
Law firm data breaches 2018 stats

Technology for Lawyers

Published: March 8, 2019

The 2018 ABA Techreport had some interesting tidbits on law firm data breaches.

One thing to note before we trot these stats out is that this is all self-reported, so maybe, just maybe, take these stats with a grain of salt.

As then-FBI director Robert Mueller said in 2012: “There are two kinds of companies—those that have been hacked and those that will be hacked.”

As we all know by now, a lawyer’s duty to keep clients’ matters confidential extends to data security. This means, again, that a law office data breach can be actionable as an ethics violation under Model Rules 1.1 and 1.6 and their attendant comments.

So, anyway, the firms that responded to the ABA’s 2018 technology survey reported that about 23 percent of them had ever experienced a data breach of any kind at any time.

Breach in this survey is loosely defined to include anything from actual computer hacking to a lost laptop or cell phone. Believe that if you want.

Digging a little further down, as could be expected, the larger the firm, the larger the percentage of reported breaches. Fourteen percent of solos and 23 percent of mid-sized firms had data breaches, while anywhere from 30 to 40 percent of the larger firms experienced reported breaches.

As reported from other sources before, though, somewhere around 100 percent of the top 50 or so mega-firms have reported breaches. Because that’s where the most valuable data is, if you were wondering.

Nevertheless, the larger the firm, the less likely that the data breach compromised client data.

In fact, the largest firms reported that, no matter how many times they were breached in 2018, no client data was compromised. Or so they said—more than a third of the respondents “did not know” if client data was compromised. Nice, eh?

Again, believe that if you want to. That is in contrast to solos, who reported that up to a quarter of their data breaches compromised client data.

A substantial plurality of all firms did report that they had downtime, lost income and expenses related to data breaches.

That’s called “the cost of doing business” in the law world today.