The Federal Bureau of Investigation (FBI) has warned law firms that they are targets for hackers and that the security firm Mandiant has been spending 10 percent of its time investigating data breaches in law firms. In fact, Mandiant has confirmed that it has worked with more than 50 law firms dealing with confirmed or suspected data breaches. Clearly, it can happen to any firm.
Now consider the fact that most lawyers do not have cyberinsurance to cover the expense of complying with data breach laws, which now exist in 47 states, the District of Columbia, and the Virgin Islands. A single data breach could be a financial disaster for a small law firm.
The last stumbling block for lawyers who are disinclined to focus on security issues is their belief that it won’t happen to them—particularly their belief that no one would be interested in their data. Most of us can understand why merger and acquisition firms would be a magnet for hackers—clearly there is a great deal of money to be made on Wall Street with insider information. But what about small law firms? What attractive data do they hold? Well, many small firms practice family law—and their computers contain Social Security Numbers, birth dates, credit card numbers, and other detailed financial information. This is precisely the kind of data that identity thieves are looking for. They routinely scan for vulnerable systems seeking such data.