Keep reading.

Law firms as targets

Hitting closer to home, do the breaches of the Cravath, Swaine & Moore and Weil, Gotshal & Manges law firms sound familiar? According to Fortune, these law firms were allegedly targeted by China because of the clientele of these firms and the potential gold mine of confidential information they maintained. The office of the U.S. Attorney for the Southern District of New York is apparently investigating.

And then there was the attack against Mossack Fonseca, a Panamanian law firm, widely referred to in the press as the “Panama Papers” story. More than 2.6 terabytes of data were stolen before the law firm realized there was a breach, and a crucial 11.5 million sensitive records were lost, leaving the law firm with difficult conversations to be had with some very unhappy clients.

Cyberattacks against law firms were first widely reported beginning in 2008, and the frequency of publicly known law firm breaches has steadily been growing. In fact, Cisco, in its 2015 Annual Security Report named law firms as the seventh highest target for cyber criminals in 2014.


The most common cyberattack reported by law firms is “spear-phishing,” an email that appears to be from a trusted individual or business that is known or familiar, but instead is from a criminal hacker who wants to gain access to your computer system or obtain information to enable the theft of financial, credit card or other confidential, valuable data. The email typically requests the addressee to click on an executable link that then “opens the door” to the hacker, launching spyware, malware or a Trojan Horse. Many times, the addressee opens this door without ever realizing anything untoward has occurred.


The kissing cousin of the “spearphishing” attack is the rather simple “phishing” attack. This email usually appears to come from a large and well-known company or website with a broad membership base, and like its cousin, asks the addressee to click on an executable link. Any law firm, no matter its size or sophistication, can fall victim to these types of attacks without proper loss prevention preparation and education.

Personally identifiable information

Cyber criminals are looking for all sorts of valuable information, from client confidential information to personally identifiable information (PII). PII can be used, directly or indirectly, or in combination with other information, to identify a particular individual. It includes:

  • A name, identifying number, symbol or other identifier assigned to a person;
  • Any information that describes anything about a person; and
  • Any information that indicates actions done by or to a person, and any information that indicates that a person possesses certain personal characteristics.

Some examples of personally identifiable information, as defined by Ohio Revised Code (ORC) 1347.01, are names, Social Security numbers, resumes, correspondence, addresses, phone numbers, driver’s license numbers, state identification numbers, professional license numbers, financial account information, medical and health information, physical characteristics and other biometric information, tax information, education information, individuals’ job classifications and salary information, performance evaluations, employment applications and timesheets. Does your law firm possess any of this type of data?

Law firms can be a perfect target

As law firms act as warehouses of client and employee data, they should recognize they are not immune to cyberattacks. Not only are they not immune, in many ways law firms are the perfect targets. Most, if not all, law firms possess some amount of the above-described personally identifiable information and, in many instances, vast amounts of such information, whether that of their clients, employees or parties and witnesses in litigation.


In addition to the phishing attacks previously described, law firms also commonly experience cyber breaches due to the loss or theft of a laptop, thumb drive, smart phone, tablet or other mobile device. If the information on the device was not encrypted and contained or had access to files containing any of the personally identifiable information described above, a breach has likely occurred. With access to office email and other law office networks, such theft can be an open door for cyber criminals to gain access to and steal confidential information.

Employee theft is also a significant risk within the law firm environment. Whether it is the theft of a laptop as described above, theft of the actual data itself or theft of user identifications and passwords, such can occur and often go undetected for a lengthy period of time. Such conduct can originate with an employee or can originate through outside parties who “influence” an employee in a compromised position (for various reasons), i.e., social engineering. Often, by the time such conduct is discovered, the stolen data has made its way to third parties for various nefarious purposes, usually including identity theft.

Attorneys’ responsibilities

Besides the common law duty owed by attorneys to protect the confidential information entrusted to them by clients, two additional sources of duties require attorneys to protect data: the Rules of Professional Conduct and federal and state law. Rule 1.6 of the Ohio Rules of Professional Conduct requires an attorney to maintain the confidentiality of information relating to representation of a client and Rule 1.9 requires the same for information of former clients. Rule 1.15 of the Rules of Professional Conduct requires that an attorney safeguard property of a client in his or her possession—a fiduciary obligation.

Most states and U.S. territories also have enacted data security breach notification laws. Ohio’s notification law, ORC 1349.19, applies to personally identifiable information of Ohio residents. It defines a “breach” as unauthorized access to and acquisition of unencrypted computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that results in, or is reasonably believed to cause a material risk of, identity theft or fraud to the person or property of an Ohio resident.

Pursuant to this law, a breach of security of the person’s or business’s data system must be disclosed to any resident of Ohio whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person, if the access and acquisition by the unauthorized person causes, or reasonably is believed will cause, a material risk of identity theft or other fraud to the resident. Disclosure is required to be made in the most expedient time possible, but no later than 45 days following its discovery or notification of the breach of the system, subject to the legitimate needs of law enforcement activities. Failure to comply with this notice requirement is subject to investigation and a potential civil action brought by the Attorney General.

Costs involved

The types of costs associated with a data breach can be many, beginning with the expenses associated with hiring a computer forensics expert to determine how much information was compromised, and most importantly, whose information was disclosed. This cost can range from a few thousand dollars to tens or even hundreds of thousands of dollars, depending on the breadth of the breach. Another typical cost is that associated with compliance with the notice requirements of the state(s) of residence for those persons whose information was disclosed, and depends largely on the number of records disclosed. This cost will also vary based on whether the notice can be sent electronically, whether it must be mailed, whether additional costs need be incurred to locate the persons whose information has been disclosed, and whether alternative notice or publication is necessary.

Once a breach is discovered, additional costs are often needed to repair any damage to the systems themselves, replace or restore software or data records that might be damaged or corrupted and block further access to the criminal(s) who obtained the personal information. These out-of-pocket costs do not include the potential damage to reputation caused by a breach, often occurring as a loss of trust of clients who entrusted their confidential information to the law firm. Most law firms will also experience some form of business interruption as a result of a data breach, as many hours will be devoted to investigating, responding to and repairing the breach. Finally, if clients sustain damage as a result of the data breach, such as damage to their credit resulting from identity theft or loss of funds from financial accounts, they may articulate a claim for negligence or malpractice.

Author Bio

Steve Couch is president and CEO of the Ohio Bar Liability Insurance Company.

This article was originally published in the May/June 2017 issue of Ohio Lawyer, the Ohio State Bar Association's member magazine.



Staff Directory

Contact Information


8 A.M. - 5 P.M.
Monday - Friday