Risk Update

Risk Reading — Law Firm Cybercrime/Reputation Mitigation, Law Firm Insurance Landscape, Firm Dodges Discovery-driven Disqualification

Protecting law firm data and reputation: A guide to cybercrime mitigation” —

  • “Whether it is identifying ransomware, phishing schemes, and data breach threats, or rolling out robust cybersecurity measures, comprehensive risk management strategies, tabletop exercises, and heightened internal awareness campaigns, the goal is to arm you to protect your reputation and data, and most importantly, your clients.”
  • “Law firms and their clients are facing an unprecedented rise in cybercrime, with 2024 being the biggest year yet for cybersecurity incidents. The American Lawyer and Bloomberg Law report that at least 21 law firms filed data breach reports to state attorneys general offices in the first five months of 2024, preceded by 28 law firm breach reports in 2023, and 32 in 2022 According to one survey, more than half of law firm respondents who experienced a security breach lost confidential client data — among the worst things that can happen to a law firm.”
  • “To a cybercriminal, law firms are a treasure-trove of sensitive and confidential information, including IP, internal personnel and financial records, and business, financial, and personal client information. Cyberattacks have exposed vulnerabilities within law firms, leading to significant financial losses, reputational damage, and legal repercussions. Law firms have been subject to class-action lawsuits and have unknowingly contributed to insider trading that has cost companies millions of dollars—all because of cyberattacks.”
  • “In a recent review of ransomware attacks:
    • 12 percent of attacks on law firms resulted in a lawsuit.
    • Of those, when you include the 25 percent of matters that were settled out of court, the law firm lost every time.”
    • Only 26 percent of law firms believe their firm is ‘very prepared’ to respond to cyber incidents.”
    • In one survey, 39 percent of law firm respondents reported awareness of a security breach in the last year, and56 percent lost confidential client data. Sixty percent identified the sophistication level of the attacks as the biggest challenge in reducing risk.
    • Law firms face an average ransom demand of $2.5 million, globally.”
  • “While all cyberattacks are concerning, once you have reason to believe your law firm has been targeted, it’s important to differentiate between a cyber incident and a cyber breach. The consequences and necessary responses can vary significantly.”
  • “Cyber incident (no data captured): A cyber incident refers to an event where a law firm’s security systems are compromised, but no sensitive data is captured or accessed by unauthorized parties. Examples include a successful denial-of-service (DoS) attack that temporarily disrupts operations or an attempted phishing attack that is caught by the firm’s security measures.”
  • “While these incidents may not result in the direct loss of data. they still expose vulnerabilities that need to be addressed to prevent future breaches.”
  • “Cyber breach (data compromised): A cyber breach, on the other hand, involves unauthorized access to sensitive or confidential information. This is the scenario that law firm IT departments fear the most. A breach can expose critical client data, such as Social Security numbers, financial records, HIPAA-protected personal information, or intellectual property.”
  • “The legal, financial, and reputational fallout from a breach can be catastrophic, often requiring significant resources to manage the aftermath and restore trust with clients and stakeholders.”

