RISKS
What happened
Bryan Cave Leighton Paisner (BCLP) is the latest Big Law firm to be struck by a cyber breach involving sensitive client data.
The breach exposed the personal data of more than 50,000 current and former employees of Mondelēz International, the snack food company that makes Oreo cookies and Ritz crackers.
BCLP discovered in late February that it had been hacked, and that certain client files were among the affected areas, according to a sample notice Mondelēz sent to affected employees June 15. The information stolen included employee dates of birth, Social Security numbers, and home addresses.
The firm initiated a “robust” investigation with the assistance of an outside cybersecurity forensics firm and also notified law enforcement, according to the notice obtained by the British tech website The Register. The firm informed Mondelēz of the breach March 24, the notice said.
“On May 22, 2023, based upon additional information received from Bryan Cave, Mondelēz determined that it finally had enough information to determine who was impacted and that affected individuals should be notified,” the company notice says.
The Mondelēz notice said the incident did not occur on or affect company systems “in any way.”
According to the Maine attorney general’s office, 51,110 people were affected by the breach.
According to a BCLP statement issued by a firm spokeswoman, “we immediately took measures to contain the incident” after learning of the issue. The firm was assisted by a leading forensics firm, coordinated with law enforcement, and is communicating with affected stakeholders.
“We remain able and focused on continuing to serve our clients as we resolve this matter,” the statement said.
“We take the security of our employee data very seriously,” said a Mondelēz statement provided by a company spokeswoman. “We took immediate steps once we were notified about this situation, and we are continuing to work with our partners to provide impacted employees with appropriate assistance.”
BCLP has been sued in a class action lawsuit filed in the Northern District of Illinois. The complaint, filed by law firm Turke & Strauss of Madison, Wisconsin, took issue with the three-month period between the hack and the breach report, accusing the law firm and the company of leaving the employees vulnerable to identity theft.
The counts levied against Bryan Cave included negligence, breach of implied contract, breach of contract, unjust enrichment, and invasion of privacy.
BCLP is the latest in a long list of Big Law firms struck by cyberattacks and data breaches. In the same month, Gibson, Dunn & Crutcher, Loeb & Loeb and Orrick Herrington & Sutcliffe reported data breaches to attorney general offices in Massachusetts and California.
Loeb & Loeb’s data breach occurred in June 2022, according to a report filed to the California Office of Attorney General, which means that notification occurred nearly a full year after the breach. As stated in the notification, the breach impacted “certain information related to current or former clients and employees.”
An unauthorized third party reportedly accessed two electronic file repositories at a Massachusetts office of Gibson Dunn, the firm said in a statement. Gibson Dunn hired “leading third-party cybersecurity experts” to investigate and contained the incident within one day. “There was no operational impact or impairment to Gibson Dunn’s network or systems. We have been working closely with federal law enforcement and have taken additional security measures to reduce the risk of future incidents,” the firm said. Public records indicate three residents of the state had Social Security numbers and driver’s license numbers accessed by the third party; the firm declined to say whether any client data was accessed.
The four June reports follow a string of law firm data breaches reported in the past year. In April, Proskauer Rose confirmed it was hacked through a third-party vendor contracted to set up the firm’s cloud site through Microsoft Azure. Cadwalader, Wickersham & Taft had its internal document management system taken offline for weeks in a November breach, and New Jersey-based midsize firm McCarter & English suffered a breach that hobbled the firm’s internal communications last April.
Why is this important?
Cyberattacks on law firms are growing in number and severity. According to American Lawyer, law firm data breaches compromised the personal data of at least 720,000 Americans in 2021, up from 46,000 Americans in 2020 and fewer than 20,000 in the previous six years.
Attacks on law firms aren’t limited to just the US. French and British authorities say that mercenary hackers increasingly are targeting law firms in a bid to steal data that could tip the balance in legal cases.
What does this mean to me?
If you’re a law firm, your firm’s data is under attack perhaps more than it ever has been. If you’re not a law firm, you’re relying on the law firm(s) you retain to protect your organization’s data. Many of them are failing to do so.
APPROACHES
Helpful Controls
- Multi-Factor Authentication (MFA)
- Incident Response Plan (IRP)
- Duty of Care Risk Assessment (DoCRA)
- Third-Party Risk Management (TPRM) Services
Commonality of attack
High
Article on story
Bryan Cave Hit by Cyberattack Involving Client Mondelez’s Data
HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, and more that impact your risk management program.