Insight

Into the Breach

Data breaches have become inevitable. Here’s what you can do to respond.

Data Breaches
JE

John Ettorre

December 22, 2017 02:58 PM

For many years, data breaches were a subject discussed only within the IT industry. But as the sophistication of these attacks has grown and the costs associated with them has mounted, that has become a luxury no one can afford.

By 2012, with data breaches becoming such a common occurrence that they seemed all but inevitable, FBI Director Robert Mueller told an information security conference, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

With ever-evolving hacker sophistication, the philosophy for defending against data breaches has shifted.

Where IT security professionals might once have tried to erect impermeable walls around their systems, the emphasis is now on proper and timely detection and response to inevitable breaches.

Meanwhile, the prime targets are also changing. Major repositories of valuable commercial secrets—university labs, regulatory agencies, and corporate law firms—are increasingly being targeted by hackers intent on stealing clients’ secrets involving intellectual property or mergers and acquisitions. Government investigators believe, for instance, that the prominent M&A firms Cravath, Swaine & Moore and Weil, Gotshal & Manges were hacked for information that could be used for inside trading.

Wake-up Call

In the last few years, the scale of these breaches—and the consequent damage they can do to consumers’ privacy—has begun capturing wider attention.

A 2014 data breach at Home Depot potentially compromised the private information of 56 million individuals. Others followed at Chase bank (76 million), Anthem Blue Cross (as many as 80 million), and Target (110 million). The granddaddy was a breach of Yahoo’s system, which involved 1.5 billion user accounts.

The case involving the global law firm DLA Piper, which was attacked by ransomware in 2017 that all but shut down the firm for days, got everyone’s attention in the legal arena, says Sharon Nelson, an attorney who specializes in IT threat mitigation through her Virginia-based firm Sensei Enterprises.

“The DLA Piper leak was a showstopper for firms of all sizes. What we keep hearing is, ‘If it could happen to DLA Piper, what hope do any of us have when it comes to protecting client data?’”

What Not to Do

Given the ubiquity of the problem in recent years, endless suggestions have issued forth about what organizations should do in the wake of a data breach. So instead, we asked an expert for a quick rundown on some pitfalls you should avoid after an IT incursion. Here is Sharon Nelson’s list:

•Failing to notify the regional FBI office (some firms just call their local police departments).
•Failing to notify clients who may have been impacted in a timely manner.
•Failing to follow their state data breach notification law (many hide behind the “no one can ascertain for sure what data was compromised” argument).
•Moving too quickly to announce a breach, especially where there is no response plan in place and no facts have yet been gathered by digital forensics. Never let public statements outrun provable facts.
•Using IT generalist staff to conduct breach investigations rather than experts.
•Moving too slowly to announce the breach. It will look like concealment and have a bad PR response when and if the breach becomes public.
•Discussing the breach on social media. A carefully crafted statement on the website is a better idea.
•Failing to instruct employees on how to handle questions about the breach.

You’ll Need a Plan

The foundation of any organization’s effective data breach strategy should be having a solid incident response plan in place.

These IRPs would typically include such components as having a data breach lawyer and a digital forensic consultant lined up ahead of time and having internal IT systems logs and insurance coverage in place to cover such an eventuality, as well as a plan for containment of and recovery from the breach.

Even in the face of the mounting evidence that it’s disastrous to ignore proper IT security, many organizations continue to drag their feet.

Sometimes they’re forced to act by clients, who insist on security audits of their operations before doing business. “Client security audits have proliferated,” says Sharon Nelson. “This train is moving even faster than the adoption of incident response plans.”

Law Firms as Juicy Targets for Hacking

IF robbers target banks simply because that’s where the money is, sophisticated hackers often find law firms as an inviting target for similar reasons: they’re repositories of valuable information.

In 2009, the Federal Bureau of Investigation warned American law firms that they were being specifically targeted by hackers intent on breaching their computer security. Two years later, the bureau organized an educational meeting with the managing partners of top law firms, paying special attention to firms with offices in Russia or China.

If law firms needed that warning then, either about state-sponsored players or hackers with fewer resources, the threat is hardly news to them today.

After all, two-thirds of U.S. law firms were breached in 2016, and 18 firms reported losing a client after failing an IT security audit, according to one survey.1

An American Bar Association study2 found that 40 percent of firms that suffered a data breach in 2016 reported significant downtime and loss of billable hours.

The list of firms that have suffered breaches reads like a who’s who of marquee names. The Chicago-based firm Johnson & Bell was hit with a class action suit in late 2016 over its alleged failure to protect client information. The irony of the DLA Piper breach is that the firm promoted itself as a specialist in cybersecurity.

The Panama Papers case, which involved the leaking of 11.5 million legal documents from a Panamanian law firm that specialized in setting up offshore entities, represented an earthquake-sized wakeup call in the legal sector.

Related Articles

Bringing Cloud Liability Down to Earth


by Jim Steinberg and Lance McCord

Unlike most traditionally licensed software, cloud solutions also put the customer at risk by transmitting, storing, and processing the customer’s data outside of the customer’s networks.

