What Law Firms MUST Know About Protecting Themselves And Their Clients From Cyber Attacks

On November 7, 2013, we hosted a breakfast seminar titled “Cyber Criminals Are Targeting Law firms”. Here are the cliff notes.

George Schultzel , FBI:

  1. There are only 2 kinds of people.People who are about to be hacked; and those who’ll be hacked again.
    It’s as simple as that – either you’ve already been hacked and don’t know it (because most firms do NOT have the capability to detect breaches, data thefts, etc.) or those that are actively being attacked by their competitors, criminals and foreign governments.
  2. There are 3 types of assets you need to protect: Human, Intellectual Property and Financial Assets

Some recent FBI cases:

  • a law firm has $7 Million stolen, and they didn’t even know about it.
  • a group of 12-19 year olds was actively hacking D-list celebrities, just because they could.
  • Several law firms hired hackers to break into their competitors


  1. 90% of Zeus banking Trojan infections enter the network via email. You MUST invest in good spam filtering, network firewalls, and backups. And most importantly, keep a keen eye on your bank accounts.
  2. When you invite the FBI into your office, they conduct their investigations very discreetly.

For nation-state attacks, with your approval, they will monitor the attacks. During criminal attacks, they will come in, forensically image the systems, and take evidence. They WILL protect client confidentiality. They will NOT fix or repair your systems.

What can you to do protect your business?

According to Maria Treglia, PBC, a division of HUB International, Businesses and Organizations have an obligation to keep people’s information private.

Your existing Malpractice or General Liability policies do NOT provide appropriate coverage for hacks and cyber-theft.

In a recent study conducted by NetDiligence,

  • Personally Identifiable Information (PII) was the most frequently exposed data (28.7% of breaches), followed closely by Protected Health Information (PHI) (27.2% of breaches).
  • Lost/Stolen Laptop/Devices were the most frequent cause of loss (20.7%), followed by Hackers (18.6%).
  • Small‐Cap ($300M‐$2B) and Nano‐cap (< $50M) companies experienced the most incidents (22.9% and 22.1% respectively). Mega‐Cap (> $100B) companies lost the most records (45.6%).

The median number of records lost was 1,000. The average number of records lost was 2.3 million. Claims submitted for this study ranged from $2,500 to $20 million. Typical claims, however, ranged from $25,000 to $400,000.

So, unless you have $500,000 sitting around, doing nothing, you’re much better off buying Cyber Liabilitypolicy like Privacy/101.

Raj Goel, CISSP discussed several law-firm related case studies. Why are you being attacked? Because the criminals know you have valuable assets – sensitive data on mergers, purchases, law suits, etc. And because most law firms have the “I’ll never get hacked mentality”.

Some recent cases:

  • A former employee of a Pittsburgh, PA law firm and her husband were sentenced for hacking into the law firm
  • China-based hackers broke into 7 different Canadian law firms to get insider info on the Potash Corp/BHP Billiton merger
  • A partner in a small law firm discovered he’d been hacked when the FBI knocked on his door.
  • According to the Wall Street Journal, Client Secrets Are At Risk as Hackers Target Law Firms

George Schultzel, Special Agent, New York Division

Federal Bureau of Investigation
Desk: 212‐384‐3250, Cell: 646‐430‐2358

Maria Treglia, CPCU, RPLU

Chief Sales Officer and Senior Vice President, Program Brokerage Corporation
(PBC), a division of HUB International
Office: 516‐496‐1345, MTreglia@programbrokerage.com

Grab the slides from https://www.brainlink.com/lawfirmseminar