Expanding risks drive lawyers liability claims” —

  • “The market for lawyers professional liability insurance remains stable, with rate increases mainly in the single digits and ample capacity available, but claims are rising, and law firms’ exposures are changing.”
  • “As the corporate transactions on which large law firms provide legal services expand, lawyers’ liability exposures for issues such as conflict of interest and clerical errors are growing, experts say.”
  • “Also, firms of all sizes are grappling with how to reap the benefits of generative artificial intelligence without jeopardizing client confidentiality.”
  • “Law firms are facing increasingly large malpractice claims, said Eileen Garczynski, McLean, Virginia-based equity partner and senior vice president at Ames & Gough.”
  • “According to the specialty brokerage’s most recent claims survey of major lawyers professional liability insurers, about 10 settlements of over $100 million occurred between 2020 and 2024.”
  • “Conflict of interest was the most frequent cause of malpractice claims, followed by scrivener or clerical error claims.”
  • “In one high-profile conflict of interest case, Dentons was hit with a $32.3 million verdict in Revolaze LLC v. Dentons US LLP, a patent case in which it represented the patent owner and another office of the firm had legal relationships with one of the alleged patent violators. An appeals court upheld the verdict in 2022.”
  • “In the 14 years that Ames & Gough has conducted its survey, claims have closely tracked developments in the general economy, usually rising a couple of years later, Ms. Garczynski said. For example, claims of alleged malpractice related to tax advice rose in the years following significant tax code changes. In recent years, claims related to immigration law have grown in number.”
  • “Looking ahead, the recent growth in cyberattacks could lead to malpractice claims related to client data, though increasingly lawyers professional liability insurers are inserting cyber exclusions in policies, Ms. Garczynski said.”
  • “Medium-sized and large law firms are seeing more large malpractice claims as mergers and acquisitions and other transactions grow, and they are hitting high excess coverage layers, said Noreen Calisto, New York-based associate director, professional services practice, at Willis Towers Watson PLC.”
  • “‘Law firms are doing more big transactions, and they’re so big, even a small error could result in significant exposure,’ she said.”
  • “‘Some clients might ask for the firm to use AI because it could be a cost-cutting measure for searching documents and things like that, but they’re very careful when using it and in putting parameters around how their lawyers can access AI tools,’ said Maggie O’Donnell, Chicago-based chief client officer for professional services at Aon PLC.”
  • “The market for lawyers professional liability insurance is largely stable, experts say. ‘There’s plenty of capacity in the market right now. Currently, there might be as much as $680 million of capacity for U.S. law firms to access,’ Ms. O’Donnell said.”
  • “But with claims rising, underwriters are closely managing their capacity, she said. ‘As the deals firms work on get bigger, they may look to buy more capacity, but the markets are very careful about the capacity that they put out,’ Ms. O’Donnell said.”
  • “‘Pricing has been moving up steadily, not double-digits but single-digits,’ since 2021, she said. And that trend will likely continue through year-end, she said.”

GRSM50 Won’t Be Disqualified In Detroit Hotel Firing Suit” —

  • “A Michigan federal judge has refused to disqualify Gordon Rees Scully Mansukhani LLP from representing an upscale Detroit hotel in a retaliation suit filed by three fired employees, but flagged the firm for being ‘negligent’ in its handling of discovery in the case.”
  • “In an opinion Thursday, U.S. District Judge Linda V. Parker ruled that plaintiffs Maria Victoria Ferrer, Charles Lisée and Miya Shani Hooks can amend claims in their complaint, but rejected the bid to disqualify Gordon Rees as defense counsel. However, the judge ordered the firm’s client, The Detroit Club, to pay attorney fees the plaintiffs incurred in connection with its sanctions bid and in preparing summary judgment filings.”
  • “‘This court cannot conclude that defendants engaged in ‘contumacious conduct,” Judge Parker said. However, certain ‘discovery violations appear to have been willful, at least on the part of defendants as opposed to their counsel,’ the judge said.”
  • “Documents uncovered during discovery ‘reflect that defendants were aware of previous complaints of racism brought by Detroit Club employees, workers, and patrons,’ despite the club’s prior denial ‘that anything of the sort had ever occurred’ and its failure ‘to disclose electronic communications discussing these matters,’ the opinion said.”
  • “‘Counsel, on the other hand, seems to have been simply negligent in overseeing defendants’ responses to plaintiffs’ discovery requests — for example, not providing sufficient guidance to defendants to locate relevant electronic documents responsive to plaintiffs’ discovery,’ the opinion said. ‘More importantly, however, there is no evidence to suggest that counsel was more involved.'”
  • “The workers who filed the suit weren’t ‘significantly prejudiced’ by the discovery conduct, the judge said, and have now obtained the documents at issue, including ones the trio contend show that the club’s managers lied during depositions.”
  • “‘To the extent the now-obtained discovery shows that a witness testified untruthfully at his or her deposition, the ability to present that falsehood to a jury to impeach the witness is a far more powerful weapon than most of the sanctions this court would be inclined to impose,’ Judge Parker said.”
  • “The judge said she was not convinced that Gordon Rees should be booted as defense counsel, citing case law in saying that ‘disqualification is an extreme sanction reserved for ‘when there is a reasonable possibility that some specifically identifiable impropriety actually occurred.””
  • “In this case, it isn’t clear whether ‘the failure to disclose the documents at issue was due to inadequate search terms, as opposed to defendants’ unwillingness to produce what was found,’ the opinion said.”