
On the morning of June 7, 2021, Katherine Weall opened her laptop to file an answer in Manhattan federal court. She had drafted the document. She knew the deadline. What she did not know was that every attorney in the New York City Law Department, all 1,000 of them, had been locked out of their own systems.
She wrote to Judge P. Kevin Castel and asked for one more week: “I am therefore unable to access and file the answer I have drafted in this case, which is due today.”
A connectivity issue. That was what the Law Department called it.
Two days earlier, the city’s Cyber Command had detected unauthorized access inside the department’s network. Officials disconnected the entire system on Sunday. By Monday, government attorneys handling civil rights cases, police misconduct suits, and contracts involving eight million residents could not reach a single electronic file. The NYPD’s intelligence division and the FBI’s cyber task force opened a joint investigation. Weeks passed before full access returned.
The attackers did not deploy novel malware. They did not exploit an undiscovered vulnerability. They used a single employee’s stolen email password and walked through the front door. In the weeks that followed, investigators discovered what that stolen password had unlocked: personal data of thousands of city employees, evidence from police misconduct cases, medical records of plaintiffs, and the identities of children charged with serious crimes. New York City’s Cyber Command had directed all city agencies to implement multi-factor authentication in April 2019. The Law Department had not complied. A City Hall spokesperson called the failure “unacceptable.”
As “Why Hackers Target Law Firms” documented in this series, law firms and legal departments concentrate the most sensitive information from multiple clients in one location. That concentration makes every unlocked door a high-value target.
If you manage a fourteen-attorney litigation practice and assume this does not apply to you, the data disagrees. The Verizon 2025 Data Breach Investigations Report, analyzing over 22,000 security incidents, found that stolen credentials accounted for 22% of breaches as an initial access vector. Among basic web application attacks, the figure reached 88%. Attackers are not breaching fortresses. They are logging in.
Your firm’s credential security falls below the standard that courts and regulators now treat as the floor for “reasonable efforts” under Model Rule 1.6(c). The fixes cost less per month than a single partner bills in six minutes. The consequences of inaction extend from malpractice liability through disciplinary proceedings to the kind of Monday morning Katherine Weall experienced in Manhattan federal court.
What Twelve Graphics Cards Revealed
When I worked in EMC’s eDiscovery business, we watched password-cracking demonstrations the way trial attorneys watch mock juries: to understand what the other side could do before they did it to us. The gap between what attackers can accomplish and what organizations believe attackers can accomplish widens every year. Password cracking follows the same trajectory as every other computational arms race. The numbers that felt safe last year become this year’s punchline.
Hive Systems publishes an annual password table benchmarking cracking times against current hardware. The 2025 edition used twelve NVIDIA RTX 5090 graphics cards, a configuration costing roughly $24,000 at list price for the GPUs alone. That is well within the budget of any organized criminal operation, and a rounding error for a nation-state. The results against bcrypt-hashed passwords at standard strength settings (bcrypt cost factor 10):
An eight-character password using only numbers falls in fifteen minutes. Eight lowercase letters: three weeks. Add uppercase letters, numbers, and symbols to those same eight characters, and the estimate extends to 164 years.
Now flip the variable. Consider length instead of complexity. Fifteen characters using only lowercase letters resists cracking orders of magnitude longer than an eight-character password deploying every character type available. Length defeats complexity. This is not intuitive, but it is mathematical. A passphrase like “correcthorsebatterystaple” provides more protection than “P@s5w0rd!” and is easier to remember.
Security professionals no longer push complexity requirements that produce sticky notes on monitors. They push length, randomness, and uniqueness across accounts. The advice changed because the math changed.
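To make the length-versus-complexity arithmetic concrete, here is an added Python example (mine, not from the article or from Hive Systems) that computes the keyspace and entropy of each policy, the smallest lowercase-only length that already exceeds an eight-character all-printable-ASCII password, and how many times larger the fifteen-lowercase keyspace is. The character-set sizes and the 100,000 guesses-per-second rate are assumptions for illustration; absolute times depend on the hash, its cost factor and the hardware, so they will not line up with the Hive table exactly, but the ratios are pure arithmetic and hold on any rig.

```python
import math

# Character-set sizes (assumed for this example): digits, lowercase,
# both letter cases, letters plus digits, and the full printable ASCII
# set of 26 + 26 + 10 + 33 symbols = 95.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "mixed_case_digits": 62,
    "all_printable": 95,
}

# Illustrative guess rate against bcrypt cost 10; an assumption, not a
# measured figure, used only so the durations below have a scale.
ASSUMED_GUESSES_PER_SECOND = 100_000


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords a policy allows, as an exact integer."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy of a uniformly random password under the policy."""
    return length * math.log2(charset_size)


def min_length_to_exceed(charset_size: int, target_keyspace: int) -> int:
    """Smallest length at which charset_size ** length strictly exceeds target.

    Uses integer arithmetic rather than a float logarithm so the boundary
    case is never off by one.
    """
    length = 1
    while charset_size ** length <= target_keyspace:
        length += 1
    return length


def exhaustive_search_seconds(length: int, charset_size: int,
                              guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every password in the policy's keyspace."""
    return keyspace(length, charset_size) / guesses_per_second


def keyspace_ratio(longer: tuple, shorter: tuple) -> float:
    """How many times larger the first (length, charset_size) policy's keyspace is."""
    return keyspace(*longer) / keyspace(*shorter)


def human_duration(seconds: float) -> str:
    """Round a duration to the unit a reader would use."""
    year = 365.25 * 86400
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:,.0f} years"


if __name__ == "__main__":
    policies = [
        ("8 digits", 8, CHARSETS["digits"]),
        ("8 lowercase", 8, CHARSETS["lowercase"]),
        ("8 all printable", 8, CHARSETS["all_printable"]),
        ("14 lowercase", 14, CHARSETS["lowercase"]),
        ("15 lowercase", 15, CHARSETS["lowercase"]),
    ]
    for name, length, size in policies:
        print(f"{name:16} {entropy_bits(length, size):5.1f} bits  "
              f"{human_duration(exhaustive_search_seconds(length, size))}")
    target = keyspace(8, CHARSETS["all_printable"])
    print("lowercase-only length that beats 8 all-printable chars:",
          min_length_to_exceed(CHARSETS["lowercase"], target))
    print("15 lowercase vs 8 all-printable, keyspace ratio:",
          f"{keyspace_ratio((15, 26), (8, 95)):,.0f}x")
```

The ratio is the number that matters: fifteen lowercase letters give roughly a quarter of a million times more keyspace than eight characters drawn from the whole keyboard, and twelve lowercase letters already pass it. Entropy here assumes the password is chosen uniformly at random, which is why the article pairs the length advice with a password manager; a dictionary phrase chosen by a human has far less entropy than its length suggests.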
The Obligation with Teeth
Password security is not a practice recommendation. It carries disciplinary consequences.
Forty states, the District of Columbia, and Puerto Rico have formally adopted the technology competence standard embedded in Model Rule 1.1, Comment 8, which requires attorneys to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” The remaining states have addressed the obligation through ethics opinions or court orders. No jurisdiction has concluded that attorneys may ignore the technology their clients’ data travels through.
Model Rule 1.6(c) converts that awareness obligation into a protection mandate: “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” A firm running email without multi-factor authentication and storing credentials in unencrypted spreadsheets cannot credibly claim reasonable efforts when a $24,000 hardware rig cracks its passwords in minutes. ABA Formal Opinion 477R (2017) made this connection explicit, requiring attorneys to “understand and use electronic security measures” and to train both lawyers and nonlawyer assistants in information security. The opinion sets a floor, not a ceiling. Sensitivity of the data raises the standard.
Regulators have already put dollar figures on noncompliance. In April 2021, the New York Department of Financial Services imposed a $3 million penalty on National Securities Corporation for failing to implement MFA across its email environment. The consent order cataloged four separate cybersecurity events between 2018 and 2020, every one exploiting accounts that lacked MFA. National Securities had also falsely certified compliance with MFA requirements in its 2018 filing. That false certification transformed a security failure into a credibility failure, the kind of aggravating factor that turns a fine into a precedent.
As I explored in “Your AI Tool Doesn’t Keep Secrets,” the technology competence obligation extends beyond passwords to every platform that touches client data. “The Six-Week Silence” documented what happens after prevention fails: the obligation to disclose, and the cost of delay.
The Steelman, and Where It Breaks
Here is the strongest version of the counterargument: small and midsize firms lack the budgets, IT staff, and attack profiles that justify enterprise-grade credential security. Automated attackers target high-value organizations with deep pockets, not a twelve-attorney family law practice in Charlotte. Compliance burdens fall disproportionately on firms least equipped to bear them. The risk is theoretical.
That last claim is wrong. Everything before it contains a kernel of truth.
Compliance costs do fall disproportionately on smaller firms. A solo practitioner juggling client calls, court appearances, and office administration has less bandwidth for security configuration than an AmLaw 100 firm with a dedicated CISO. Nobody disputes the resource gap.
But automated credential-stuffing attacks do not select targets based on firm size, practice area, or revenue. In 2024, 2.8 billion passwords appeared for sale or free distribution on criminal message boards, encrypted messenger groups, and darknet markets, according to data cited in the Verizon DBIR. Automated tools feed those lists into every accessible login portal on the internet. When one finds a working combination at a family law practice in Charlotte, the attacker does not shrug and move on. That access gets monetized through ransomware, data exfiltration, or resale. The Verizon DBIR found that small and midsize businesses experienced ransomware in 88% of breaches. Smaller firms are not below the waterline. They are the waterline.
Bar counsel evaluating a breach ask one question: did the firm take reasonable precautions? A password manager runs $3 to $8 per user per month. For a twelve-attorney firm, that is $36 to $96 monthly. MFA is free on most platforms. The “we can’t afford it” argument fails at $96 a month. A single partner bills more than that before lunch.
Two Firms, One Phishing Email
[Note: The first firm described below is a composite illustration based on publicly documented credential-breach patterns. The structural elements (deployment of MFA and a password manager at the described cost levels, a phishing attempt blocked by MFA, zero data exposure) reflect documented outcomes from firms implementing these controls.]
A twelve-attorney plaintiff’s firm in the Southeast deployed Bitwarden across every workstation in 2019. The managing partner required unique, randomly generated passwords for every firm account and mandated MFA on email, document management, and banking platforms. Six months later, a paralegal received a phishing email that captured her primary credentials. The attacker hit the MFA wall. The attempt was flagged. Credentials were reset within the hour. Zero client data was exposed. Annual cost of the infrastructure that stopped the breach: $576 for the entire firm.
National Securities Corporation faced the same threat without the same preparation. Four cybersecurity events over two years. Customer data exposed in every incident. $400,000 in direct losses from unauthorized fund transfers. A $3 million regulatory penalty. A false compliance certification that compounded every other failure.
The gap between these outcomes is not sophistication. It is $48 per month.
As I detailed in “I Was Inside EMC When Hackers Stole the Keys to 40 Million Doors,” the RSA breach proved that one compromised credential can cascade through an entire trust chain. The password is the first domino. It has always been the first domino.
What Each Practice Area Faces
Corporate and M&A attorneys handle material nonpublic information during active transactions. A credential breach during a pending acquisition creates not only malpractice exposure but potential securities law liability under Regulation FD and insider trading statutes. Every shared credential during a deal is a door that stays open until someone remembers to close it. When I analyzed supply chain risk in the RSA breach blog, the parallel to vendor access during due diligence was direct.
Litigation practices face evidentiary consequences that precede the malpractice analysis. If opposing counsel argues that a credential breach compromised document integrity, the spoliation inquiry begins immediately. The Qualcomm v. Broadcom sanctions, examined in “The Tower of Babel in Your Own Building,” proved that courts treat technology failures as attorney failures when the consequences contaminate the litigation.
Family law and estate planning practitioners handle information clients consider more sensitive than any corporate secret: health records, financial details, custody evaluations, substance abuse histories. A breach causes immediate, personal harm to individuals who trusted their attorney with details they have not shared with their closest friends. “The Email Disclaimer Delusion” explored how attorneys in these practice areas routinely rely on disclaimers that provide zero actual protection for exactly this kind of data.
Criminal defense attorneys face a constitutional overlay. A credential breach that exposes defense strategy, witness lists, or plea negotiation details implicates the Sixth Amendment right to effective assistance of counsel. The professional responsibility analysis compounds rather than replaces the constitutional one.
Before Friday
Your firm’s email system is the single highest-value target in a credential-based attack. Every major email platform (Microsoft 365, Google Workspace) supports multi-factor authentication at no additional cost. Configuration takes less than an hour for a fourteen-person office. The setup guides are written for non-technical administrators. Enable MFA on every email account before the end of this week. Not next quarter. Not after the next partners’ meeting. This week.
The same week, deploy a password manager. Bitwarden, 1Password, and Dashlane offer enterprise plans between $3 and $8 per user per month. Require unique, randomly generated passwords for every firm account. This eliminates reuse, the specific behavior that makes credential-stuffing effective. When attackers harvest credentials from an unrelated breach and test them against your firm’s login portal, unique passwords give them nothing useful.
While the password manager rolls out, run every firm email address through HaveIBeenPwned.com. The service is free. Any account appearing in a known breach database requires an immediate credential reset, not a note for the next IT review, not a calendar reminder. Reset it and enable MFA before close of business.
Set a minimum password length of fourteen characters across all firm systems. At that length, even with a simpler character mix, the Hive Systems 2025 data shows cracking timelines that stretch well beyond any practical attack window.
Then document what you did. Written policies. Training records. Configuration logs with dates. If a breach occurs, the gap between a regulatory warning and a suspension narrows to one question: can you prove you took reasonable precautions? “The Policy You Paid for but Cannot Use” documented how cyber insurers ask the identical question. Your application attested to MFA. Your carrier will verify that attestation the day you file a claim. The answer is either true or it is not.
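As an added example (not the article's code and not Have I Been Pwned's own tooling), the following Python script shows how a firm can screen a candidate password against the fourteen-character floor and a breach corpus without ever transmitting the password. It uses the k-anonymity range lookup that the Pwned Passwords side of the same service exposes: only the first five hex characters of the SHA-1 hash leave the machine, and the matching is done locally against the returned list of hash tails. The range response embedded here is constructed for offline use, with a made-up count attached to the real SHA-1 tail of the string "password"; the account names are placeholders. The audit line it emits records the timestamp and verdict but never the password, which is the kind of dated evidence the paragraph above asks you to keep.

```python
import hashlib
from datetime import datetime, timezone

MIN_PASSWORD_LENGTH = 14  # the floor the article sets for firm systems

# Constructed sample of what a range lookup for SHA-1 prefix 5BAA6 returns:
# one line per hash tail (35 hex characters) and the number of times it
# appeared in breach data. The counts are made up for this example; the
# first tail is the genuine remainder of SHA-1("password").
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
0000000000000000000000000000000000A:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:17
"""


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent
    to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} map, skipping junk."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def offline_range_fetcher(prefix: str) -> str:
    """Stand-in for an HTTPS GET of https://api.pwnedpasswords.com/range/<prefix>.
    A live deployment would replace this with a real request; the prefix is
    the only thing that crosses the network."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password: str, fetch_range=offline_range_fetcher) -> int:
    """How many times the password's full hash appears in the breach corpus."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def check_password(password: str, fetch_range=offline_range_fetcher,
                   min_length: int = MIN_PASSWORD_LENGTH) -> dict:
    """Apply the firm policy: minimum length, and no presence in breach data."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = breach_count(password, fetch_range)
    if seen > 0:
        reasons.append(f"appears {seen} times in known breach data")
    return {
        "ok": not reasons,
        "length": len(password),
        "breach_count": seen,
        "reasons": reasons,
    }


def audit_line(account: str, result: dict, when: datetime = None) -> str:
    """Dated record for the compliance file. Deliberately omits the password
    and its hash; the verdict and the reasons are all a reviewer needs."""
    when = when or datetime.now(timezone.utc)
    verdict = "PASS" if result["ok"] else "FAIL"
    reasons = "; ".join(result["reasons"]) or "-"
    return (f"{when.isoformat()} account={account} length={result['length']} "
            f"breach_count={result['breach_count']} verdict={verdict} reasons={reasons}")


if __name__ == "__main__":
    # Placeholder accounts and two candidate passwords: one that fails on
    # both counts, one that clears the policy against the constructed data.
    for account, candidate in [
        ("paralegal@example-firm.invalid", "password"),
        ("partner@example-firm.invalid", "correcthorsebatterystaple"),
    ]:
        print(audit_line(account, check_password(candidate)))
```

Swapping `offline_range_fetcher` for a real HTTPS fetch is the only change needed to run this against the live corpus; keep the local comparison exactly as written so the full hash is never sent. Run it at password-manager rollout and on every reset, and keep the audit lines with the rest of the configuration log.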
The Filing That Changed a Monday Morning
Katherine Weall’s letter to Judge Castel did not describe a cyberattack. It described a connectivity issue. That framing reveals the distance between what happened and what the Law Department was prepared to say about it.
Weall was not negligent. She drafted the answer. She met the internal deadline. But her clients experienced the same outcome they would have experienced if she had simply forgotten: their filing was late, their case was disrupted, and their attorney stood before a federal judge explaining that the largest municipal law office in the country could not open its own files.
Remove the technology entirely. If Weall had stored every client file in a locked cabinet and handed a copy of the key to a thousand people, and someone with a stolen key walked in and changed the lock, no one would call it a connectivity issue. They would call it what it was. The digital version is no different. The obligation is no smaller.
Microsoft research found that MFA blocks over 99.9% of automated account compromise attacks. One measure. Free on most platforms. Available for years. Every day your firm delays implementation is a day it operates below the floor that regulators, courts, and insurers enforce.
Weall got her extension. The question is whether your clients will get theirs.
This blog provides general information for educational purposes only and does not constitute legal advice. Consult qualified counsel for advice on specific situations.
References
ABA Model Rules of Professional Conduct, Rule 1.1, Comment 8 (Am. Bar Ass’n 2012). Technological competence requirement.
ABA Model Rules of Professional Conduct, Rule 1.6(c) (Am. Bar Ass’n 2012). Confidentiality; reasonable efforts to prevent unauthorized disclosure.
ABA Formal Opinion 477R (2017). Securing communication of protected client information.
ABA Formal Opinion 483 (2018). Lawyers’ obligations after an electronic data breach or cyberattack.
Ambrogi, Robert J. LawSites. Tech Competence tracker: 40 states, D.C., and Puerto Rico have adopted technology competence requirements. https://www.lawnext.com/tech-competence
City & State New York. “How is New York protecting itself from cybercrime?” (July 7, 2021). Corroborating report on stolen email password and failed MFA directive.
Expert Insights. “The Most Significant Password Breaches of 2021.” Source for NYC Law Department breach details: stolen email password, exposed data categories, and April 2019 Cyber Command MFA directive.
Hive Systems. “2025 Password Table” (May 2025). Benchmarking password cracking times using 12x NVIDIA RTX 5090 GPUs against bcrypt (cost factor 10).
Microsoft Security Blog. “One simple action you can take to prevent 99.9 percent of attacks on your accounts” (August 2019).
Morris, JD. “I Was Inside EMC When Hackers Stole the Keys to 40 Million Doors.” Morris Legal Technology Blog, The Technology Blind Spot.
Morris, JD. “The Email Disclaimer Delusion.” Morris Legal Technology Blog, The Technology Blind Spot.
Morris, JD. “The Tower of Babel in Your Own Building.” Morris Legal Technology Blog, The Technology Blind Spot.
Morris, JD. “Your AI Tool Doesn’t Keep Secrets.” Morris Legal Technology Blog, The Technology Blind Spot.
Morris, JD. “The Six-Week Silence: What Happens When Your Firm Waits Too Long to Disclose a Breach.” Morris Legal Technology Blog, The Technology Blind Spot.
Morris, JD. “The Policy You Paid for but Cannot Use: Cyber Insurance, Compliance Gaps, and the Documentation Trap.” Morris Legal Technology Blog, The Technology Blind Spot.
Morris, JD. “Why Hackers Target Law Firms: Where All the Secrets Are Buried.” Morris Legal Technology Blog, The Technology Blind Spot.
New York City Law Department cyberattack. Reported June 7, 2021. Weall letter to Judge P. Kevin Castel, Manhattan federal court. Reporting: NBC New York, Fox Business, Wall Street Journal, Infosecurity Magazine, New York Daily News. Subsequent investigation confirmed attack via stolen email password; data exposure included employee personal data, police misconduct evidence, plaintiff medical records, and identities of children charged with serious crimes.
New York Department of Financial Services. Consent Order, In the Matter of National Securities Corporation (April 14, 2021). $3 million penalty for MFA failures, unreported cybersecurity events, and false compliance certification.
Verizon. “2025 Data Breach Investigations Report.” 22,000+ security incidents analyzed; stolen credentials as initial access vector in 22% of breaches; 88% of basic web application attacks involved stolen credentials; SMBs experienced ransomware in 88% of breaches; 2.8 billion passwords posted on criminal forums in 2024; 60% of breaches involved the human element.