How Vendor Data Breaches Are Putting Law Firms at Risk
Records show that law firms' relationships with third-party vendors are a frequent point of exposure to cyber breaches and accidental leaks.
October 17, 2019 at 05:45 PM
In the early morning hours of Oct. 10, 2012, a laptop belonging to accounting firm WeiserMazars, a vendor to Blank Rome, was stolen from an employee's car in Philadelphia.
That triggered a series of letters from Blank Rome notifying state officials and others that the incident may have exposed the personal information of the law firm's personnel, affecting nearly 60 people.
"A file on the laptop may have included your name and social security number," according to a template letter signed by a Blank Rome attorney and sent to affected individuals. "Because the incident may have compromised this personally identifiable information, we are bringing this situation to your attention."
While law firms are often considered a weak point in the security of corporations' sensitive information, firms or their employees have frequently suffered potential leaks through their own third-party vendors, according to Law.com's investigation of law firm data breaches across the country. The breaches that law firms reported to state authorities varied in severity, and some incidents were unrelated to the strength of the law firm's cyber defenses and didn't risk or relate to client data.
External breaches, including phishing and hacking as well as vendor incidents, were the most commonly identified source of data exposure events reported by law firms, according to Law.com's investigation, which examined data breach notifications from more than a dozen states. Stolen or lost devices were the second most common type of security incidents reported by law firms.
In the case affecting Blank Rome, the firm told New York state officials that WeiserMazars, now called Mazars, was investigating the incident and had notified law enforcement authorities.
A Blank Rome representative declined to comment to Law.com, citing client confidentiality. A spokeswoman for Mazars said it abides by ethical and professional rules and "is diligent with adhering to our duties and obligations to clients, which include comprehensive internal controls." The company, now in the headlines for its accounting work for President Donald Trump, declined to comment further.
Less than two years after that incident, in early 2014, Jeff Haidet, then chairman of McKenna Long & Aldridge, told New York state officials that the personal information of about 1,300 people could have been affected in a security breach.
The firm learned of "suspicious computer activity on servers" belonging to a vendor and that "some information related to current and former employees was accessed" around Thanksgiving Day through the unauthorized use of an administrator's login credentials, according to the letter from Haidet, now U.S. chairman of successor firm Dentons.
In a statement to Law.com, a Dentons spokeswoman confirmed that, about six years ago, the systems of a former vendor of McKenna Long were breached. However, she said, a thorough investigation "confirmed that no McKenna Long systems were improperly accessed."
More recently, Philadelphia litigation boutique Goldberg, Miller & Rubin reported that it learned in October 2016 that a security researcher was able to access electronic files relating to some of its cases. It appeared that a "service provider made an error in configuring the backup device," the firm reported to state authorities.
"We have the data because we represented you or another party in a claim or lawsuit," the firm said in a template letter to those affected.
A partner at Goldberg Miller declined to comment.
According to Law.com's analysis, several large firms reported that their employees were potentially affected through corporate breaches that made national news. For instance, Jones Day reported that an unauthorized individual gained access to the reservation system of Sabre Hospitality Solutions, a third-party vendor for the firm's travel services provider, between August 2016 and March 2017.
"This was not an incident that was suffered by the firm or by our travel agency, it was by a vendor of the travel agency," said Jones Day partner Mauricio Paez in an interview, adding that his firm submitted the security report because the state statute places the notification duty on the entity that actually has the relationship with the employees and that engaged the third parties. "We just forwarded the notice that we received from Sabre Hospitality Solutions."
The firm continues to "vet any third-party provider for their own security controls and information security program," Paez said.
Both McDermott Will & Emery and Akerman reported in 2015 that participants in their firms' group health plans could have been affected by the widely reported Anthem cyber hacking that year. A McDermott representative declined to comment. Akerman representatives did not respond to requests for comment.
Jon Washburn, the chief information security officer at Stoel Rives, said the legal community has become more attuned to the risk of vendor threats, with many firms ramping up their efforts to address third-party risk.
Some law firms now require that vendors that access, store, process or transmit confidential information be able to demonstrate through certifications or reports that the vendor has strong controls in place to reduce the risk of a data breach, Washburn said.
In addition, some law firm clients are now including third and even fourth party risk management requirements in their outside counsel guidelines and representation agreements, Washburn said.
From the Complex to the Routine
Besides external breaches, law firm data security incidents ran the gamut from ransomware attacks to stolen hard drives to mixed up letters in the mail, according to the data breach reports obtained by Law.com.
Some data breaches were surprisingly sophisticated in capturing client data.
Texas boutique Schachter Harris reported in 2017 that it was subject to an attack by "unknown criminals" that could have affected people who filed or were involved in lawsuits alleging asbestos-related injuries.
