5 Lessons From Law Firm Data Breaches
Law firms hold a treasure trove of sensitive information. Contact information. Personal data. Information that might be damaging to clients’ reputations. And yet, compared to other industries, many law firms don’t protect this information as securely as they should.
This lack of proper security has been demonstrated in the number of recent high-profile law firm data breaches (as well as those that go under the radar). In fact, research from the American Bar Association reported that 25% of law firms have already experienced a breach.¹
Without understanding the lessons from these law firm data breaches, firms will remain vulnerable to attack, putting their client data — and their firm’s reputation — at risk.
So how can law firms and legal departments make sure their security is up to scratch? In this post, we’ll talk about the key lessons learned from 5 data breaches, and give you solutions to help keep your data secure.
1. Appleby (Paradise Papers)
Hitting global headlines in 2017, the Paradise Papers are over 13.4 million confidential documents leaked from law firm Appleby. These documents contain information about wealthy individuals and companies using offshore “tax paradises” to avoid billions of dollars in taxes.
Notable names whose financial affairs were mentioned in the leak include mega-corporations like Facebook (Meta) and Twitter, and even royalty like Queen Elizabeth.
Little has been publicly revealed about how this attack happened, outside the law firm’s claim that the breach was not a leak but “an illegal computer hack” where their systems were accessed by an intruder.
The impact of the breach was huge. Not only was sensitive client information revealed, but the media coverage that followed, as Appleby described it, led to “irreparable damage” to the firm’s reputation.²
While the risks of an illegal computer hack, as Appleby called it, can’t be entirely avoided, they can be reduced.
- Secure storage: Storing and sharing sensitive legal information securely is an absolute minimum for law firms. Whatever platform you’re using to store data and information, this platform should have SOC2 certification to ensure your data security meets the highest standards. Many clients won’t consider working with a firm without it.
- Secure sharing: It’s one thing to store securely, but another to securely share that information across networks and devices. You might want to share information with clients and outside counsel. By using an encrypted collaboration platform, you can make sure that whatever information you share reaches the person you’re sending it to — and that person only — in a secure way.
Lupl holds a SOC2 accreditation so our users can store, manage, and collaborate on their legal work without compromising on security.
2. Mossack Fonseca (Panama Papers)
Perhaps one of the best-known law firm data breaches is the Panama Papers. 11.5 million documents, containing the personal information of public officials and well-known people, were leaked from Panamanian law firm Mossack Fonseca. The leaked documents revealed information about tax evasion, fraud and international sanctions. It was one of the largest data leaks ever.³
The breach happened due to a hack of the company’s email server. Data security experts found that Mossack Fonseca wasn’t securely encrypting its emails, alongside other security vulnerabilities within its network infrastructure. For example, some IT systems weren’t being kept up to date and their web portal was unpatched.
In short, their email was insecure and their IT was out of date.
Mossack Fonseca was once the fourth largest provider of offshore financial services in the world — but the financial and reputational damage inflicted by the data breach forced the company to close.
Legal still runs on email. But without up-to-date encryption and security, email can be insecure — as the Panama Papers showed.
- Safer collaboration: Collaboration is essential to law firms, but this doesn’t mean security has to be compromised. To prevent a breach, firms need to collaborate within a secure communication solution. By using a single unified platform instead of relying entirely on email, you remove loose ends such as unsecured email chains. And that means you reduce risk.
- Keeping your tech up to date: Hackers look for vulnerabilities in systems, and outdated systems are vulnerable. When new patches are released, they should be applied immediately.
3. Cravath, Swaine & Moore and Weil, Gotshal & Manges
It’s not just personal information that’s at risk — it’s sensitive information about mergers and acquisitions, too. Just ask law firms Cravath Swaine & Moore and Weil Gotshal & Manges, who suffered data breaches in 2014 and 2015.
Cyber attackers gained unauthorized access to the law firms’ email servers (can you see a trend here?), identifying information about upcoming merger plans.
Cravath, Swaine & Moore referred to the hack as a “limited breach” of their data — so imagine what a bigger breach might’ve meant. The law firms immediately brought in additional security measures, but not soon enough to prevent the breaches’ impact on the firms’ reputations.
As Preet Bharara, the U.S. Attorney for the Southern District of New York, said, the breaches should serve as a “wake-up call for law firms around the world.” So how can law firms gear up to protect their data and information?
