Cyber attacks on law firms are more common than ever. How can we protect our data, attorneys, and clients?

In today’s digital world, all types of organizations are vulnerable to cyber attacks. However, law firms are seeing cyber attacks more frequently, especially during the pandemic.

Due to the nature of their work, law firms collect large amounts of confidential information and data, which makes them an attractive target for attackers. They often balance several projects for one client, and have many attorneys working on different client matters at the same time.

Most of their business is done over email, and attorneys are constantly sending and receiving documents between themselves and their clients.

According to the American Bar Association’s (ABA) 2020 Cybersecurity Survey, 29% of respondents had experienced some type of security breach. 36% of respondents reported having systems infected by viruses, spyware, or malware.

Even more concerning, many firms don’t know if they’ve ever encountered a security breach – 21% reported that if they have been breached, they weren’t aware of it. 

Typically, the larger the firm, the more likely they are to be unaware of an attack. Only 1% of solo-practitioners, compared to 62% of firms with 100+ attorneys, didn’t know if they had experienced a breach.

When data is breached, the consequences are grim – not only can the firm’s reputation be irreparably damaged, but there are often financial losses as well. These losses can include the cost of repairs, system downtime that cuts into billable hours, and the replacement of hardware and software.

A data breach doesn’t only affect the law firm; it affects its clients as well. When Grubman Shire Meiselas & Sacks, a top entertainment firm, was breached in May 2020, the hackers leaked Lady Gaga’s legal documents after demanding a $42 million ransom. An attack like this would obviously damage a firm’s credibility and cause it to lose current and potential clients.

Despite the effects of cyber attacks, the ABA found that fewer than half of respondents are using security tools. 39% use email encryption and 43% use file encryption. Only 39% were using two-factor authentication, 29% were using intrusion prevention or detection, and 28% were using remote device management and wiping.

Since cybersecurity is such a huge issue for the legal industry, what more can firms be doing to better protect themselves and their clients?

According to Bloomberg Law, there are a few best practices every firm can have in place to prevent and prepare themselves for a cyber attack:


Regular security audits: Firms should conduct audits to fully understand how they can be vulnerable to a security attack. An audit can look at who has access to secure information and evaluate the technology solutions that are already in place. Third parties can also do comprehensive scans of a firm’s networks and systems to detect any hidden threats and remedy them before they become a breach. A couple of recommendations within the Omaha area are EGIS Technologies and 12 Points Technology.

Have a security expert on staff: For a larger firm, having a dedicated security officer can help provide the resources needed and consistently ensure that the security plan in place is functional and follows the firm’s overall strategy. Some options are Reditech, EGIS Technologies, and Syxsense (not local to the Omaha area).

Reduce risk of insider threats: About one-third of all data breaches are caused by insiders, so it’s important to manage this risk. A few ways to do this are limiting user access to information to those with a need to know, installing endpoint detection applications, and encrypting information at the device and document levels.

Have a response strategy in place: It’s not a matter of if, but when, a breach will occur – so having a plan that includes internal, as well as external, teams is essential. 

A couple of other easy best practices to implement with internal teams are to ask that all of their devices be locked when not in use (even personal ones), and to use unique passwords that are updated regularly.

In conclusion

Cybersecurity attacks have become more prevalent among law firms over the past few years, and the consequences of these breaches can be detrimental to firms. With some best practices and security hygiene in place, firms can help to prevent breaches and detect any threats before they become an issue.
