Cyber Security: A cyber security wake-up call for law firms

By Carl Mazzanti

In November, a Florida business law firm agreed to pay $8.5 million to settle a class-action lawsuit over a data breach that exposed the personal and health information of nearly 10,000 people, including current and former clients and employees.

Data breaches are distressingly, and increasingly, common in the legal industry. Even small firms hold large amounts of confidential client data and sensitive intellectual property, which makes them, along with medium- and large-sized firms, prime targets for cybercriminals.

While the potential for cyber attacks has become well known – in December, Moody’s Ratings predicted that cybercriminals would have their most active and aggressive year yet in 2025 – many firms are still putting their clients and their reputations at risk by not being ready for them. By working closely with an experienced cyber security provider, firms can establish the defenses they need against this threat.

High-profile attacks spotlight weaknesses

High-profile cyber attacks on major law firms include the 2020 attack on Grubman Shire Meiselas & Sacks, a New York entertainment law firm whose clients included Bruce Springsteen, Madonna, Elton John and Lady Gaga. The attackers exfiltrated a large amount of client data and demanded a ransom of $21 million.

Law firms have long been considered “low-hanging fruit” by hackers because of their sometimes lax cyber security practices. Many, especially smaller firms, do not use basic security measures such as multi-factor authentication (MFA) or apply system updates regularly. Legal professionals also often run outdated software or use personal devices for work, further increasing their exposure to attack.

The nature of the legal profession exacerbates these risks. The highly sensitive client information that firms handle, including financial data, trade secrets, and privileged communications, makes them especially appealing targets for cybercriminals seeking to extort ransoms or steal valuable data.

Even when firms do prioritize cyber security, the complexity of the legal industry’s networked environment complicates defense. Many law firms exchange data with third-party vendors, contractors and clients, and each of those connections is a potential entry point for attackers. Securing internal systems and the whole supply chain of digital partners is a significant challenge.

The financial and reputational costs of a cyber attack can be devastating for a firm. Direct costs include legal fees and settlements owed to those harmed by a breach, business interruption expenses and potential penalties levied by government regulators. Indirect costs may be even worse and harder to recover from, including damage to the firm’s reputation and the loss of clients’ trust.

Steps for improving cyber security in law firms

A layered approach that combines technical controls with organizational best practices is generally the best strategy for improving a firm’s security posture:

  1. Multi-factor authentication: This simple but strong control adds protection by requiring users to confirm their identity with more than just a password, which reduces the chance of a successful attack if a password is compromised. Phishing-resistant methods such as hardware security keys or passkeys are preferable to one-time codes sent by SMS or email, which attackers can intercept or phish.

  2. Periodic security audits: Regular audits identify weaknesses in a firm’s defenses. Audits should include vulnerability assessments and penetration testing.

  3. Staff training and awareness: Human error is often cited as one of the biggest weaknesses in law firm cyber security. Lawyers and staff should be trained in overall digital hygiene, spotting phishing attempts and best practices for safeguarding confidential data.

  4. Strong backup systems: Backups are critical in the event of a ransomware attack or data breach. Backup and disaster recovery plans help a firm recover quickly and reduce operational disruption. Backups should be kept offline or otherwise isolated from the production network, and restores should be tested regularly, since ransomware operators routinely try to delete or encrypt any backups they can reach before deploying their payload.

  5. Vendor risk management: Law firms often work with outside vendors. Assessing and managing the cyber security practices of these partners is important, since a breach at one of your vendors can quickly become a breach at your own firm.

  6. Legal and insurance protections: Firms should invest in cyber liability insurance and have a clear legal plan for responding to a cyber attack. Such a plan should include data breach notification and client communication procedures.

Looking ahead: The growing risk

The cyber security landscape is evolving rapidly, as are the tactics employed by wrongdoers.

Ransomware remains a major threat, and attacks are increasingly targeting law firms’ supply chains by exploiting weaknesses in third-party software or services. Firms must also ensure that the artificial intelligence tools and other new technologies they adopt are vetted and do not introduce new security risks to their operations, for example by sending privileged client material to an external service outside the firm’s control.

By working with a proven cyber security provider to strengthen and prioritize digital defenses, firms can avoid becoming the next victim of a cyber attack.

Carl Mazzanti is president of eMazzanti Technologies in Hoboken, N.J., providing IT consulting services for businesses ranging from home offices to multinational corporations. The company can be contacted at: 866-362-9926.