Cloud Liability

Tampa Hospital Suffers Recent Data Breach


by Gregory Sirico

Tampa General Hospital, a non-profit research based medical center, suffered a sizeable data breach that put 1.2 million patients' information at risk.

Laptop reading hacked with translucent medical model in foreground

Are You Equipped to Manage the Internet of Things?


by Morgan Gebhardt

Are IoT technologies nice-to-have “apps” or necessary business components?

Manage the Internet of Things

Cyber School


by Elizabeth S. Fitch and Theodore M. Schaer

Cybersecurity and the Claims and Litigation Management Alliance’s School of Cyber Claims

Cyber School

Trending Articles

2025 Best Lawyers Awards Announced: Honoring Outstanding Legal Professionals Across the U.S.


by Jennifer Verta

Introducing the 31st edition of The Best Lawyers in America and the fifth edition of Best Lawyers: Ones to Watch in America.

Digital map of the United States illuminated by numerous bright lights

Unveiling the 2025 Best Lawyers Awards Canada: Celebrating Legal Excellence


by Jennifer Verta

Presenting the 19th edition of The Best Lawyers in Canada and the 4th edition of Best Lawyers: Ones to Watch in Canada.

Digital map of Canadathis on illuminated by numerous bright lights

Legal Distinction on Display: 15th Edition of The Best Lawyers in France™


by Best Lawyers

The industry’s best lawyers and firms working in France are revealed in the newly released, comprehensive the 15th Edition of The Best Lawyers in France™.

French flag in front of country's outline

Announcing the 13th Edition of Best Lawyers Rankings in the United Kingdom


by Best Lawyers

Best Lawyers is proud to announce the newest edition of legal rankings in the United Kingdom, marking the 13th consecutive edition of awards in the country.

British flag in front of country's outline

Announcing the 16th Edition of the Best Lawyers in Germany Rankings


by Best Lawyers

Best Lawyers announces the 16th edition of The Best Lawyers in Germany™, featuring a unique set of rankings that highlights Germany's top legal talent.

German flag in front of country's outline

Prop 36 California 2024: California’s Path to Stricter Sentencing and Criminal Justice Reform


by Jennifer Verta

Explore how Prop 36 could shape California's sentencing laws and justice reform.

Illustrated Hands Breaking Chains Against a Bright Red Background

Celebrating Excellence in Law: 11th Edition of Best Lawyers in Italy™


by Best Lawyers

Best Lawyers announces the 11th edition of The Best Lawyers in Italy™, which features an elite list of awards showcasing Italy's current legal talent.

Italian flag in front of country's outline

Combating Nuclear Verdicts: Empirically Supported Strategies to Deflate the Effects of Anchoring Bias


by Sloan L. Abernathy

Sometimes a verdict can be the difference between amicability and nuclear level developments. But what is anchoring bias and how can strategy combat this?

Lawyer speaking in courtroom with crowd and judge in the foreground

Things to Do Before a Car Accident Happens to You


by Ellie Shaffer

In a car accident, certain things are beyond the point of no return, while some are well within an individual's control. Here's how to stay legally prepared.

Car dashcam recording street ahead

The Push and Pitfalls of New York’s Attempt to Expand Wrongful Death Recovery


by Elizabeth M. Midgley and V. Christopher Potenza

The New York State Legislature recently went about updating certain wrongful death provisions and how they can be carried out in the future. Here's the latest.

Red tape blocking off a section of street

Tampa Appeals Court ‘Sends Clear Message,” Ensuring School Tax Referendum Stays on Ballot


by Gregory Sirico

Hillsborough County's tax referendum is back on the 2024 ballot, promising $177 million for schools and empowering residents to decide the future of education.

Graduation cap in air surrounded by pencils and money

Find the Best Lawyers for Your Needs


by Jennifer Verta

Discover how Best Lawyers simplifies the attorney search process.

A focused woman with dark hair wearing a green top and beige blazer, working on a tablet in a dimly

Key Developments and Trends in U.S. Commercial Litigation


by Justin Smulison

Whether it's multibillion-dollar water cleanliness verdicts or college athletes vying for the right to compensation, the state of litigation remains strong.

Basketball sits in front of stacks of money

Is Premises Liability the Same as Negligence?


by Jeremy Wilson and Taylor Rodney Marks

In today's age, we are always on the move, often inhabiting spaces we don't own. But what happens when someone else's property injures you or someone you know?

A pair of silhouetted legs falling down a hole with yellow background

Woman on a Mission


by Rebecca Blackwell

Baker Botts partner and intellectual property chair Christa Brown-Sanford discusses how she juggles work, personal life, being a mentor and leadership duties.

Woman in green dress crossing her arms and posing for headshot

Best Lawyers Celebrates Women in the Law: Ninth Edition


by Alliccia Odeyemi

Released in both print and digital form, Best Lawyers Ninth Edition of Women in the Law features stories of inspiring leadership and timely legal issues.

Lawyer in green dress stands with hands on table and cityscape in background