Law firms continue to be prime targets for cybercriminals, and the latest high-profile case involves Blank Rome. A proposed class action lawsuit filed this week in Pennsylvania federal court accuses the firm of failing to adequately protect sensitive client data after a May 2026 breach.
This isn’t an isolated incident. With hackers increasingly going after firms that hold troves of financial records, litigation materials, Social Security numbers, and other highly sensitive client information, data breaches in the legal sector are becoming all too common.
What Happened at Blank Rome
According to the complaint filed by plaintiff Laura Delapaz (a California resident and allegedly one of 57,554 affected current, former, or prospective clients), hackers gained access to personal information including names, birth dates, addresses, and taxpayer identification numbers.
The firm reportedly waited more than a month to notify affected individuals. The breach was disclosed following a social engineering attack: attackers impersonated the firm’s IT department and tricked an attorney into uploading files to an external site.
Blank Rome described it as a “limited incident” and stated they believe the lawsuit has no merit, promising a vigorous defense. The plaintiff’s lawyers allege the firm failed to provide adequate employee cybersecurity training and lacked reasonable security safeguards.
Broader Trend: Law Firms Under Siege
Blank Rome joins a growing list of major firms facing similar litigation. In the past year, firms such as Fox Rothschild, Wiley Rein, Pillsbury, and Kelley Drye have been hit with breach-related class actions. Others, including Gunster Yoakley & Stewart, Orrick Herrington & Sutcliffe, and Bryan Cave Leighton Paisner, have settled claims in recent years.
Why law firms? They store exactly the kind of high-value, sensitive data that hackers crave — without always having the same level of cybersecurity maturity as large banks or tech companies. Many still rely on traditional practices that create vulnerabilities to phishing and social engineering.
Law Firm Compliance and Risk Lessons
This case underscores several critical issues for law firms and any organization handling sensitive personal data:
- Notification Timelines Matter: Delayed breach notifications can strengthen class action claims and draw regulatory scrutiny under state data breach notification laws.
- Employee Training Is Non-Negotiable: Social engineering remains one of the most successful attack vectors. Regular, realistic training and phishing simulations are essential.
- Vendor and Access Controls: Strict protocols around file uploads, external sharing, and verification of IT requests can prevent many incidents.
- Incident Response Planning: Having a tested plan that includes rapid investigation, clear notification procedures, and client communication strategies is critical for damage control.
For clients of law firms, this is also a reminder to ask about data security practices during engagements, especially when sharing highly sensitive information.
Law Firm Privacy Compliance
If your organization (law firm or otherwise) handles significant volumes of personal or confidential data:
- Conduct a thorough review of current cybersecurity policies and training programs.
- Implement multi-factor authentication everywhere possible and zero-trust principles for sensitive systems.
- Update incident response plans and test them regularly.
- Consider cyber insurance that specifically covers breach notification and class action defense costs.
- Document all security measures — strong documentation can be a powerful defense in litigation.
The legal industry’s handling of client data is under increasing scrutiny. Proactive compliance isn’t just about avoiding lawsuits — it’s about maintaining client trust in an era where data breaches can make national headlines.
Stay vigilant — in today’s threat landscape, cybersecurity is a core compliance responsibility.