While the consequences of data breaches in many industries include public embarrassment, business loss and fines, an informal survey of Tampa Bay area law firms suggests that cyber-attacks in the legal profession also risk significant real and punitive damages, loss of clients and even potential closure of the firm itself.
The poll findings, based on confidential interviews by IT assurance and compliance firm 360 Advanced with six Tampa Bay managing partners, suggest that while most of the large, multi-national firms headquartered in Tampa Bay have what they believe are adequate defenses against cyber-attacks, smaller firms may not.
“They think they can’t afford to have those controls in place, but the alternative is much more costly. They have the same risks we do,” commented one principal with a large national Tampa law firm. She said her firm spends “an enormous amount of energy and of money” on data security, both for the firm and its clients, and has invested even more recently as news of law firm breaches becomes more common. “This is only going to escalate as the bad guys follow the money,” she said.
Recent high-profile cyber-attack cases include a breach at Panamanian firm Mossack Fonseca, where millions of documents detailing offshore client holdings were made public. Last fall, the U.S. Attorney for the Southern District of New York announced indictments of data thieves who had used stolen information on upcoming M&A deals to profit on the stock market.
Eric Ratcliffe, Director of Client Development at 360 Advanced, said that because client data can be held for ransom, targets for cyber-thieves can also include firms handling confidential financial settlements in divorce or federal tax cases, patent applications, and critically sensitive personal injury and healthcare litigation, to name a few.
“We have a data privacy team dedicated to cyber defense and a secured operations center monitoring inbound threats,” commented a leading Bay Area attorney. “It’s a concern for everyone. Everyone is breachable. We are attractive targets.”
He pointed out that having an established, formal system of data protection that is regularly reviewed and tested can be a defense against a claim of liability, while the opposite is also true. “We prepare for the worst,” he said.
Another law firm principal, who is also a leading white-collar crime expert, commented that a cyber-breach of a client matter destroys trust and will inevitably lead to client loss. “When private matters become public, the future of your firm may be at stake,” he said.