It was only a matter of time before the legal industry was put under the cybersecurity magnifying glass in the form of litigation. On December 9, Chicago-based Johnson & Bell was named in the first publicly disclosed data security class action complaint against a U.S. law firm.
In the eyes of an attacker, a law firm is a highly attractive repository of personally identifiable information and other confidential data. While law firms have for years played a key, and necessary, role in data security planning and data breach incident response on behalf of many of their clients, the legal industry itself had not fallen victim to a large attack or suffered far-reaching reputational damage as a result. Public disclosure of the filing against Johnson & Bell is the tip of the proverbial iceberg.
In May 2016, the Panama Papers leak of 11.5 million documents, containing detailed financial information and attorney-client privileged material for numerous offshore entities, exposed the vulnerability of the legal sector in an unprecedented manner. Panamanian law firm Mossack Fonseca’s initial response following the leak “did not address any of the specific due diligence failings uncovered by reporters,” per the Miami Herald. It was as though law firms had not taken the same risk management steps they had historically advised their own clients to follow. Beyond that, the episode called into question whether law firms could communicate effectively with clients and key stakeholders about the level of data security preparedness within the firm.
As in healthcare and financial services, information security is perhaps the biggest assurance clients depend on when choosing legal representation, and the ability to protect confidentiality is the most significant determinant of a law firm’s reputation. But in a reality of increasingly frequent and sophisticated cybercrime, no organization, whatever its size or security posture, is safe. Johnson & Bell has said the firm is prepared to defend itself in court. Only time will tell whether other firms are prepared to defend their own operational security standards.