The Wiley Rein Data Breach Lawsuit: Yet Another Cybersecurity Wake-Up Call
The Wiley Rein Data Breach Lawsuit: Yet Another Cybersecurity Wake-Up Call
Publish Date: 2026-06-02 10:46:00
Source Domain: abovethelaw.com
Using an unordered list, summarize the following article with between 4 and 8 key points.
Wiley Rein, one of Washington’s most prominent Am Law 200 firms, has now been sued for damages from a data breach. And it illustrates exactly what I and others have been warning about.
We have frequently written about the dangers of data breach and the lack of cybersecurity concerns among many law firms. Law firm management often doesn’t understand cybersecurity threats, thinks it won’t happen to them, leaves it entirely in the hands of IT and believes the cybersecurity insurance policy the firm has will protect them. They fail to see or don’t want to see the risks that can be significant to the very lifeblood of the firm.
But now add to already existing risks the fact that a breach might just get the law firm sued, compounding existing harms exponentially.
The Wiley Rein Lawsuit
Wiley Rein, which, somewhat ironically, touts its expertise in things like insurance and regulatory work, was recently sued for a data breach that allegedly involved thousands of individuals. Wiley Rein had no direct client relationships with many of these people but their personal information was nonetheless in firm files and thereby exposed. The suit was filed in federal District Court for the District of Columbia. It alleges the sensitive material was obtained by hackers and then sold on the dark web.
Also, according to the complaint, the hackers gained access in 2024, but the firm didn’t discover it until June 2025. In addition, the suit alleges that the firm failed to give proper notice to those affected until March 2026, some two years after the hackers got in.
Importantly, the suit, brought as a class action, alleges that the firm failed to employ reasonable and appropriate measures to protect against the hackers.
The Fallout
Any way you put it, if true, it’s not good for the firm, to put it mildly. And even if the allegations are not true, it is still a potential stain on the firm’s reputation under the theory that where there is smoke, there is often fire.
Think through the ramifications and impact of claims like this. The fact the suit is brought on behalf of those who were not clients of the firm, itself could create a huge exposure that is often overlooked by firm management. Law firms have tons of this kind of information of nonclients that needs to be protected just as client information does. And clients themselves may also end up with second thoughts about continuing a relationship with a firm that exposed sensitive information. Even if their information is not accessed, they may still wonder about the firm’s security commitment and whether there is more to the story yet to be revealed. As far as potential new clients, they may also balk at handing their matters over to the firm.
And there’s a potential for greater liability and claims. Many clients today insist on assurances by their firms upfront that certain cybersecurity protections are in place. If it turns out that those protections were not there to protect their material that could be grounds for a suit. Or, at the very least, clients might be suspicious and perhaps even demand for a refund of fees previously paid. Not to mention the potential ethical violations of failing to appropriately protect client confidences.
Moreover, the failure to give timely notice, if it happened, is certainly grounds for claims by a state attorney general for violations of various state statutory provisions.
Even if the claims are ultimately defeated, there’s also the disruption to the business of the firm. Think of all the hours that personnel and partners may have to spend dealing with the claims if they proceed. These are hours that could have been spent doing other things. And for partners, it means hours that could have been otherwise billed.
So all in all, the direct financial blow could be devastating. But there are also intangible harms like the impact on the ability to attract top talent. I’m not sure I would want to work for a firm with this hanging over its head and with this blow to reputation.
Insurance?
But wait, surely the firm has insurance. Maybe. But many malpractice policies specifically exclude claims related to data breaches. From a definition standpoint, a breach probably does not fall within the concept of malpractice.
Then there is the cyber policy, assuming the firm has one. (If it doesn’t, that’s another huge problem of omission). But as I have written, these days most cyber carriers require upfront assurances that certain cyber protections are in place, just as many clients do. If it’s later found out the firm failed to have these protections in place, the coverage may be voided. That’s why the claim that the firm failed to have reasonable and appropriate protections in place is important.
A Wake-Up Call
All in all, suits like these should be a wake-up call for law firms to take cybersecurity very seriously. To double down on cyber issues and spend the time and money necessary to protect the firm, its clients and even nonclients that may have information in the firm’s files. To make sure it has adequate protections in place. To be sure that it’s doing what it committed to do to its clients and its carriers.
To do things like tabletop exercises to be sure that if, a breach occurs, the discovery of which does not take eight months, and notice does not take more than two years to be given. To do vendor audits and keep current on changes in vendor contractual commitments. To dig in and question IT and what it’s suggesting. To have a sound and tested incident-response plan, not just one that serves to check a box.
Cybersecurity is serious business. Its impact can be devastating to a firm on so many fronts. Management needs to act like it is one of the most important things that it deals with. Not just an afterthought.
Just ask Wiley Rein.
Stephen Embry is a lawyer, speaker, blogger, and writer. He publishes TechLaw Crossroads, a blog devoted to the examination of the tension between technology, the law, and the practice of law.
