Insight

Into the Breach

Data breaches have become inevitable. Here’s what you can do to respond.

Data Breaches
JE

John Ettorre

December 22, 2017 02:58 PM

For many years, data breaches were a subject discussed only within the IT industry. But as the sophistication of these attacks has grown and the costs associated with them has mounted, that has become a luxury no one can afford.

By 2012, with data breaches becoming such a common occurrence that they seemed all but inevitable, FBI Director Robert Mueller told an information security conference, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

With ever-evolving hacker sophistication, the philosophy for defending against data breaches has shifted.

Where IT security professionals might once have tried to erect impermeable walls around their systems, the emphasis is now on proper and timely detection and response to inevitable breaches.

Meanwhile, the prime targets are also changing. Major repositories of valuable commercial secrets—university labs, regulatory agencies, and corporate law firms—are increasingly being targeted by hackers intent on stealing clients’ secrets involving intellectual property or mergers and acquisitions. Government investigators believe, for instance, that the prominent M&A firms Cravath, Swaine & Moore and Weil, Gotshal & Manges were hacked for information that could be used for inside trading.

Wake-up Call

In the last few years, the scale of these breaches—and the consequent damage they can do to consumers’ privacy—has begun capturing wider attention.

A 2014 data breach at Home Depot potentially compromised the private information of 56 million individuals. Others followed at Chase bank (76 million), Anthem Blue Cross (as many as 80 million), and Target (110 million). The granddaddy was a breach of Yahoo’s system, which involved 1.5 billion user accounts.

The case involving the global law firm DLA Piper, which was attacked by ransomware in 2017 that all but shut down the firm for days, got everyone’s attention in the legal arena, says Sharon Nelson, an attorney who specializes in IT threat mitigation through her Virginia-based firm Sensei Enterprises.

“The DLA Piper leak was a showstopper for firms of all sizes. What we keep hearing is, ‘If it could happen to DLA Piper, what hope do any of us have when it comes to protecting client data?’”

What Not to Do

Given the ubiquity of the problem in recent years, endless suggestions have issued forth about what organizations should do in the wake of a data breach. So instead, we asked an expert for a quick rundown on some pitfalls you should avoid after an IT incursion. Here is Sharon Nelson’s list:

•Failing to notify the regional FBI office (some firms just call their local police departments).
•Failing to notify clients who may have been impacted in a timely manner.
•Failing to follow their state data breach notification law (many hide behind the “no one can ascertain for sure what data was compromised” argument).
•Moving too quickly to announce a breach, especially where there is no response plan in place and no facts have yet been gathered by digital forensics. Never let public statements outrun provable facts.
•Using IT generalist staff to conduct breach investigations rather than experts.
•Moving too slowly to announce the breach. It will look like concealment and have a bad PR response when and if the breach becomes public.
•Discussing the breach on social media. A carefully crafted statement on the website is a better idea.
•Failing to instruct employees on how to handle questions about the breach.

You’ll Need a Plan

The foundation of any organization’s effective data breach strategy should be having a solid incident response plan in place.

These IRPs would typically include such components as having a data breach lawyer and a digital forensic consultant lined up ahead of time and having internal IT systems logs and insurance coverage in place to cover such an eventuality, as well as a plan for containment of and recovery from the breach.

Even in the face of the mounting evidence that it’s disastrous to ignore proper IT security, many organizations continue to drag their feet.

Sometimes they’re forced to act by clients, who insist on security audits of their operations before doing business. “Client security audits have proliferated,” says Sharon Nelson. “This train is moving even faster than the adoption of incident response plans.”

Law Firms as Juicy Targets for Hacking

IF robbers target banks simply because that’s where the money is, sophisticated hackers often find law firms as an inviting target for similar reasons: they’re repositories of valuable information.

In 2009, the Federal Bureau of Investigation warned American law firms that they were being specifically targeted by hackers intent on breaching their computer security. Two years later, the bureau organized an educational meeting with the managing partners of top law firms, paying special attention to firms with offices in Russia or China.

If law firms needed that warning then, either about state-sponsored players or hackers with fewer resources, the threat is hardly news to them today.

After all, two-thirds of U.S. law firms were breached in 2016, and 18 firms reported losing a client after failing an IT security audit, according to one survey.1

An American Bar Association study2 found that 40 percent of firms that suffered a data breach in 2016 reported significant downtime and loss of billable hours.

The list of firms that have suffered breaches reads like a who’s who of marquee names. The Chicago-based firm Johnson & Bell was hit with a class action suit in late 2016 over its alleged failure to protect client information. The irony of the DLA Piper breach is that the firm promoted itself as a specialist in cybersecurity.

