The Panama Papers and Implications for Cyber Security in Law Firms

By Alan Meneghetti, Esq., Natasha Ahmed, Esq. and Philippa Townley, Esq. of Locke Lord LLP

What seems like a long time ago now, in 2011, PricewaterhouseCoopers (PwC) warned that "there is no question that law firms are among the companies being targeted by cyber criminals." Despite this, many law firms believed that they were unlikely to be the target of a cyber-attack (or just did not feel the risk significant enough). In the same 2011 report, PwC reported that "a number of law firms believe they were too small or obscure to warrant the interest of professional hackers," and Legal Week has also reported that law firms are far less likely (to the order of 35%) to have a response plan in place for cyber-attacks than non-legal professionals (a slightly better 52%).

The issue of cyber-security at law firms has been brought to the fore in recent weeks due to two significant data breach incidents which have targeted the legal sector. In March 2016, New York security firm Flashpoint issued a statement to 48 prestigious law firms warning them that they had been targeted by a Russian cyber-criminal (known as "Oleras"). New York firm Cravath Swaine & Moore (which also has an office in London) confirmed that its systems had been breached the previous summer.

Just a few weeks later, news emerged of a major document leak from the off-shore Panamanian-based law firm Mossack Fonseca. This is the biggest document leak in history, bigger than the 2010 Wikileaks and the 2013 Edward Snowden disclosures combined. More than 11.5 million documents (or 2.6 terabytes of data) were leaked to German newspaper Süddeutsche Zeitung, which went on to share the leaked information with the International Consortium of Investigative Journalists.

The fallout from the leak is significant and continues to bring headline news on a near-daily basis. So far:

  • Iceland's prime minister Sigmundur Gunnlaugsson resigned after his family was accused of concealing millions of dollars in an offshore account;
  • Uruguayan lawyer Juan Pedro Damiani resigned from his role as an ethics judge at FIFA, and FIFA president Gianni Infantino has been accused of signing off a contract entered into by two businessmen who have been accused of paying millions of dollars in bribes to South American football officials;
  • on Tuesday 5th April and Wednesday 6th April, David Cameron and Downing Street confirmed that the prime minister does not benefit from any offshore funds, and on Thursday 7th April the prime minister revealed that he had owned shares in Blairmore Holdings, an offshore fund set up by his father.

The UK Prime Minister, as well as various other ministers in the UK, has now made public his tax returns. And the repercussions continue on a daily basis.

Founding partner of Mossack Fonseca, Ramon Fonseca, has been quoted as saying of the Panama Papers leak that "This is not a leak. This is a hack." Whether a leak or a hack, these recent stories raise concerns about the ability of law firms to protect themselves and their clients' data from data breaches.

In April 2015, the UK Law Gazette reported that in 2014 the Information Commissioner's Office (the ICO, which is the UK's national data protection authority) investigated 173 law firms for potential breaches of the UK Data Protection Act 1998. The ICO has noted that data breaches reported by solicitors and barristers increased by 32% from 2013/2014 to 2014/2015, and accounted for 4.5% of all reported breaches.

In its 2015 Annual Law Firms' Survey, PwC reported that 62% of the law firms reviewed had reported being the victim of cyber-attack(s), which represents an increase of nearly 20% from 2014 (45% of law firms reviewed had reported a cyber-attack(s) in 2014).

Why are law firms being targeted by cyber-attackers?

Cyber-attackers attack companies, including law firms, to obtain information for a variety of reasons, including economic (or industrial) espionage, insider trading, holding the victim to ransom, making fraudulent purchases and, of course, ideological causes. In the case of the Oleras hack, reports have stated that the hackers were seeking insider information in relation to confidential, undisclosed mergers and acquisitions in order to use this information for insider trading. In 2012, an Anonymous offshoot, "AntiSec," hacked a Washington law firm, claiming to have done so in order to expose "rich and powerful oppressors."

So why go for law firms? The Law Society of England and Wales believes it is because "law firms are particularly attractive sources of information." Law firms are often considered to be "soft targets," providing easier access to confidential information about businesses than those businesses themselves due to the fact that, for the most part, they have relatively lax security systems in place.

What can law firms do to protect themselves against data breaches?

The ICO, the Law Society of England and Wales, and the English Solicitors Regulation Authority (the SRA) all recognize the increased threat of cyber-attacks to law firms and have each published guidance setting out practical steps that can be taken to improve security. The Law Society has set up a page dedicated to providing advice to lawyers and law firms on how to avoid cyber-attacks, and the SRA has published a document dedicated to highlighting cybercrime risks to law firms and also its latest Risk Outlook report, both of which provide practical advice for legal practitioners.
