Your Vendors Are Putting Your Law Firm At Risk. Here’s How to Mitigate Threats.

Choosing and Being a Cyber-Safe Partner: The Consequences of One Weak Link
One of the best ways for law firms to manage their technology needs and create a high-performing tech stack is to work with a third-party vendor. Unfortunately, it can also be one of the riskiest decisions firms face.
In August of 2024, South Carolina law firm Riley Pope & Laney experienced a data breach exposing not only the firm’s own clients—corporations that oversee highly sensitive data—but the data of these corporations’ clients as well. This has led to a class action lawsuit wherein over 7,000 class members allege that their sensitive data was exposed though they had never consented to the firm’s holding of their PII in the first place. The suit alleges the cause of the breach is, as quoted from Law.com, “due to inadequate training of IT and data security agents[.]”
Essentially, this firm served as one link in a chain of vendors—the initial company holding the PII, then the firm, then the IT and data security agents. When one link breaks, it causes consequences for the entire chain. Riley Pope & Laney was accused of failing to properly notify and protect the affected parties, and now faces the consequences of a class action lawsuit with plaintiffs seeking, per Law.com:
“[…]declaratory and injunctive relief to enjoin Riley Pope & Laney from further deceptive practices and making untrue statements about the data breach. They also are seeking punitive damages and restitution, along with attorney fees and costs.”
This story underscores the importance of understanding the risks that vendors may impose on your law firm and subsequently choosing a safe third-party vendor. By doing so, your firm positions itself as a safe partner for your law firm’s clients—a position that is critical to the sustainability of your business.
Liability and Lawsuits: How U.S. Law Firms Fall Victim
Law firms make attractive targets for cyberattacks because of the sheer volume of personal information kept in their records. From identifying information such as Social Security numbers, financial records, and employment records to HIPAA-protected medical records, a breach of a single law firm can yield a goldmine for bad actors looking to defraud individuals or sell their sensitive data for large sums.
Amid similarly targeted attacks on organizations that handle large volumes of sensitive information, including healthcare and background-check companies, the New York City law firm Wolf Haldenstein Adler Freeman & Herz LLP (also referred to as Wolf Haldenstein) was swept up in a breach of records that exposed the sensitive data of more than 3.4 million individuals, including their protected medical information.
After suspicious network activity was detected, Wolf Haldenstein swiftly engaged a third-party digital forensics company to help contain and quantify the threat, but due to complications in the process, notification of the exposed and potentially stolen data only reached consumers over a year after the incident occurred.
Similarly, the law firm Thompson Coburn LLP and client Presbyterian Healthcare Services are facing a class action lawsuit after over 300,000 client records were accessed by a bad actor in an apparent breach. In the suit, reports Forbes, the plaintiffs “argue that Thompson Coburn and PHS were negligent in their cybersecurity measures, pointing to inadequate protections against recognized cyber threats.”
Third-Party Vendors Put Law Firms At Risk
According to SecurityScorecard, 98% of companies have a relationship with a third party that has been breached, and 75% of attacks targeted the software and technology supply chain. In plain terms, a third-party technology vendor is one of the largest sources of risk a company faces and a likely conduit for a breach.
When a vendor faces a security breach, the risk and consequences are not limited to that vendor alone. In cybersecurity terms, vendors, their clients, and the individuals and organizations affiliated with either form a single ecosystem. A risk to one is a risk shared by all, and an attack on one can have far-reaching effects on the livelihood and privacy of everyone involved. One breach affects not only the vendor, but also their clients, the clients of those clients, and so on.
As evidenced by the headlines referenced just above, a law firm working with an IT partner who experiences a breach will almost certainly face severe legal, financial, and/or regulatory consequences, even if the breach occurred through no fault of their own.
This is why it is incredibly important to choose an IT business partner who maintains their cybersecurity to the highest degree. One easy way to protect your firm by choosing a highly secure vendor is to look at their compliance and certification standards—the most powerful of which is attaining SOC 2 Type II compliance.
Choosing the Safest IT Partners: SOC 2 Type II Certification
SOC 2 Type II compliance is a globally acknowledged auditing standard that evaluates an organization’s controls for security, availability, processing integrity, confidentiality, and privacy. The assessment holds providers to the highest caliber of cybersecurity standards, and those who complete it are considered best in class.
The SOC 2 Type II audit process requires a company to undergo a detailed evaluation of its security practices, with its controls monitored over the audit period rather than at a single point in time, across key areas:
- Privacy: Ensuring that personal information is accessed and handled appropriately
- Confidentiality: Keeping data safe with encryption, firewalls, and access controls
- Processing Integrity: Managing and strengthening internal processes to avoid errors and establish a predictable, strategic methodology
- Availability: Assurance of dependable service and incident response capability to best serve the team and clients
- Security: Proper controls, tools, and other measures in place to protect the business and its clients
What Value Does a SOC 2 Type II Certified Partner Add for Law Firms?
Law firms evaluating IT partners should consider the SOC 2 Type II certification as a sign of trustworthiness, quality, and dedication. By partnering with a certified MSP or IT partner rather than one who has not achieved SOC 2 Type II compliance, law firms see benefits like:
- Maximized security of confidential business and client information
- Reduced risk of a data breach revealing sensitive client information
- A partner who better understands compliance standards and processes
- Greater insight and wisdom surrounding cybersecurity practices
- A safer, more reliable relationship with an IT provider
When partnering with a SOC 2 Type II certified firm, law firms can expect an elite level of understanding and proactivity that yields lower risk and greater protection for their firm and clients.
STS Earns 5th Consecutive SOC 2 Type II Compliance Certification
As a boutique MSP working exclusively with legal professionals, we understand the gravity of our unique responsibility: protecting high volumes of sensitive data on behalf of our clients and their clients as well. At STS, we’re committed to going the extra mile for our clients’ safety. For the past 5 years, we have elected to undergo the rigorous auditing process required to achieve our SOC 2 Type II certification. We’re proud to announce that we have achieved compliance for another consecutive year.
Knowing the far-reaching consequences of a breach affecting law firms, we are deeply committed to mitigating the risk to our clients by maintaining our internal security protocols, and in turn, expanding our ability to aid our clients in their own risk assessments. Through insights gained from our years of experience with SOC 2 processes and procedures, we have become a highly secure IT partner for law firms and a trusted guide and mentor for growing their cybersecurity maturity.
Get a Free Security Scan from The IT Compliance Experts
The Strategic Technology Solutions team takes pride in being a trusted and preferred choice for law firms. If you’re ready to get protected or simply want to learn more about our elite suite of cybersecurity programs for law firms, our Free Security Vulnerability Scan is a great place to start.
Our scan will uncover your firm’s security strengths and weaknesses and provide you with actionable insights for protecting your organization. By evaluating your organization to these highest standards, we can identify critical issues and uncover pressure points that threaten the safety of your law firm and clients.
Click the button below to learn more or schedule your Vulnerability Scan with our cybersecurity experts.