Why You Need A Law Firm Data Breach Response Plan
Hacking was once again prominently in the news when it was announced right before the Democratic National Convention that Democratic Party emails had been compromised. This comes after an incident earlier this year when it was announced that hackers broke into the computer networks at a number of well-known law firms, including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, which represent Wall Street banks and Fortune 500 companies.
Sadly, we have grown accustomed to, and possibly numb from, the almost weekly announcements that major corporations, organizations and government agencies have been victims of cyberattacks. The potential vulnerability of law firms is raising concerns among their clients, who are conducting their own assessments of the firms they hire.
Law Firms in the Crosshairs
Law firms now recognize that cybercriminals are constantly looking for easy targets and sources of potentially valuable data that can be used to steal identities. Since law firms act as warehouses of extremely sensitive client and employee data, they are prime targets for cyberattacks. In the new, highly connected reality we operate in, law firms must consider the risks these cyberthreats pose and take the data protection steps necessary to reduce those risks. Otherwise, the oversight may prove costly.
It should be noted that, historically, most data breaches experienced by law firms have involved the loss or theft of a laptop, thumb drive, smartphone, tablet or other mobile device that contains sensitive client information. Such theft can be an open door for cybercriminals to gain easy access to a firm’s corporate network and steal confidential information. All that said, cybercriminals are far savvier than ever before and have developed means of breaking into protected networks without possessing any of the organization’s hardware.
For example, according to a March 19 article in the Wall Street Journal, in February of this year, “a posting appeared on an underground Russian website called DarkMoney.cc, in which the person offered to sell his phishing services to other would-be cyberthieves and identified specific law firms as potential targets. In phishing attacks, criminals send emails to employees, masked as legitimate messages, in an effort to learn sensitive information like passwords or account information. As a result, security firm Flashpoint issued alerts to law firms in January and February about the threats and has acquired a copy of a phishing email that is aimed at law firms, according to a person familiar with the alerts.”
Communicating a Data Breach
Since no one can fully eliminate the risk of a data breach, it’s important to have a crisis communication plan in place so that, if one occurs, the firm can promptly inform its stakeholders, and the media should they cover the story. The goal of the plan should be to address the situation as quickly as possible and restore trust with stakeholders. Tactics should include:
Identify a spokesperson for the firm.
Prepare written statements for employees, clients and media.
Craft message points for any media interviews.
Call key clients to inform them personally of the breach.
Post a statement on the firm’s website where it can be found easily.
As for the media, law firms should avoid the instinct to take a “head in the sand” approach. The conversation in the media, especially over social media, will take place whether you participate or not. It’s important to be honest and direct when telling your story. This will allow the law firm to better control the narrative.
The risk of your law firm’s computer network being hacked can never be completely eliminated. As the threats continue to increase, it’s critical to create a crisis communications plan to mitigate the fallout and reduce the likelihood that it will have a long-term negative impact on your firm’s reputation or bottom line.