The news these days is filled with reports of significant data breaches. In fact, most experts opine that it is not a matter of “if” but “when” an entity will fall victim to a cyber-attack. Unfortunately, those in the legal profession are not immune to a data breach. What’s more, ethical obligations put lawyers and law firms at even greater risk for significant business, financial and reputational harm should they experience a cyber-attack. More firms are falling prey to schemes as simple as “phishing” tactics or as sophisticated as a coordinated cyber-attack, exposing client data that could include sensitive financial information, market-influencing mergers and acquisitions intelligence, and intellectual property from a patent filing. As a result, attorneys have both an ethical and legal duty to take reasonable steps to protect their clients’ sensitive personal data against a cyber-attack, or face serious ramifications.

Why Law Firms Are Prime Targets

Law firms are a soft target for hackers because they possess a large volume of critical data. For example, an attorney involved in a highly sensitive business transaction has access to information ranging from a client’s personally identifiable information (PII) to details of a business’s confidential transactions. Moreover, through discovery and the litigation process, law firms gain access to, among other items, their clients’ as well as adversaries’ PII, personal health information (PHI), and confidential financial information. Everything from trade secrets, to sensitive market-moving information about a company’s finances, to a client’s PHI occupies a law firm’s files and servers. Additionally, because attorneys tend to identify and isolate this information, hackers are able to quickly and efficiently locate this highly sensitive data. As such, by targeting law firms, cyber criminals have the ability to access a plethora of valuable information located in one place.