By Kim Lyons / Pittsburgh Post-Gazette

In 2007, cybercriminals took more than 45 million credit and debit card numbers from the network of retailer TJ Maxx’s parent company. The cost to the company, TJX Cos., soared above $250 million, and drove the state of Massachusetts, where the company is headquartered, to enact some of the toughest cybersecurity rules in the country.

With so much money and potential damage to a company’s reputation at stake in the event of a data breach, it’s no wonder that law firms are devoting resources to cybersecurity, not only to protect their own firms’ data but also as a potentially lucrative practice area.

Buchanan Ingersoll & Rooney announced Oct. 23 it was launching a cybersecurity and data protection practice, expanding on its existing data security practice.

Pittsburgh-based shareholders Matthew Meade and Sue Friedberg, and Philadelphia-based shareholder Jack Tomarchio, a former intelligence officer with the U.S. Department of Homeland Security, will lead the practice.

Mr. Tomarchio said companies need to have a protocol, which a law firm can help write, in the event of a breach. “You have to know who you’re legally required to contact, who you have to notify,” he explained.

Ideally, a company doesn’t wait until it has a breach to reach out for help, he added. “We can help them determine weak points, design ongoing training and compliance programs, and keep them up to date on what rules touch them and affect them.”

Buchanan Ingersoll joins the growing list of law firms that have added cybersecurity practices in 2013, said David Bodenheimer, a partner with Washington, D.C.-based firm Crowell & Moring. He is also chairman of the American Bar Association Public Contract Law Section’s Cybersecurity Committee.

Mr. Bodenheimer said that, in 2013, many law firms expanded existing practice areas that dealt with health care and financial data protection issues. After President Barack Obama signed an executive order Feb. 12 directing federal agencies to develop cybersecurity standards for parts of the private sector, Mr. Bodenheimer said, firms recognized this as a practice area with great potential.

“When boards of directors started turning to senior management and asking, ‘What is this threat and what are we doing about it?’ they started to call their law firms,” Mr. Bodenheimer said.

There are several reasons a company dealing with a breach needs a lawyer, he said, not the least of which is making a legal judgment about what the company is required to do.

Determining how big and how far-reaching a data breach was is the first step, said Brett Creasy, director of forensics at bit-x-bit, an e-discovery and forensics investigations firm in Downtown.

“It can depend on what was taken, or what data was breached,” he said. “We tell companies, ‘You will be hacked, it’s just a matter of when, so you have to be prepared.’ ”

But a big part of the problem companies face, said Mr. Meade of Buchanan Ingersoll, is that aside from a few industry-specific sectors, there are no federal regulations governing breach notification. If a company is hacked or has data compromised, it may not know at what point it is legally required to contact clients whose information may have been accessed.

State laws have varying degrees of rigidity — for instance, even if a company doesn’t have an office in Massachusetts, if it has customer there affected by a data breach, the company has legal responsibility there.

California has a five-day turnaround after a security breach, Mr. Creasy said, meaning a company has five days to determine whether a hack was significant enough that it requires notification.

Mr. Bodenheimer agreed that the “patchwork” of state and federal regulations around data protection and privacy could stymie large firms and leave smaller companies unsure where to turn.

For larger law firms, having a practice dedicated to an area with so much growth potential makes sense, Mr. Bodenheimer said, noting that it may also be a practice area for smaller and medium-sized firms to consider.

“Some of it comes down to betting on the future,” he said, adding that there may come a time when companies will suffer breaches so substantial that they might not be able to survive the losses. “When those happen, the litigation and enforcement actions could be sufficiently lucrative for even mid-sized and smaller firms.”