When Your Law Firm Gets Hacked
What Partners Wish They Fixed First, Before It Was Too Late
It's Monday morning. You walk into the office. Every screen shows the same message: 'Your files have been encrypted. Pay $850,000 in Bitcoin within 72 hours or your client data is published online.' Here's what happens next, and what every partner who's been through it wishes they had done differently.
The first 24 hours after a ransomware attack determine whether your firm survives. 60% of small law firms that experience a major breach close within 6 months.
The Monday Morning That Changes Everything
Partners who've been through a ransomware attack describe a specific feeling: a strange combination of disbelief and immediate dread. Not because of the ransom demand, but because of the sudden realization that every conversation, every case file, every client communication just became visible to strangers. And then the clock starts. Client notification deadlines. Court deadlines. Cyber insurer calls. Bar ethics hotline. All at once.
What Actually Happens in the First 72 Hours
Hour 1-2: Controlled Panic
IT is called. Or if there's no IT, a partner who 'knows computers' is called. Systems are unplugged from the network, but the encryption has already run.
Hour 2-8: Scope Assessment
You try to understand what was encrypted. Everything? Just some files? Is email down? Is backup encrypted too? (For most firms: yes, yes, yes, and yes.)
Hour 8-24: Calling for Help
Cyber insurer is called. They begin the claims process. A forensic firm is engaged, often chosen by the insurer, not you. The forensic firm's first report is never good.
Day 1-3: Client Notification Decisions
Legal counsel advises on notification obligations. Different states have different timelines. Some require notification within 72 hours. Who are the affected clients? Do you even know?
Day 3-14: Negotiation or Rebuild
If paying ransom, a negotiation firm is engaged. Ransom is paid in crypto. Decryption keys may or may not work. If rebuilding from backup: when were the backups last tested? If never, they likely don't work.
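The 'were the backups ever tested' question has a concrete answer only if someone regularly performs a restore drill: pull the archive, restore it somewhere disposable, and prove the restored files match what was backed up. The script below is an added example written for this article, not something from the firm or vendor it describes. It assumes GNU tar and sha256sum are available, builds a small constructed set of sample case files, backs them up with a checksum manifest, restores into a scratch directory and verifies every file; it then damages the archive on purpose to show the drill reporting a failure instead of a false 'we have backups'.

```shell
#!/bin/sh
# Added example (not from the article): a backup restore drill.
# Assumes GNU tar and sha256sum. All files and paths below are constructed.
set -u

# Create a constructed "case file" tree under $1, record a SHA-256 manifest
# of every file, and archive the tree. In practice the archive would come
# from the firm's real backup system and the manifest would be kept with it.
make_sample_backup() {
    work="$1"
    mkdir -p "$work/cases/smith-v-jones" "$work/cases/acme-merger"
    printf 'deposition notes, constructed sample\n' > "$work/cases/smith-v-jones/notes.txt"
    printf 'term sheet v3, constructed sample\n' > "$work/cases/acme-merger/terms.txt"
    (cd "$work" && find cases -type f | sort | xargs sha256sum > manifest.sha256)
    (cd "$work" && tar -cf backup.tar cases)
}

# Restore $1 (tar archive) into a fresh scratch directory and check every
# file listed in $2 (manifest with paths relative to the archive root; pass an
# absolute path). Returns 0 only if extraction AND every checksum succeed.
verify_backup_restore() {
    archive="$1"
    manifest="$2"
    scratch=$(mktemp -d)
    if ! tar -xf "$archive" -C "$scratch" 2>/dev/null; then
        echo "RESTORE FAILED: archive could not be extracted"
        rm -rf "$scratch"
        return 1
    fi
    # sha256sum -c re-hashes each listed file; a missing or altered file fails.
    if (cd "$scratch" && sha256sum -c --quiet "$manifest" >/dev/null 2>&1); then
        echo "RESTORE OK: all files match manifest"
        rm -rf "$scratch"
        return 0
    fi
    echo "RESTORE FAILED: restored files do not match manifest"
    rm -rf "$scratch"
    return 1
}

# Simulate silent media damage: overwrite three 512-byte tar blocks starting
# at block 1 with 'X' characters. Depending on what those blocks held, tar
# either refuses the archive or restores an incomplete tree; both must be caught.
corrupt_archive() {
    archive="$1"
    head -c 1536 /dev/zero | tr '\0' 'X' | dd of="$archive" bs=512 seek=1 conv=notrunc 2>/dev/null
}

# Stand-alone demo: a healthy backup passes, the damaged copy is reported.
demo_dir=$(mktemp -d)
make_sample_backup "$demo_dir"
verify_backup_restore "$demo_dir/backup.tar" "$demo_dir/manifest.sha256"
corrupt_archive "$demo_dir/backup.tar"
verify_backup_restore "$demo_dir/backup.tar" "$demo_dir/manifest.sha256"
rm -rf "$demo_dir"
```

The point of the drill is the return code, not the message: schedule it (weekly is a common choice) against a backup taken from the live system, alert when it returns non-zero, and keep the manifest somewhere the backup job cannot overwrite, so a corrupted or silently failing backup is discovered during a quiet week rather than on the Monday the ransom note appears.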
What Partners Universally Wish They Had Fixed First
'We had backups. They didn't restore properly. We lost 18 months of work.'
'One attorney's email was compromised for three months. That's how the ransomware got in.'
'Because our files weren't segmented, every client was potentially exposed, not just the ones from the compromised email.'
'We wasted 6 hours figuring out who to call. We should have known that before it happened.'
'Our policy had a $100K limit. The total breach cost was $1.4 million.'
'A paralegal clicked a link in an email that looked exactly like a UPS delivery notification. That's how it started.'
The Real Cost of a Law Firm Breach
"I would have paid $50,000 for proper IT security without thinking twice. Instead I paid $850,000 in ransom and another $600,000 in breach costs."
- Managing Partner, post-breach interview
The 8 Things That Separate Firms That Survive From Firms That Don't
The One Question That Changes Everything
Every managing partner who has been through a ransomware attack says the same thing when asked what they'd do differently: 'I would have paid for a proper security assessment and fixed what they found. It would have cost a fraction of what the breach cost.' The tragedy is that proper IT security for a law firm costs between $1,500 and $4,000 per month depending on size. A breach costs 100 times that, minimum.