Business of Law Firms:
Law Practices and Cybersecurity Risks

By Jake Rickman

What do you need to know this week?

This week’s The Business of Law Firms series looks at the role cybersecurity plays in a law firm’s risk mitigation and what the consequences are when a law firm suffers a breach.

On Monday, Law.com reported that Bryan Cave Leighton Paisner (BCLP) has been sued in a class action lawsuit filed in the United States. The lawsuit is brought by current and former employees over claims that BCLP was responsible for a massive data breach that resulted in the personal data of more than 50,000 employees of BCLP’s client being accessed by hackers.

BCLP’s client, Mondelez, instructed BCLP to advise the snack food conglomerate on data and privacy matters. The claimants in the class action (or plaintiffs, as they are known in US court jurisdictions) have brought claims of negligence, breach of implied and express contractual terms, unjust enrichment, and invasion of privacy.

Wisconsin law firm Turke & Strauss represents the plaintiffs.

Why is this important for your interviews?

Cybersecurity breaches are among the top risks facing nearly all businesses, including private practice law firms. The fact that BCLP was instructed to advise Mondelez on data and privacy matters but ended up exposing its client’s employees to a massive data breach is ironic, to say the least.

BCLP is now facing a claim worth millions of dollars and unquantifiable damage to its reputation. Understanding how this situation fits in with current industry practices on managing cybersecurity risks will enhance your understanding of the challenges and threats facing law firms today.

Law firms store the most sensitive of their clients’ information on their own servers. This makes law firms obvious targets for hackers looking to target valuable businesses. A report released by the Solicitors Regulation Authority (SRA) last year identified three key IT threats facing law firms:
  1. Phishing and email modification frauds designed to trick client personnel into transferring client money to individuals impersonating the client’s legal adviser;
  2. Ransomware, where hackers gain access to a law firm’s IT system to steal data or otherwise prevent the firm from accessing its servers, seriously hampering a firm’s ability to do business; and
  3. Attacks on third-party IT service providers.

Law firms have responded by retooling their IT systems to prioritise cybersecurity. Law firm personnel, including trainee solicitors, also receive extensive awareness training to minimise the risk that they inadvertently give hackers an opening to exploit.