Law Firms are Attractive to Hackers

It's Time to Evaluate Cyber-Risk Seriously—and Take Serious Steps to Mitigate Potential Losses


Joel Neckers | Partner

Too many law firms have only minimal safeguards to protect computer systems and client data. That needs to change.  

Home Depot. Target. Neiman Marcus. JP Morgan Chase. The U.S. Government. These entities have one unfortunate thing in common: they have all been victims of hackers and ultimately suffered massive data breaches. Add Mossack Fonseca and Johnson & Bell, and it is clear the legal world also has much to fear from cybercrimes.

Lawyers often rank maintaining client relationships, protecting client information, and safeguarding their firm’s brand and reputation near or at the top of their respective priority lists. Despite this, and despite the ever-increasing list of companies whose IT systems have been breached, many law firms have only minimal safeguards in place to protect their IT systems. Fewer still have plans in place to address an actual breach.

It may be tempting to hope hackers will prey on high-profile corporate clients. But ignoring the potential risks to even small law firms is no longer an option. Law firms of all sizes must use appropriate technology to protect IT systems (and thereby clients’ data) and design plans to deal with the worst-case scenario of a data breach. Moreover, this is not an issue to delegate blindly to IT departments. Data security begins at the top, with firm management, and flows down to every employee at every level.

The Tip of the Iceberg

Hacks are on the rise. A recent ABA survey indicates that 25% of firms with more than 500 attorneys experienced some form of data breach in 2016, continuing a steady rise over the last several years. The infamous “Panama Papers” leak, following the breach of the Mossack Fonseca data system, resulted in the exposure of 11.5 million documents. In 2015, California-based Ziprick & Cramer was the victim of a ransomware attack. A hacker or hackers installed software on the firm’s server (likely enabled when an attorney or staff member clicked a link in a phishing email), blocking the firm from accessing its own data. The hackers demanded the firm pay a ransom to get its data back. The firm refused and reported the incident to the California attorney general’s office.

More than a quarter of large firms experienced some form of data breach in 2016.

In late 2016, three Chinese nationals were criminally charged for hacking into seven law firms and using confidential client data to make $4 million on trades from the illegally-obtained information. Their method of attack: targeting the email accounts of leading partners with big clients handling high-profile transactions. “This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world,” said then-U.S. Attorney Preet Bharara. “You are and will be targets of cyberhacking because you have information valuable to would-be criminals.”

These cases are likely only the tip of the iceberg. Indeed, we rarely hear about the daily attacks on smaller firms or smaller, less dramatic breaches. But for attorneys entrusted with client information, there is no such thing as a “minor” breach. If these issues are not keeping you up at night, they should.

Protecting Client Data

A new comment (Comment 8) to ABA Model Rule 1.1 states that, to provide competent representation, lawyers must have a basic understanding of the benefits and risks associated with the use of technology. Many states, including Colorado, have adopted or are in the process of adopting the new comment. Rule 1.6 requires lawyers to maintain the confidentiality of client data. This includes—at least arguably—installing safeguards to ensure client information is not compromised. Having handled numerous malpractice cases for lawyers and law firms across multiple jurisdictions, we can tell you that ignorance of your firm’s data storage practices, and any associated risks, will not be a viable defense if your firm is hacked.

Hackers may target data for a variety of reasons:

  • to leverage information for monetary gain;
  • to obtain adverse information about a company or individual targeted out of animus; or
  • for whistleblowing purposes or to expose sensitive or potentially damaging material.

These are just a few potential motivators. Understanding the nature of the client data your firm harbors is essential to evaluating risk and taking appropriate precautions to strengthen systems and protect your clients, and your firm, from risk.


So where does that leave, or lead, us? For starters, law firms and firm counsel must acknowledge that their vulnerability stems more from the data they receive from the clients they serve than from the law firms themselves. As such, law firms should analyze each client relationship and take steps to ensure they are appropriately safeguarding that data.

Consider the following basic questions:

  1. How is data maintained?
  2. Is data compartmentalized or stored in only one location?
  3. Does some data require additional security, for instance, regarding particularly sensitive cases, transactions, or clients?  

The answers may inform your firm’s data protection solutions. Obviously, large firms with many employees handling data for multinational corporations will need more sophisticated systems than small or solo firms handling mostly individual legal matters. Every firm, however, needs some system in place. If something does go wrong—and your firm finds itself defending against legal malpractice claims—it will be important to at least show what efforts your firm and lawyers made to safeguard your client’s data.

Consider Shore v. Johnson & Bell, filed in 2016 in the Northern District of Illinois, and now pending in a confidential arbitration. In that case there was no actual loss of client data. (Take a moment and let that sink in.) Rather, the lawsuit was based on perceived vulnerabilities in the law firm’s data security system. We may never know the outcome of this matter, but the fact that it was filed at all should be a wake-up call to every lawyer and law firm.

Final Suggestions

Law firm management should coordinate with IT professionals to gain a better understanding of their systems, the vulnerabilities of those systems, and their lawyers’ data practices.

In addition, lawyers must be thoughtful in their daily approach to the practice of law:

  • Tread carefully when using cloud storage, and only use firm-approved storage systems that have been vetted, monitored, and maintained by the firm’s IT professionals.
  • Relatedly, do not use independent and unsecured cloud accounts for storage of client documents.
  • Consider secure offsite backup or removable hard drives to ensure data recovery in the event of a ransomware attack or system failure.
  • Wait until you have a secure connection before accessing sensitive projects. We have all used unsecured Wi-Fi at some point, but before you work, ask yourself: is it really worth the risk?

The days of hackers overlooking law firms are over. Recognizing that we are all vulnerable to these types of attacks is the first step toward implementing practical solutions to address them.

Defending Lawyers & Law Firms When it Matters Most

Wheeler Trigg O'Donnell defends lawyers and law firms against high-stakes professional liability claims. Our team has successfully represented lawyers and law firms in at least 12 states.

In the past three years alone, WTO has won for lawyers and law firms in the Colorado Supreme Court, the Tenth Circuit Court of Appeals, and numerous state district and appellate courts.

Recent victories include:

  • Won a landmark federal case in Illinois defining the obligations of lead and liaison counsel in multidistrict litigation.
  • Obtained summary judgment for a national legal malpractice carrier in an attorney-lien enforcement action in Wyoming district court. In this matter of first impression, the Court held that the plain language of the statute precluded the plaintiff law firm's attorney-lien and constructive fraud claims. As the prevailing party under the statute, WTO obtained a significant award of attorneys' fees and costs for its client.
  • Won a complete defense verdict for a lawyer and law firm accused of malpractice in the handling of a sale of interests in the plaintiff's company.
  • Obtained Rule 12 dismissal for an AmLaw 200 firm facing claims exceeding $500 million in state court in Kentucky.
  • Won a complete defense verdict in a professional liability claim against a law firm and lawyer. The plaintiff alleged that WTO's client was negligent, yet the jury found that not only was our client not negligent, but that the alleged negligence didn't cause the claimed damages.

We understand how personal these claims can be. We also appreciate that staying out of court may be a client’s ultimate goal. Whether you wish to resolve claims creatively and discreetly or defend them vigorously before judge and jury, WTO will help.

About Wheeler Trigg O'Donnell

Wheeler Trigg O’Donnell lawyers have taken more than 1,100 trials, arbitrations, and appeals to verdict, award, or opinion all across the nation, with exceptional results for our clients.

Established in 1998, WTO numbers more than 100 lawyers in three offices. The firm represents sophisticated clients in high-stakes civil trials, appeals, and related litigation ranging from complex commercial to class actions to multidistrict litigation.