- Valuable client data firms hold targeted by hackers
- Suits allege firms not spending enough to stop attacks
Law firms that rake in dollars defending companies against cyberattack lawsuits are increasingly finding themselves targets, with five class actions filed so far this year alleging the legal operations failed to protect client data.
Bryan Cave Leighton Paisner and other firms facing suits represent a sweet spot for corporate cyberattackers because valuable data is stored there—from employee information such as health and financial data, to Social Security numbers, to patent specifications and merger and acquisition plans.
“Whatever drawer you open, you will find something top secret and valuable,” said John Reed Stark, a cybersecurity consultant and former enforcer for the Securities and Exchange Commission. “This area is ripe for litigation.”
News of data breaches at prominent firms has become close to a weekly occurrence, with reports of cyber thieves gaining access to different types of data including “personally identifiable information,” commonly known as PII, from former employees of firm clients, among others. Proskauer Rose, Kirkland & Ellis, K&L Gates, Loeb & Loeb, and Orrick Herrington & Sutcliffe were just a few of the dozen-plus leading firms reported to have been targeted over the last year.
The five class action cases filed this year against Bryan Cave; Cadwalader, Wickersham & Taft; Smith, Gambrell & Russell; and two smaller firms—Cohen Cleary and Spear Wilderman—claim that they didn’t sufficiently guard against the possibility of cyberattacks. The suits against Cadwalader and Smith Gambrell were later dropped.
Other firms, such as Covington & Burling, are facing action from government regulators over divulging the extent to which clients have been harmed by cyberattacks. The Securities and Exchange Commission subpoenaed Covington in January over a 2020 cyber hack that may have resulted in client data being stolen.
Law firm security “is on everyone’s radar screens right now,” said Jim Jones, a senior fellow with the Center on Ethics and the Legal Profession.
Kevin Rosen, a Gibson, Dunn & Crutcher partner, said large law firms have sought him out in recent months about responding to the damage both they and clients may have suffered from cyberattacks and how to handle potential lawsuits.
He represents Covington in its fight against the SEC’s demand to release names of 298 publicly traded clients whose information may have been exposed in the 2020 cyberattack.
Firms are “very much focused” on allocating resources to combat the threat, Rosen said. They are in a unique situation, as they must defend their own internal data plus that of their clients, he said.
Rise in Hacks
Law firms are among industries scrambling to keep up with an increasingly unsafe cyber landscape. The rate of global weekly cyberattacks rose by 7% in the first financial quarter of 2023 compared with the same period in 2022, according to an April report by cybersecurity firm Check Point Research.
Organizations faced an average of 1,248 attacks a week, Check Point found. One out of every 40 of the attacks targeted a law firm or insurance provider, the report said.
More than a quarter of law firms in a 2022 American Bar Association survey said they had experienced a data breach, up 2% from the previous year.
The diversity of client data that law firms handle—financial statements, medical data, and criminal records—makes them a valuable target for cybercriminals, said Rey Martinez de Andino, chief executive officer of information technology management consultancy Tenace.
Despite that heightened risk, law firms he’s worked with lag behind industry best practices, de Andino said.
“The less they protect themselves on the cybersecurity side, the more open they’re going to be for litigation, because data—it’s currency nowadays,” he said.
Most firms lack economies of scale, or budgets, to invest sufficiently in cyber defenses, said law firm consultant Kent Zimmermann of the Zeughauser Group. This makes them “soft underbelly” targets of hackers seeking client data, because firms “know where the market-moving information is,” he said.
Jones said law operations often make client information accessible throughout the firm, which makes it hard to build adequate security.
“Balancing maximum security and being able to readily share data creates a certain level of risk,” Jones said. “A lot of law firms really struggle with this.”
‘No Excuse’
Plaintiffs sued Bryan Cave, which goes by the acronym BCLP, on June 30 over a cyber breach four months earlier that exposed the personal data of more than 50,000 current and former employees of Mondelēz International, the snack food company that makes Oreo cookies and Ritz crackers.
Tom Zimmerman Jr., who represents the plaintiffs, said the claim that law firms cannot afford to invest in adequate cyber defenses is “no excuse” for allowing breaches to occur.
“Everybody’s on notice,” Zimmerman said. “There are industry standards, and law firms need to adhere to them.”
BCLP declined comment. A separate suit against the firm over the Mondelēz breach was voluntarily dismissed six days after being filed June 23.
Atlanta-founded Smith Gambrell was accused of failing to protect personal information in an Aug. 9, 2021, cyberattack that affected more than 19,000 people, according to a now-defunct suit filed by Felica Livingston, who described herself as a victim of the breach.
The firm didn’t respond to a request for comment about the suit, which was filed in March and dropped in May.
The since-dismissed Cadwalader suit involved claims that last November, more than 93,000 people had their personal identifying information stolen and were at risk of identity theft. Cadwalader did not respond to requests for comment.
Lawyers with two of the plaintiffs' firms that had sued Cadwalader and then dropped the matter—Finkelstein, Blankenship, Frei-Pearson & Garber and Goldenberg Schneider—did not respond to requests for comment.
The cases against the two smaller firms, however, are ongoing.
Philadelphia-founded firm Spear Wilderman discovered it had been hacked in May of 2021, but it didn’t notify victims until November of 2022, according to a complaint against the firm. Spear Wilderman did not respond to a request for comment.
The hack against Massachusetts firm Cohen Cleary occurred last September, according to an April 17 complaint, and involved theft of the personal information of more than 12,000 people.
The firm said in its motion to dismiss the case that the plaintiff, former client Jewell Weekes, failed to include a sufficient factual grounding to state a claim.
“Plaintiff does not allege how the cyberattack occurred, nor does she identify any specific defect in Cohen Cleary’s security systems, procedures, or training that may have contributed to it,” the firm argued.
Cohen Cleary did not respond to a request for comment.