The Panama Papers case, which involved the leaking of 11.5 million legal documents from a Panamanian law firm that specialized in setting up offshore entities, represented an earthquake-sized wakeup call in the legal sector.

Related Articles

Bringing Cloud Liability Down to Earth


by Jim Steinberg and Lance McCord

Unlike most traditionally licensed software, cloud solutions also put the customer at risk by transmitting, storing, and processing the customer’s data outside of the customer’s networks.

Cloud Liability

Tampa Hospital Suffers Recent Data Breach


by Gregory Sirico

Tampa General Hospital, a non-profit research based medical center, suffered a sizeable data breach that put 1.2 million patients' information at risk.

Laptop reading hacked with translucent medical model in foreground

Are You Equipped to Manage the Internet of Things?


by Morgan Gebhardt

Are IoT technologies nice-to-have “apps” or necessary business components?

Manage the Internet of Things

Cyber School


by Elizabeth S. Fitch and Theodore M. Schaer

Cybersecurity and the Claims and Litigation Management Alliance’s School of Cyber Claims

Cyber School

Trending Articles

Introducing the 2026 Best Lawyers Awards in Australia, Japan, New Zealand and Singapore


by Jennifer Verta

This year’s awards reflect the strength of the Best Lawyers network and its role in elevating legal talent worldwide.

2026 Best Lawyers Awards in Australia, Japan, New Zealand and Singapore

Revealing the 2026 Best Lawyers Awards in Germany, France, Switzerland and Austria


by Jamilla Tabbara

These honors underscore the reach of the Best Lawyers network and its focus on top legal talent.

map of Germany, France, Switzerland and Austria

Effective Communication: A Conversation with Jefferson Fisher


by Jamilla Tabbara

The power of effective communication beyond the law.

 Image of Jefferson Fisher and Phillip Greer engaged in a conversation about effective communication

The 2025 Legal Outlook Survey Results Are In


by Jennifer Verta

Discover what Best Lawyers honorees see ahead for the legal industry.

Person standing at a crossroads with multiple intersecting paths and a signpost.

The Best Lawyers Network: Global Recognition with Long-term Value


by Jamilla Tabbara

Learn how Best Lawyers' peer-review process helps recognized lawyers attract more clients and referral opportunities.

Lawyers networking

Jefferson Fisher: The Secrets to Influential Legal Marketing


by Jennifer Verta

How lawyers can apply Jefferson Fisher’s communication and marketing strategies to build trust, attract clients and grow their practice.

Portrait of Jefferson Fisher a legal marketing expert

Is Your Law Firm’s Website Driving Clients Away?


by Jamilla Tabbara

Identify key website issues that may be affecting client engagement and retention.

Phone displaying 'This site cannot be reached' message

A Guide to Workers' Compensation Law for 2025 and Beyond


by Bryan Driscoll

A woman with a laptop screen reflected in her glasses

Medical Malpractice Reform Trends in Texas, Utah, Georgia and SC


by Bryan Driscoll

A fresh wave of medical malpractice reform is reshaping the law.

Medical Malpractice Reform Trends hed

Why Jack Dorsey and Elon Musk Want to 'Delete All IP Law'


by Bryan Driscoll

This Isn’t Just a Debate Over How to Pay Creators. It’s a Direct Challenge to Legal Infrastructure.

Elon Musk and Jack Dorsey standing together Infront of the X logo

Best Lawyers Launches CMO Advisory Board


by Jamilla Tabbara

Strategic counsel from legal marketing’s most experienced voices.

Group photo of Best Lawyers CMO Advisory Board members

Changes in California Employment Law for 2025


by Laurie Villanueva

What employers need to know to ensure compliance in the coming year and beyond

A pair of hands holding a checklist featuring a generic profile picture and the state of California

Common Law Firm Landing Page Problems to Address


by Jamilla Tabbara

Identify key issues on law firm landing pages to improve client engagement and conversion.

Laptop showing law firm landing page analytics

New Employment Law Recognizes Extraordinary Stress Is Everyday Reality for NY Lawyers


by Bryan Driscoll

A stressed woman has her head resting on her hands above a laptop

Best Lawyers Introduces Smithy AI


by Jamilla Tabbara

Transforming legal content creation for attorneys and firms.

Start using Smithy AI, a content tool by Best Lawyers

How to Create High-Converting Landing Pages for Your Law Firm


by Jamilla Tabbara

Learn how to create high-converting law firm landing pages that drive client engagement and lead generation.

Laptop screen displaying website tools to improve client conversion rates