On March 31, 2020, someone threw a rock through the window of Young, Cohen & Durrett and stole a hard drive containing clients’ names, addresses, Social Security numbers, and medical reports, according to a data breach notice the Sacramento boutique later filed with the California Attorney General’s Office.

There aren’t many romantics left in the criminal underworld of identity theft, but the new school of cybercrime has been far more effective at targeting law firms large and small since the onset of COVID-19. And although most hacks that expose personal data—and therefore get reported to state regulators and attorney general’s offices—have victimized small and midsize law firms, the November hack that hamstrung Cadwalader, Wickersham & Taft for weeks proved Big Law isn’t exempt from hackers’ global reach.