Sample Claims

Law Firm Data Breaches: A Guide to Common Threats and Costs of Data Breaches

The ABA estimates the average cost of a data breach to be $7.2 million. To understand why that cost is so high, you need to know what a data breach really is. It's probably not what you think.

As a lawyer you know the importance of using careful, accurate words. Unfortunately, the phrase "data breach" is not very accurate when it comes to describing the liabilities that many law firms face. There are thousands of kinds of data breaches, ranging from sophisticated attacks by hackers (the kind you would see in movies) to simple dumb mistakes like plugging a thumb drive into a computer on an unsecured network.

Law firms store countless files containing private data. In order to fulfill your confidentiality obligations, business agreements, and other legal responsibilities, you need to protect that data from the thousands of ways it can be exposed.

To help you understand the different threats to your data, SafeLaw Solutions has compiled ten brief examples of data breaches. Most of these examples are adapted from real data breaches that occurred at real law firms. We'll give you the case, explain the breach, and estimate the cost to the law firm. Our top ten most familiar breaches are as follows:

  1. Stolen Device: One Stolen Device = Headaches for the Entire Firm.
  2. Data Backup Mishap: After a Malware Attack One Firm Loses All its Data.
  3. BYOD Liability: Personal Devices on Firm Networks Carry Risk.
  4. Trust Account Hacked: 6 Figures Stolen, Firm's Reputation Tarnished.
  5. Inside Job (Part 1 of 2): Theft of Hard Drive and Sale of Private Data.
  6. Inside Job (Part 2 of 2): Employee Theft of Old Hardware Leads to Accidental Data Breach.
  7. Encryption Error on Cloud Storage Leads to Data Breach.
  8. Accidental Disclosure: Workers' Comp Data Accidentally Posted Online.
  9. Email Hack: Stolen IP, Corporate Records, and Financial Data.
  10. M&A Liability: Digital Leaks Lead to Insider Trading Lawsuits and Lost Business.

Stolen Device: One Stolen Device = Headaches for the Entire Firm

The Case:

After working late preparing documents for a Series C round of financing, an attorney leaves his laptop in his car. In the morning, he sees his back window has been smashed. Sure enough, the laptop has been stolen from the backseat. Though the computer is password protected, the hard drive was not encrypted, so the password offers no protection for the data on the disk. State law requires the law firm to inform each person whose personal data might have been stored on the computer. His laptop had investment documents and various spreadsheets with names, addresses, and other information for thousands of clients and investors.

The Breach:

The American Bar Association warns that a stolen laptop is one of the most common types of data breach. An attorney may leave a laptop overnight in a car, or a criminal might break into a firm and steal any portable technology he can get his hands on. State laws typically require a business to contact each person whose data it lost.

The Impact:

The estimated cost for a breach at a small firm that lost data for 1,000-5,000 people is approximately $600,000. As a law firm, you could face even higher costs if the breach affects a deal in progress. Say the breach causes an investor to back out in the Series C example we used above. A firm could see a major malpractice case. A client could sue the firm for hundreds of thousands of dollars in damages to their reputation.

Data Backup Mishap: After a Malware Attack One Firm Loses All its Data

The Case:

During peak tax season, a tax law firm is infected with ransomware, a common malicious program that encrypts a company's data and won't let you access it until you pay a ransom. The IT department at the firm tells everyone not to worry because they have a backup of the data. However, after wiping their servers, the IT department mishandles the data and the backup is lost as well. Just like that, years of client documents are gone.

The Breach:

If this breach sounds implausible, think again. It has really happened to multiple firms, including one firm working to meet a tax season deadline. How did it happen? In one particular case, an employee opened an email that was disguised to look like a notice from their voicemail service. The email contained the ransomware that locked the firm's data. Hackers have grown more sophisticated in these email attacks, disguising their attachments in run-of-the-mill emails that a firm employee wouldn't think twice about opening.
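The failure in this scenario is procedural: the servers were wiped before anyone proved the backup could actually be restored. The following Go program is an added illustration from the editor, not SafeLaw's own material; it records a SHA-256 manifest of the live data, checks a restored copy against that manifest, and only reports it "safe to wipe" when every file came back intact. The directory layout and file contents are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps a file path (relative to the tree root) to the hex SHA-256 of its contents.
type Manifest map[string]string

// BuildManifest walks root and hashes every regular file. Take it from the live
// data before the backup runs, and keep the result where the backup process
// cannot overwrite it.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		m[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return m, err
}

// VerifyRestore compares a restored tree against the manifest and returns a
// sorted list of problems (missing or altered files). An empty list means the
// restore is complete.
func VerifyRestore(m Manifest, restoredRoot string) ([]string, error) {
	got, err := BuildManifest(restoredRoot)
	if err != nil {
		return nil, err
	}
	var problems []string
	for path, want := range m {
		have, ok := got[path]
		switch {
		case !ok:
			problems = append(problems, "missing: "+path)
		case have != want:
			problems = append(problems, "altered: "+path)
		}
	}
	sort.Strings(problems)
	return problems, nil
}

// SafeToWipe is the gate the firm in the scenario skipped: wipe the originals
// only after a test restore has been verified against the manifest.
func SafeToWipe(m Manifest, restoredRoot string) (bool, error) {
	problems, err := VerifyRestore(m, restoredRoot)
	return err == nil && len(problems) == 0, err
}

// writeTree creates a constructed set of files under root (sample data, not real client records).
func writeTree(root string, files map[string]string) error {
	for name, body := range files {
		p := filepath.Join(root, name)
		if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o600); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	live, _ := os.MkdirTemp("", "live")
	defer os.RemoveAll(live)
	restored, _ := os.MkdirTemp("", "restored")
	defer os.RemoveAll(restored)

	docs := map[string]string{ // constructed sample documents
		"clients/acme/return-2015.txt": "constructed sample return",
		"clients/acme/notes.txt":       "constructed sample notes",
	}
	_ = writeTree(live, docs)
	manifest, _ := BuildManifest(live)

	// Simulate a mishandled restore: one file never came back.
	delete(docs, "clients/acme/notes.txt")
	_ = writeTree(restored, docs)

	problems, _ := VerifyRestore(manifest, restored)
	fmt.Println("problems:", problems)
	ok, _ := SafeToWipe(manifest, restored)
	fmt.Println("safe to wipe live servers:", ok)
}
```

The manifest should be stored separately from both the live data and the backup media; if ransomware or a bad restore can alter the manifest, it can no longer serve as the independent record of what "complete" means.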

The Impact:

Let's say this breach happens at your average firm: a medium-sized firm with 20 attorneys who bill on average $240 per hour. The outage forces them to lose two days' worth of billable hours. Using an IT cost calculator, we can estimate that the cost of a two-day data outage would end up being $72,000, purely in lost productivity. That doesn't take into consideration the lawsuits and malpractice cases a firm would face. Conservative estimates would suggest lost data could easily end up costing a firm between $100,000 and $500,000.

BYOD Liability: Personal Devices on Firm Networks Carry Risk

The Case:

A lawyer brings his personal Android phone into the office and logs onto the firm's Wi-Fi. Unbeknownst to him, there's malware on his phone, which, once connected to the firm's network, harvests data from the firm's computers.

The Breach:

BYOD (or Bring Your Own Device) is tech-slang for situations where a personal device (or any device not owned by a business) is used on a business's network. Proper security protocol would mandate that only devices owned and strictly monitored by the company can be used on its network. There are many reasons for this. Say a lawyer's kid downloads a game on their iPad. The game could contain malware or a security flaw. If you let that device access your network, you're in for a load of trouble.

The Impact:

The data stolen from the firm's computers contains 3,000 records with a mix of personal information (SSNs, names, addresses, etc.) of current and former clients and their employees. The firm has to contact each client and their employees, which amounts to weeks of embarrassing phone calls. The head of the firm makes himself available to talk to important former clients to comfort them. All told this breach ends up wasting a lot of the firm's time and money...

  • Cost of breach and credit monitoring: $300,000.
  • Damage to reputation: $100,000.
  • Lost productivity: $50,000.

Estimated total: $450,000.

Trust Account Hacked: 6 Figures Stolen, Firm's Reputation Tarnished

The Case:

By using a key-logging program, which records passwords as they are typed into a computer, hackers are able to break into a firm's IOLTA, stealing $250,000 of client money. While this virus seems sophisticated, for hackers it's a run-of-the-mill attack. They draft an email to look like normal correspondence the firm receives, send it to an employee at the firm, and hide the malware as an attachment.

The Breach:

In recent years, law firms have seen their trust accounts (and other bank accounts) targeted by hackers. If you think about it, it makes sense from a criminal's perspective: law firms document everything. If a hacker breaches a firm's network, they can find access not only to trust accounts, but also bank account numbers, wire transfer numbers, and more sensitive data.

The Impact:

Data breaches are complicated and take months (or years) to resolve. A case like this will have many expenses associated with it...

  • Stolen money: $250,000.
  • Response time: the firm loses a week's worth of hours from staff as they have to contact clients, the state bar, their malpractice insurance carrier, and other entities. This adds up to $40,000 in lost productivity.
  • Legal expenses: $250,000 in lawsuits from clients.
  • Reputational damage: $100,000 in lost revenue; $50,000 in reputational damages when junior attorneys leave the firm to work at a crosstown rival.
  • IT expenses: $10,000 to wipe the computers clean, undergo a security audit, and increase security standards.

Estimated total: $790,000.

Inside Job (Part 1 of 2): Theft of Hard Drive and Sale of Private Data

The Case:

An employee at a law firm steals a hard drive from the office. The firm works with medical companies, and the drive contains countless records of protected health information (PHI) covered by the firm's business associate agreements (BAAs). After stealing the hard drive, the employee tries to make quick money by selling the data online on a black market identity theft website. A month later, FBI investigators track the spree of identity theft back to the firm, which now has to pay HIPAA fines and deal with a massive lawsuit.

The Breach:

In this case, an employee physically stole a hard drive and sold its contents online. But often, employees can simply download data from the firm and sell it online. These "inside job" data breaches can be costly because an employee has access to large amounts of data. Breached medical data also means that a firm will have to pay HIPAA / HITECH fines, which can range from $1,000 to $1.5 million.

The Impact:

The law firm's damages will break down as follows:

  • Damage to firm's reputation & lost business: $100,000.
  • HIPAA fine: $200,000.
  • Data breach lawsuit: $250,000.

Estimated total: $550,000.

Inside Job (Part 2 of 2): Employee Theft of Old Hardware Leads to Accidental Data Breach

The Case:

An employee is tasked with destroying old desktop computers, laptops, and storage devices. The computers are mostly out of date, but the employee thinks he might be able to make a little bit of money by selling them. Rather than take the computers to a company that will securely destroy them and wipe the contents of the old hard drives, he drops them off at a pawnshop for a couple hundred dollars.

The Breach:

This breach is a helpful example because it points out that breaches can be an unintentional result of employee actions. Simply by taking these devices from the firm and not immediately disposing of them, the employee committed a data breach. The firm will have to notify clients whose data might have been affected. To make matters worse, explaining that a firm's employee tried to steal computers and sell them to a pawnshop isn't going to make the firm look very professional.

The Impact:

The computers contained old data of bank accounts, routing numbers, SSNs, and other private data for 2,000 individuals. For this breach, let's assume a best-case scenario: no one is sued. The only costs to the company result from fixing the problem and repairing its reputation...

  • Costs to contact clients: $10,000.
  • Reputational damage: $50,000.
  • Loss of productivity: $10,000.

Minimum estimated total: $70,000.

Encryption Error on Cloud Storage Leads to Data Breach

The Case:

The law firm does everything right, but forgets to make sure that its cloud storage (e.g., Dropbox) encrypts all data even when that data is passing between servers. The firm was obligated under its business associate agreements (BAAs) to uphold HITECH and HIPAA standards. The unencrypted data breaks those standards and is considered a data breach.

The Breach:

This is a bit of a nerdy explanation, so bear with us. Data can be encrypted, which means it's scrambled and made nearly impossible to read when it leaves the firm's network and travels to an online storage site. There, it should remain encrypted until you download it again. Unfortunately, in this example the storage site decrypted the data while it was being stored and moved on its servers (this is a common security issue with cloud storage). Law firms are responsible for making sure that standards.
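The way to make a provider's at-rest handling irrelevant is to encrypt each document on the firm's side before it is uploaded, so the provider only ever holds ciphertext it cannot read. The Go program below is an added example by the editor, not code from SafeLaw or from any cloud provider: it seals a document with AES-256-GCM under a key the firm keeps, binds the object name into the authenticated data so a blob copied under another name will not open, and includes a simple audit check for whether a plaintext marker is visible on the provider side. The in-memory store and the sample record are constructed stand-ins.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudStore stands in for the provider: it only ever holds the bytes the firm
// hands it, so what it does with them at rest cannot expose the plaintext.
type CloudStore map[string][]byte

// NewKey returns a fresh 256-bit key. In practice it lives in the firm's key
// store, never on the provider's side.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts doc with AES-256-GCM. The object name is bound in as
// associated data, so a blob renamed or copied elsewhere fails to open.
func Seal(key []byte, name string, doc []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Layout of the stored blob: nonce || ciphertext || authentication tag.
	return gcm.Seal(nonce, nonce, doc, []byte(name)), nil
}

// Open reverses Seal and fails on any modification of the stored blob.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// Upload encrypts locally and hands the provider only the ciphertext.
func Upload(store CloudStore, key []byte, name string, doc []byte) error {
	blob, err := Seal(key, name, doc)
	if err != nil {
		return err
	}
	store[name] = blob
	return nil
}

// Download fetches the blob and decrypts it on the firm's side.
func Download(store CloudStore, key []byte, name string) ([]byte, error) {
	blob, ok := store[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	return Open(key, name, blob)
}

// StoredInClear reports whether the provider-side bytes contain a plaintext
// marker: the audit check the firm in the scenario never ran.
func StoredInClear(store CloudStore, name string, marker []byte) bool {
	return bytes.Contains(store[name], marker)
}

func main() {
	key, _ := NewKey()
	store := CloudStore{}
	// Constructed sample record, not real client or patient data.
	doc := []byte("Patient: J. Doe, SSN: 000-00-0000, Dx: sample")
	_ = Upload(store, key, "matter-42/intake.txt", doc)
	fmt.Println("provider sees SSN in clear:", StoredInClear(store, "matter-42/intake.txt", []byte("000-00-0000")))
	back, err := Download(store, key, "matter-42/intake.txt")
	fmt.Println("round trip ok:", bytes.Equal(back, doc), err)
}
```

With this arrangement a provider-side configuration slip like the one described above changes nothing about who can read the documents; the trade-off is that the firm now owns key management, including backup of the key, because losing it loses every sealed file.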

The Impact:

For a data breach involving 10,000 protected health information records, a firm can expect the following costs.

  • Notification, credit monitoring, crisis management costs: $140,000
  • HIPAA and regulatory sanctions: $1,250,000.
  • Client lawsuit: $100,000.
  • Damage to firm's reputation: $100,000.

Estimated total: $1,590,000.

Accidental Disclosure: Workers' Comp Data Accidentally Posted Online

The Case:

In an absolutely boneheaded move, an employee at a law firm posted the wrong spreadsheet online. Though it was only up for a day, the employee exposed hundreds of employee Workers' Comp records online. After the blunder, the law firm was obligated to inform its client (and their employees) about the breach of confidentiality.

The Breach:

Accidental disclosures are one of the leading causes of data breaches. Certain laws like HIPAA, HITECH, and Workers' Compensation regulations will require you to protect any private data. If that data is accessed on or posted to an unsecured network, a law firm might be required to contact all the parties involved.

The Impact:

  • Costs to contact clients: $15,000.
  • Reputational damage: $100,000.
  • Loss of productivity: $20,000.

Estimated total: $135,000.

Email Hack: Stolen IP, Corporate Records, and Financial Data

The Case:

A law firm is targeted by a foreign government that hacks into its network to gain access to data from the firm's biggest client, Company X. Company X has used the firm throughout the years and the firm has records of everything from IP agreements to employment data. Company X is planning on acquiring a smaller competitor, which makes the timing of the attack suspicious.

The Breach:

A breach like this may sound like a James Bond story, but it's a serious threat corporate law firms face. A few years ago, the FBI began warning law firms about this specific type of attack because foreign governments will target U.S. law firms, knowing that law firms often have weaker network security than their big clients. Once inside a firm's network, hackers can get access to all sorts of corporate data. The New York Times has also profiled how many large companies are requiring their corporate attorneys to meet higher data security standards and have data breach insurance before sharing any data with them.

The Impact:

Impacts for this kind of breach can be huge. A lawsuit over stolen IP can result in a million-dollar judgment. Experts estimate that U.S. businesses lose $300 billion to IP theft each year.

  • Lost IP cost: $1,000,000.
  • Firm's reputational damage: $600,000.
  • Lost productivity: $100,000.

Estimated total: $1,750,000.

M&A Liability: Digital Leaks Lead to Insider Trading Lawsuits and Lost Business

The Case:

One of New York's top mergers and acquisitions firms is embroiled in an insider trading scandal after a staff clerk uses his digital access to documents to glean data he can leverage in the stock market. While billing hours to clients for related projects or due diligence work, he accesses the "data room," a supposedly secure digital environment containing important M&A docs. Under the guise of doing clerical work, the clerk is able to steal information about future mergers and acquisitions and leak it to insiders on Wall Street.

The Breach:

While you can build a bulletproof firewall, there's little you can do to stop a malicious act by an employee or one caused by a simple human error. Common employee-caused breaches include: physical theft of devices (mobile phones, laptop, old hardware, etc.), stealing IP from clients, mishandling of data, accidental disclosure (e.g. attaching the wrong document to an email), and other crimes and mistakes.

The Impact:

M&A leaks can lead to all sorts of trouble. On the client side, they've actually caused deals to fall through completely. But from a firm's perspective, you're looking at lost clients, lost productivity, and other major expenses.