"The attackers used encryption ransomware to make some information on our computers inaccessible to us," the firm told authorities. "When we did not pay the ransom, the criminals claimed to possess the data from our computers. Based on our investigation, we believe that the attackers were able to acquire some files stored by our firm, relating to at least one of our clients."
In an email responding to Law.com's inquiry on the matter, partner Ray Harris said "this was a serious crime" and "the criminals to our knowledge, have not been caught." The firm declined to comment further.
Some law firm theft incidents were also reported to have exposed client data. One of the largest law firm breaches Law.com found, as measured by the number of people reportedly affected, was at a Los Angeles criminal defense firm, Imhoff & Associates, which notified authorities in at least six states that a hard drive containing backup files for one of the firm's servers was stolen from the locked trunk of an employee's vehicle.
In its notification letter, Imhoff, which worked with the Santa Monica Police Department and forensic experts, said "the hard drive may have contained files with differing amounts of employee and client information," such as Social Security numbers, driver's license numbers and contact information. The firm reported to New York officials that personal information from 13,026 people could have been exposed.
In an interview, the firm's managing director, Vincent Imhoff, said he doesn't "think any information was actually breached," but confirmed that "they took an external hard drive from the trunk of my car."
Imhoff said his firm has changed the way it stores information, declining to discuss details. He said his firm has been working with a third party to ensure cybersecurity since 2016.
As the Imhoff event demonstrated, some of the most troubling security incidents occurred when law firms never learned what happened to missing devices.
Ice Miller, in letters in 2016 sent to affected individuals, said a firm employee took a hard drive with files on it home to continue working on it, but that "the hard drive was stolen from her residence along with other personal belongings by her estranged husband."
The law firm concluded that her estranged husband had no interest in the Ice Miller files, but the hard drive contained certain IRS forms, "which, in turn, may have contained your social security number," the firm said in its notification letter.
In a statement to Law.com, Ice Miller said that although the hard drive was not recovered, the firm "determined the hard drive was likely destroyed and no confidential nor personal information was accessed. Only a very small number of people were affected, and the firm reached out to each of them individually." (The firm reported to state authorities that 52 people were affected.)
Other large firms also reported theft. In 2012, Wilson Sonsini Goodrich & Rosati told Massachusetts officials that it became "the victim of a computer equipment theft" and that the stolen equipment "contained unencrypted personal information," including a person's Social Security number.
In a separate incident, Wilson Sonsini reported in 2011 that a "small number of our computers used to process customer orders were infected by a previously unknown virus."
A Wilson Sonsini spokeswoman confirmed to Law.com that the "data breach incidents happened at the firm." In a statement, Jeff Lolley, Wilson Sonsini's chief information security officer, said the firm took appropriate steps "to inform the proper authorities regarding these minor incidents." He added, "We also take very seriously our obligation to protect our client and employee data, as we did then, and continue to focus on implementing technology and process solutions that not only meet, but exceed regulatory and client requirements for data protection and privacy."
Still, not all data breaches were malicious or deliberate widespread attacks. Several law firms reported paperwork errors on the part of firm employees and attorneys, such as sending the wrong document to a client or inadvertently including personal information in a court document.
Fragomen reported to New York state authorities in 2014 that a law clerk at the firm shared certain information with another law firm "without the firm's authorization," affecting one person. Meanwhile, Squire Patton Boggs informed state authorities last year that, when mailing out tax forms, it "mistakenly" mixed up documents in an envelope, possibly affecting 256 people. Mintz, Levin, Cohn, Ferris, Glovsky and Popeo reported last year that a human resources employee, responding to an employee's request for a W-2, "inadvertently sent an email and attachment to someone with a similar name outside the company."
In a statement, Fragomen said the incident was an "extraordinary event, which occurred a half-decade ago as the result of a single employee's willful and confined malfeasance." The firm said it is "in no way indicative of the robust cybersecurity guidelines and practices Fragomen has long had in place" and that it was fully committed to safeguarding clients' personal information. Squire Patton Boggs and Mintz Levin did not return messages seeking comment.
Ultimately, whether it was a cunning hack or a missing laptop leading to a breach, law firms often responded the same way: hiring forensic experts to track and assess the exposure, training staff on prevention and implementing new cybersecurity guidelines.
Large firms often dedicate vast resources and time to maintaining high cybersecurity standards, said some cybersecurity experts, but they note criminals and hackers are also becoming more sophisticated.
"They're moving at an equal pace," said Claudia Rast, Butzel Long's cybersecurity group leader and a member of the American Bar Association's cybersecurity legal task force. "The bad guys are moving as quickly as we are."
This article is the second in a Law.com series focused on law firm data breaches. Next up: How law firms have ramped up cybersecurity efforts, and what weaknesses remain.
Samantha Stokes contributed to this report.
Read More:
More Than 100 Law Firms Have Reported Data Breaches. And the Problem Is Getting Worse