Every law firm has to worry about data privacy. But when your clients are Madonna, Lizzo and Bruce Springsteen, the security of their personal information takes on a special edge.

New York-based Grubman Shire Meiselas & Sacks confirmed this week that it was hit by a ransomware attack, with the hackers reportedly demanding $21 million or they'll expose 756 gigabytes' worth of documents on the firm's clients, which also include AC/DC, Lady Gaga and Robert De Niro. Late in the week reports said the demand had been doubled, and paired with a threat to release "dirty laundry" on President Donald Trump.

"We have been informed by the experts and the FBI that negotiating with or paying ransom to terrorists is a violation of federal criminal law," a spokesman for the firm said in a statement. "Even when enormous ransoms have been paid, the criminals often leak the documents anyway."

The firm said it has received "overwhelming support" from its clients since the attack, but cybersecurity experts gave mixed assessments over whether founder Allen Grubman—whom Vanity Fair has called "the most powerful attorney in the music business"—will be able to walk from this breach entirely unscathed.

Grubman Shire might be aided by the fact that data breaches a lot more common these days, said Frank Gillman, a former Big Law chief information officer and a principal at Vertex Advisors Group.

"People in general are more understanding about companies being hit by ransomware because it's become more and more commonplace," Gillman said.

But law firms can face additional reputational peril because clients entrust them with so much confidential data, said Lisa Sotto, the chair of Hunton Andrews Kurth's global privacy and cybersecurity practice and the managing partner of its New York office.

"If I entrust my data to an organization and that trust is broken, very often than not, that individual will not renew that relationship with the organization," Sotto said. "I would expect some impact on business. Lately, it's almost inevitable a lawsuit is following a data breach."

In order to succeed on a data breach lawsuit, a plaintiff would need to prove the breach caused actual harm, Sotto said. That's a high bar, she said, but celebrity client might have an easier time arguing harm than plaintiffs in other data breach cases.

"This compendium of data is more sensitive than others," Sotto said, who noted that, with other data breaches, a victim can steps to mitigate the harm of identity theft or account fraud. "This data is much more difficult to contain the potential harm because it's so amorphous and reputationally damaging. There might be an easier bar to claiming harm here."

The A-list clientele of a law firm like Grubman Shire is also potentially exposed to blackmail and extortion, said Austin Berglas, a former FBI agent who is now the global head of professional services for BlueVoyant.

"They can reach out to the entertainers and extort them directly," Berglas said said of the cybercriminals.

Clients would be more likely to forgive a data breach—and have fewer avenues for redress—if it took place despite stringent cybersecurity measures and wasn't caused by the firm's negligence, said Jeffrey Brandt, the chief information officer of Jackson Kelly. Conversely, those clients could leave if they worry their personal data remains vulnerable, he added. Brandt noted, for instance, that he still shops at Walmart even though the retailer has suffered data breaches.

Although Grubman Shire is a small entertainment boutique with boldface name clients, its obligations—and vulnerabilities—parallel those of any other law firm. The firm said this week that it had informed all its clients of the breach and has been working with federal law enforcement as well as "the world's leading experts."

"It's incumbent on all firms in this day and age to pay attention to security," Brandt said.

Some boutique firms may have less resources available to pay for cybersecurity measures than a firm like DLA Piper—also a former victim of a high-profile cyber attack—or a company like Target, cybersecurity experts said. But small firms can still enact measures like two or multifactor authentication and train employees to spot phishing attempts.

Even so, a $400 million firewall can be rendered entirely useless if a person clicks on the wrong email, Berglas said.

"All it takes is one malicious phishing email to be clicked on by an employee in your financial department," Berglas said. "Now that bad actor has gained the username and password for that employee, and circumvented that wall."

|

Read More

More Than 100 Law Firms Have Reported Data Breaches. And the Problem Is Getting Worse