Lady Gaga's Law Firm Got Hacked. Now What?
Allen Grubman's New York firm says its celebrity clients have shown "overwhelming support" despite a multimillion-dollar ransomware demand. But do entertainment boutiques face special risks, both before and after an attack?
May 15, 2020 at 01:56 PM
The original version of this story was published on The American Lawyer
Every law firm has to worry about data privacy. But when your clients are Madonna, Lizzo and Bruce Springsteen, the security of their personal information takes on a special edge.
New York-based Grubman Shire Meiselas & Sacks confirmed this week that it was hit by a ransomware attack, with the hackers reportedly demanding $21 million or they'll expose 756 gigabytes' worth of documents on the firm's clients, which also include AC/DC, Lady Gaga and Robert De Niro. Late in the week reports said the demand had been doubled, and paired with a threat to release "dirty laundry" on President Donald Trump.
"We have been informed by the experts and the FBI that negotiating with or paying ransom to terrorists is a violation of federal criminal law," a spokesman for the firm said in a statement. "Even when enormous ransoms have been paid, the criminals often leak the documents anyway."
The firm said it has received "overwhelming support" from its clients since the attack, but cybersecurity experts gave mixed assessments over whether founder Allen Grubman—whom Vanity Fair has called "the most powerful attorney in the music business"—will be able to walk from this breach entirely unscathed.
Grubman Shire might be aided by the fact that data breaches are a lot more common these days, said Frank Gillman, a former Big Law chief information officer and a principal at Vertex Advisors Group.
"People in general are more understanding about companies being hit by ransomware because it's become more and more commonplace," Gillman said.
But law firms can face additional reputational peril because clients entrust them with so much confidential data, said Lisa Sotto, the chair of Hunton Andrews Kurth's global privacy and cybersecurity practice and the managing partner of its New York office.
"If I entrust my data to an organization and that trust is broken, very often than not, that individual will not renew that relationship with the organization," Sotto said. "I would expect some impact on business. Lately, it's almost inevitable a lawsuit is following a data breach."
In order to succeed on a data breach lawsuit, a plaintiff would need to prove the breach caused actual harm, Sotto said. That's a high bar, she said, but celebrity clients might have an easier time arguing harm than plaintiffs in other data breach cases.
"This compendium of data is more sensitive than others," said Sotto, who noted that, with other data breaches, a victim can take steps to mitigate the harm of identity theft or account fraud. "This data is much more difficult to contain the potential harm because it's so amorphous and reputationally damaging. There might be an easier bar to claiming harm here."
The A-list clientele of a law firm like Grubman Shire is also potentially exposed to blackmail and extortion, said Austin Berglas, a former FBI agent who is now the global head of professional services for BlueVoyant.
"They can reach out to the entertainers and extort them directly," Berglas said of the cybercriminals.
Clients would be more likely to forgive a data breach—and have fewer avenues for redress—if it took place despite stringent cybersecurity measures and wasn't caused by the firm's negligence, said Jeffrey Brandt, the chief information officer of Jackson Kelly. Conversely, those clients could leave if they worry their personal data remains vulnerable, he added. Brandt noted, for instance, that he still shops at Walmart even though the retailer has suffered data breaches.
Although Grubman Shire is a small entertainment boutique with boldface name clients, its obligations—and vulnerabilities—parallel those of any other law firm. The firm said this week that it had informed all its clients of the breach and has been working with federal law enforcement as well as "the world's leading experts."
"It's incumbent on all firms in this day and age to pay attention to security," Brandt said.
Some boutique firms may have fewer resources available to pay for cybersecurity measures than a firm like DLA Piper—also a former victim of a high-profile cyber attack—or a company like Target, cybersecurity experts said. But small firms can still enact measures like two-factor or multifactor authentication and train employees to spot phishing attempts.
Even so, a $400 million firewall can be rendered entirely useless if a person clicks on the wrong email, Berglas said.
"All it takes is one malicious phishing email to be clicked on by an employee in your financial department," Berglas said. "Now that bad actor has gained the username and password for that employee, and circumvented that wall."