Of 450 reported data breaches this year, only four traced to law firms

Last week, the Identity Theft Resource Center published its mid-year report, assembling into a terrifying rap sheet some 450 known breaches that together compromised more than 135 million records. Of those incidents, which the ITRC identified through media and government reports, and customer notifications, a grand total of four involve disclosure of client data by attorneys — this despite law firms continually ranking among the most vulnerable industries to data breach.

The causes of those four breaches are not particularly revelatory. In separate instances in San Francisco and San Diego, lawyers had their work laptops stolen in public spaces. In a San Bernardino suburb, a four-attorney firm suffered a ransomware attack. And in Florida (where else?), a lawyer chucked his client’s files in a dumpster.

There are, according to the ABA, about 50,000 law firms in the United States. Of the four firms that were either brave enough to come forward, or unlucky enough to court media attention, only the 140-attorney Atkinson Andelson employs more than 10 people. This is a curious statistic on its face, but particularly noteworthy in light of recent media analyses suggesting “virtually all” of the biggest firms have fallen victim to data breach, and “at least 80 percent” of the top 100.

There are two types of law firms… 

Given the absence of formal breach reports and the closeness with which law firms guard details of attorney-client relationships, most of these estimates appear to be based on a few high-profile, though isolated incidents, and very general assumptions. Earlier this year, for instance, Citigroup’s cyberintelligence unit circulated an internal memo chiding law firms for their poor security measures and unwillingness to share or disclose breach intelligence. That report, though it only mentioned four firms by name, was assumed by some observers to mean that all law firms are terribly vulnerable and routinely victimized.

Indeed, in recent years, a curious dynamic has emerged that has a close parallel in baseball’s steroids scandal, where the lack of formal reporting requirements and a dearth of actual evidence beyond a handful of big name revelations have spurred wild speculation about the scope of the problem — and led to blanket assertions and guilt by association. You’re either guilty, the implication is, or lying.

The most gung-ho assertions — that when it comes to data security, law firms are sieves — are often accompanied by a line of thinking that all but ends the conversation: “There are only two types of firms,” the common expression goes, “those that have been breached, and those that don’t know they’ve been breached.” How do you argue with that?

To be sure, there are reasons to believe that law firms, on the whole, have a serious problem with data security. There is a general resistance to move away from physical media and devices, porous IT infrastructures in some instances, and an odd willingness to produce highly sensitive information to outsiders — for instance, through discovery — without putting any safeguards in place. Then there’s the very nature of how law firms operate — as federations of individual attorneys under one banner — that isn’t necessarily conducive to enforcing security policies or administering formal training. And of course, firms are vulnerable to run-of-the-mill human fallibility (e.g. leaving your laptop on a trolley), which is hardly unique to law firms but magnified in a profession trading in highly confidential information.

On that front, there is an increasing awareness by hackers, state-sponsored terrorists and other malicious actors that U.S. law firms collectively act as the clearinghouse for all of the nation’s most sensitive business secrets, being the brokers of M&A and guardians of intellectual property.

Why so silent? 

As the calls for more transparency and greater collaboration around breach reporting grow louder, it is is important to consider why law firms by and large do not disclose data breaches — and whether, given strict professional codes, they are even ethically allowed to. Certainly the lack of formal reporting requirements contributes to the silence, but there are also more ambiguous considerations that are unique to the legal industry.

For one, there is an inherent conflict between a) the obligation of attorneys to protect — or “maintain inviolate,” as one code states — client confidences and b) the very act of reporting a breach. Given the broad professional mandate to prevent, with rare exception, the disclosure of information that could harm a client, there is perhaps an argument to be made that reporting a data breach involving a client constitutes a breach in and of itself — this time of professional and ethical duties.