Potential Law Firm Liabilities for Data Breaches are Dire

2024/07/26

Jason Frocht

The recent CrowdStrike global IT outage is an important wake-up call for service providers across the business spectrum. Insurers, airlines, and payment processors were all hit by the outage. Law firms, however, are the most exposed focal point for legal action at the center of cybersecurity. Beyond the recent outages at Kirkland & Ellis lies evidence of a distinctly more worrisome trend for law firms: cyber-attacks against them are on the rise, and firms make a tempting target. So far in 2024, at least 21 law firms have filed data breach reports with state attorneys general offices. By comparison, 2023 saw 28 law firm breach reports, 2022 had 33, and 2021 had 38.[1]

Cost of Compromised Data

Data breaches and the hacking of law firms are concerning trends in isolation, but they are compounded by law firms now finding themselves targets for litigation, both by their clients and by regulators. As detailed in a 2023 Bloomberg Law report, five class action cases filed against Bryan Cave; Cadwalader, Wickersham & Taft; Smith, Gambrell & Russell; and two smaller firms—Cohen Cleary and Spear Wilderman—claim that the firms were negligent in managing their clients’ personally identifiable information. Although several of these lawsuits were dismissed for reasons such as lack of standing,[2] the situation is only getting worse. For hackers, large law firms are a one-stop shop, “serving as filters of low-value material, because [firms] will tend to receive from its clients and store only a subset of their vast information, namely, the valuable portion of it . . .”[3]

Breach reports by law firms continue to rise because the potential financial rewards of gaining access to firms’ proprietary information and client data make them a tempting target. Worse still, an IBM report details the costs associated with breached information: customer and employee PII cost firms $183 and $181 per lost record respectively, a cost passed on as part of an overall increase in the price of their business offerings to compensate for such damages.

Firms’ Public Breach Reports

Law firms and legal practitioners would be well advised to engage third-party cybersecurity providers who can offer a holistic suite of services. In the recently dismissed litigation against Bryan Cave, a single client breach led to the loss of PII for 51,100 individuals associated with the client. At $183 per individual, that represents $9.2 million in actual damages, before any punitive damages associated with claims of negligence, court costs, or reputational harm to the firm. There are solutions to this developing trend of breaches that can help ameliorate the growing threat to the industry. For example, if firms anonymized this data, they would save 30% per record on the cost of a breach.

Anonymizing user data means removing or changing personal information in a way that prevents someone from identifying the person it belongs to. Here’s how it works in simple terms:

  1. Remove Identifiers: Take out names, addresses, phone numbers, and other direct identifiers from the data.
  2. Mask Details: Replace specific information with codes or general terms (e.g., “John Doe” becomes “User123”).
  3. Aggregate Data: Combine information so individual details are not visible (e.g., showing total sales in a region instead of individual purchases).
  4. Add Noise: Introduce random changes to the data to obscure exact details while keeping overall trends.

This process helps protect individuals’ privacy while allowing the data to be used for analysis or research.
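The four steps above, applied end to end to a constructed set of client records, as an added example that is not part of the original post. The records, the salt, the noise scale, and the small-group threshold are all assumptions for illustration; the aggregation step goes slightly beyond the list by pooling regions with too few records, since a total over one person is just that person's amount.

```python
import hashlib
import random
from collections import defaultdict

# Constructed sample client records; names, emails and phones are made up.
RECORDS = [
    {"name": "John Doe", "email": "jdoe@example.com", "phone": "555-0101", "region": "IL", "amount": 1200.0},
    {"name": "Jane Roe", "email": "jroe@example.com", "phone": "555-0102", "region": "IL", "amount": 800.0},
    {"name": "Ann Poe", "email": "apoe@example.com", "phone": "555-0103", "region": "NY", "amount": 2500.0},
    {"name": "Bob Loe", "email": "bloe@example.com", "phone": "555-0104", "region": "NY", "amount": 1500.0},
    {"name": "Cy Moe", "email": "cmoe@example.com", "phone": "555-0105", "region": "TX", "amount": 300.0},
]
DIRECT_IDENTIFIERS = ("name", "email", "phone", "address")

def pseudonymize(record, salt):
    """Steps 1 and 2: drop direct identifiers and replace the name with a
    code such as User123. The code is a salted hash, so the same person gets
    the same code across files, but the salt (stored apart from the data)
    stops anyone from rebuilding the mapping by hashing guessed names."""
    digest = hashlib.sha256(f"{salt}:{record['name']}".encode()).hexdigest()
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["user"] = "User" + digest[:6]
    return out

def aggregate_by_region(records, min_group=2):
    """Step 3: report totals per region rather than per-client amounts.
    Regions with fewer than min_group records are pooled into OTHER."""
    totals, counts = defaultdict(float), defaultdict(int)
    for r in records:
        totals[r["region"]] += r["amount"]
        counts[r["region"]] += 1
    out = {}
    for region in totals:
        key = region if counts[region] >= min_group else "OTHER"
        out[key] = out.get(key, 0.0) + totals[region]
    return out

def add_noise(totals, scale=50.0, seed=None):
    """Step 4: add Gaussian noise to each total so exact figures (and hence
    individual contributions) cannot be read back out. The seed exists only
    to make this demo reproducible; do not fix it in real use."""
    rng = random.Random(seed)
    return {k: round(v + rng.gauss(0.0, scale), 2) for k, v in totals.items()}

def anonymize(records, salt, seed=None):
    """Run all four steps; returns (pseudonymized rows, noised regional totals)."""
    rows = [pseudonymize(r, salt) for r in records]
    return rows, add_noise(aggregate_by_region(rows), seed=seed)
```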

  1. Dan Roe, ‘Law Firm Data Breach Reports Show No Signs of Slowing in 2024’, May 23, 2024.

  2. In Re: Bryan Cave Data Breach Litigation, Case No. 23 C 4249, Am. Compl., June 3, 2024.

  3. Eli Wald, Legal Ethics’ Next Frontier: Lawyers and Cybersecurity, Chapman Law Rev., April 19, 2016, p. 505 (while Wald specifically uses this term in the context of large law firms, he also states: “Yet, this is not to suggest that small law firms and solo practitioners who tend to represent small businesses and individual clients are not valuable depositories of client information. Rather, these lawyers may feature a different value proposition for hackers. For example, some of their clients may not ordinarily store sensitive information electronically and, thus, may be immune to cyberattacks. Yet, in the context of negotiating a transaction or bringing or defending a lawsuit, such clients are likely to collect information and then send it to their lawyers, who are likely to store it electronically, thus making the latter likely targets for cyberattacks.”)