
Law Firms Are Now the #2 Ransomware Target. Here's Why.


According to recent data from cybersecurity firms tracking ransomware incidents, law firms have become the second most targeted industry after healthcare. The reasons are straightforward: law firms hold extraordinarily sensitive data, often have weaker security than their clients, and face enormous pressure to pay ransoms to protect client confidentiality.

Why Law Firms Are Attractive Targets

Data Value

A single law firm may hold: merger and acquisition details that could be traded on before announcement, intellectual property from patent filings, medical records from personal injury cases, real estate transaction details, trust and estate documents with full financial information, and litigation strategy that opposing parties would pay for. The data density in a law firm rivals any industry, and much of it belongs to clients whose own security programs are far stronger than the firm's.

Ethical Obligations Create Pressure

Attorneys have ethical duties of confidentiality under ABA Model Rule 1.6. A ransomware gang that steals client data and threatens to publish it puts the firm in an impossible position: pay the ransom or face potential bar complaints, malpractice claims, and client exodus. This leverage drives higher ransom payments.

Weaker Security

Most law firms, especially small and mid-size firms, invest less in IT security than comparably sized businesses in other industries. Many still use shared passwords, lack MFA on email and remote access, run unpatched software, and have no incident response plan.

Notable Law Firm Attacks

  • Grubman Shire Meiselas & Sacks: Entertainment law firm hit by REvil in 2020. The gang demanded $21 million, doubled the demand to $42 million when the firm refused to pay, and began publishing stolen client files, including documents relating to Lady Gaga; Madonna and Bruce Springsteen were among the other clients whose data was claimed.
  • Campbell Conroy & O'Neil: Litigation firm that disclosed a 2021 ransomware attack affecting clients including Fortune 500 companies.
  • Many smaller firms: Incidents go unreported because small firms often pay quietly to avoid publicity.

What Law Firms Must Do

  1. Encrypt data at rest and in transit. Full disk encryption on every laptop and phone. Encrypted email or a client portal for client communications. Encrypted cloud storage for documents. Note the limit of this control: encryption at rest protects a lost or stolen device, but it does nothing against an attacker who signs in with a stolen password and reads files exactly as the user would. Against ransomware and data theft, the next two items matter more.
  2. Implement MFA immediately. On email, the document management system, remote access (VPN and remote desktop), and cloud services. Most cyber insurers now require it, and it is increasingly treated as part of the "reasonable efforts" to protect client information that the ethics rules demand.
  3. Segment client data. Matter-based, deny-by-default access controls mean a compromised account exposes only the matters that person actually works on, not every client the firm has. A firm-wide shared drive readable by every login is the opposite of this.
  4. Get cyber insurance. Malpractice insurance typically excludes cyber incidents. Dedicated cyber coverage is essential, and the application will ask about items 1 through 3.
  5. Have a breach response plan. Include bar and state breach-notification requirements, client notification procedures, engagement with forensic investigators and breach counsel, and how systems will be restored from backups the attacker could not reach or alter.
  6. Review ABA Formal Opinion 483 (2018). It specifically addresses lawyers' obligations after an electronic data breach or cyberattack, including the duty to notify affected current clients.
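Item 3 is the one on this list that is a design decision rather than a purchase, so here is a worked illustration of it. This is an added example, not code from the original post or from any particular document management product: a small deny-by-default access model in which every document belongs to a matter, a user can read a document only if explicitly assigned to that matter, and an ethical wall (conflict screen) overrides any assignment. The matter numbers, user names and documents are constructed sample data. The function compromised_account_reach() answers the question that matters after a credential theft: how much of the firm's corpus does one stolen login expose?

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    matter_id: str
    client: str


class MatterAccessPolicy:
    """Deny-by-default, matter-scoped read access with ethical walls.

    A user may read a document only if (a) explicitly assigned to the
    document's matter and (b) not walled off from that matter. Walls win
    over assignments, so a conflict screen survives an accidental grant.
    Every decision is appended to an audit list so that an account that
    suddenly probes matters it is not assigned to can be spotted.
    """

    def __init__(self) -> None:
        self._assigned: dict[str, set[str]] = defaultdict(set)  # user -> matters
        self._walled: dict[str, set[str]] = defaultdict(set)    # user -> matters
        self.audit: list[tuple[str, str, str]] = []             # (user, doc_id, decision)

    def assign(self, user: str, matter_id: str) -> None:
        self._assigned[user].add(matter_id)

    def wall(self, user: str, matter_id: str) -> None:
        self._walled[user].add(matter_id)

    def can_read(self, user: str, doc: Document) -> bool:
        allowed = (doc.matter_id in self._assigned[user]
                   and doc.matter_id not in self._walled[user])
        self.audit.append((user, doc.doc_id, "allow" if allowed else "deny"))
        return allowed

    def reachable(self, user: str, documents: list[Document]) -> set[str]:
        """Everything an attacker holding this user's credentials could read."""
        return {d.doc_id for d in documents if self.can_read(user, d)}

    def denied_count(self, user: str) -> int:
        return sum(1 for u, _, decision in self.audit
                   if u == user and decision == "deny")


# Constructed sample corpus: four matters for four different clients.
DOCUMENTS = [
    Document("ma-term-sheet.pdf", "M-1001", "Acme Corp"),
    Document("ma-diligence.xlsx", "M-1001", "Acme Corp"),
    Document("patent-draft.docx", "M-1002", "Globex"),
    Document("medical-records.pdf", "M-1003", "J. Doe"),
    Document("estate-plan.docx", "M-1004", "R. Roe"),
]


def build_policy() -> MatterAccessPolicy:
    """Constructed assignments (hypothetical users, not real people)."""
    policy = MatterAccessPolicy()
    policy.assign("partner.a", "M-1001")
    policy.assign("partner.a", "M-1002")
    policy.assign("paralegal.b", "M-1003")
    policy.assign("paralegal.b", "M-1004")
    # paralegal.b previously worked for Acme's counterparty: screened from
    # M-1001. The accidental grant below is neutralised by the wall.
    policy.assign("paralegal.b", "M-1001")
    policy.wall("paralegal.b", "M-1001")
    # "shared.firm" models the firm-wide shared drive every login can read.
    for matter in ("M-1001", "M-1002", "M-1003", "M-1004"):
        policy.assign("shared.firm", matter)
    return policy


def compromised_account_reach(user: str) -> dict:
    """Blast radius of one stolen credential versus the whole corpus."""
    policy = build_policy()
    reach = policy.reachable(user, DOCUMENTS)
    return {
        "reachable": sorted(reach),
        "total": len(DOCUMENTS),
        "denied": policy.denied_count(user),
    }


if __name__ == "__main__":
    for account in ("partner.a", "paralegal.b", "shared.firm"):
        r = compromised_account_reach(account)
        print(f"{account}: {len(r['reachable'])}/{r['total']} documents exposed")
```

The point of the last account is the contrast: with matter-scoped grants, stealing paralegal.b's password exposes two documents out of five; with a firm-wide shared drive, the same theft exposes all five. The denied_count() figure is the detection hook: a legitimate user rarely touches matters outside their assignments, so a spike in denials from one account is worth an alert.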

Your clients trust you with their most sensitive information. That trust requires investment in protecting it.