- WhatsApp integration: 75% of clients and lawyers use WhatsApp — that’s the reality. It’s quick and easy, but insecure. Right? Wrong. By integrating WhatsApp into a secure communication tool that encompasses all your legal collaboration, you can use WhatsApp to send documents, trade comments and make changes — all while meeting compliance and sector security requirements.
- Heightened security standards: Whatever storage or communication platform you use, SOC2 is vital to delivering a solution built for the legal industry. Alongside this, you can put smaller measures in place. Before you send a document, new features notify you about who you’re sending the information to, so you can make sure it’s being sent to the right person — and sent securely. For extra peace of mind.
Lupl is now integrated with WhatsApp! So you can meet your clients where they are, with the security of end-to-end encryption.
4. McCarter & English
Breaches don’t just leak sensitive information: they can also stop law firms from being able to do their jobs. That’s what happened to New Jersey law firm McCarter & English. Earlier this year, they suffered a network security incident that impacted the availability of their computer system, including access to email and remote working tools.
While the firm claimed their lawyers’ ability to perform services for clients wasn’t significantly impacted, it was significant enough to hit the news. Meanwhile, employees claimed they had difficulty communicating with each other for nearly a week. Who knows what this lack of communication cost in terms of productivity and employee and client satisfaction?
McCarter & English immediately contained the security incident and shifted to a temporary email system to keep things running. Unfortunately, the law firm’s backup systems didn’t have up-to-date contact information, disrupting many employees’ ability to get on with their work until the issues were fully resolved.
- A modern, secure collaboration tool: People within a law firm need to talk to each other. They need to share know-how and information daily and from all over the world. A huge tech stack is not only hard to use, it can also be unsafe. By using a secure collaboration tool built for the sector that unifies your communication tools in one place, law firms can eliminate loose ends and keep everything integrated.
- Don’t rely on email: While email is important, you shouldn’t rely on it entirely. By securely integrating other communication channels into your legal platform, you can shift up to 75% of collaboration out of email, and send, receive and edit documents safely and securely.
5. DLA Piper
DLA Piper, one of the biggest law firms in the world, suffered a ransomware attack while its Ukrainian offices were performing a payroll software upgrade.
The attack was one in a string of ‘NotPetya’ malware attacks, designed to destroy files and give attackers the upper hand to request a ransom. That’s what happened here: the firm’s computer and phone systems were taken out by the malware, and the hackers demanded a ransom in Bitcoin to regain access.
For several weeks during and after the attack, employees couldn’t use the firm’s phone or email systems. How could a firm of this size, which had invested in cybersecurity measures and was considered to be a thought leader in the industry, suffer a breach like this?
Along with the impact on DLA Piper’s reputation, the firm incurred millions in lost business and recovery costs: the firm had to pay its IT team 15,000 hours of overtime to recover lost documents and repair its systems.⁴
The risk of data breaches can be reduced — significantly — but, as noted, they can’t be eliminated entirely. That doesn’t mean, however, that law firms can’t take steps to protect their servers, infrastructure and information from breaches.
- Security by Design: Phones and email systems are crucial to lawyers’ daily work. By using a communication platform designed with security as a priority — through continuous testing and adhering to best practices, known as Security by Design — you can rest assured that your communications channels are secure.
- Intuitive and simple technology: Yes, you need to invest in IT infrastructure that’s designed to prevent attacks. But you also need to use technology that’s simple and intuitive. Clunky and impractical tech is hard to get your head around. And many breaches are the result of human error. By creating simple processes, you reduce the likelihood of errors and — you guessed it — the likelihood of breaches. And seemingly micro changes like these can have big macro impacts.
Protect Your Law Firm Data
For any law firm that wants to protect their client data, cybersecurity isn’t optional. And it might not be optional from a legal standpoint for long either: New York State recently made it compulsory for attorneys to complete cybersecurity, privacy and data protection training as part of their legal education requirements.
But you shouldn’t wait until a breach happens or cyber training is a legal requirement to get cybersecure. Get prepared today.
Lupl is a Matter Management Platform that makes it easy to collaborate and manage legal documents from a single, centralized tool. More than this, the platform was built from the ground up with a Security by Design approach. Including:
- Full compliance with SOC 2 security standards
- File and communication encryption
- Integration with your Document Management System so that documents can continue to live in your secure document system
- An intuitive and simple design
- Reminders about who you’re sharing information with before you hit send
- Input from CISOs at major law firms and legal departments; approved by law firms, financial institutions and others all over the world
- A new feature update, enabling secure integration with WhatsApp
The reality is that your law firm needs to protect its sensitive client data with the same robustness and sophistication as other industries — perhaps even more so.