While data breach incidents affecting the entertainment, retail, healthcare, and financial industries have garnered more attention in past years, the data breach spotlight recently shifted to law firms.
This shift was triggered by media coverage of the breach and leak of the Panama Papers, and by reports that, in 2015, hackers breached the networks of two well-known and highly regarded U.S.-based firms, Cravath, Swaine & Moore and Weil, Gotshal & Manges. It also has been reported that a Russian cybercriminal recently attempted to breach the systems of dozens of other major firms, seeking insider information on which to trade.
Law firms, which tend to lag behind businesses in other industries in data security preparedness, are entrusted with financial, intellectual property, medical, and embarrassing personal data that may draw cybercriminals. Breaches of this data expose law firms to potentially massive liability. Erosion of client confidence and reputational injury may be the most obvious (and hardest to quantify) examples, but firms also are exposed to malpractice lawsuits alleging negligent handling of confidential client data and to state agency and private actions for failure, in the wake of breaches, to timely notify affected individuals, including employees, clients, and other parties and witnesses to litigations. Attorneys employed by firms that experience breaches also may be found to have violated the rules of professional conduct.
In light of these risks, law firms should act expeditiously to safeguard the data under their care and should consider these recommendations for key actions they can take to prevent breaches from occurring and to effectively respond to them if they do.