As if the threat of hackers wasn’t bad enough, lawyers now have to worry about being sued for lax data security – even if no breach has occurred and no client information has actually been compromised.
It’s happening in Illinois, where a class action lawsuit against the Chicago-based Johnson & Bell alleges the 100-lawyer firm is a “data breach waiting to happen.”
The complaint alleges specific security gaps inside the firm, including an insecure email platform and an online timekeeping system that had not been updated in 10 years.
What it doesn’t allege is that any of the lapses led to an actual breach.
“Notably, the complaint does not allege that the firm actually suffered a compromise of sensitive information, that a successful cyberattack occurred, or even that a cyberattack was attempted,” reports Bloomberg Big Law Business. “In other words, the lawsuit is based on the firm’s alleged state of security that may make it vulnerable to an attack in the future.”
The case is the first-ever class action against a law firm for inadequate cyber-security. Some observers fear that if successful it could open the floodgates for similar suits.
The defendants call the lawsuit “specious” and say that any vulnerabilities have been fixed.
Is Threat of Harm Sufficient?
The class action was brought on behalf of two former Johnson & Bell clients. They are represented by Edelson PC, a leading plaintiffs’ firm for privacy and data security litigation, who say the alleged negligent handling of confidential information has put their clients at risk.
“It is only a matter of time until hackers learn of these vulnerabilities (if they have not already),” according to the complaint. “As a result, Johnson & Bell’s clients not only face the current harm of having their information exposed but the risk that hackers will gain access to confidential billing records, be able to intercept and decrypt attorney-client communications, and obtain additional documents stored by Johnson & Bell.”
At least one commentator doesn’t think this adds up to malpractice.
“In my opinion, the lawsuit is fatally flawed because there was no attack or attempted attack on plaintiffs’ information, let alone actual unauthorized access or acquisition of the information,” writes Miami attorney Alfred Saikali in the Data Security Law Blog. “The firm’s security system was analogous to an unlocked door to a home that nobody burglarized. The plaintiffs indisputably suffered no financial damages as a result of the alleged vulnerabilities, and the vulnerabilities were identified (albeit by this lawsuit) and addressed before any actual harm occurred.”
More Malpractice Suits On The Way
The complaint alleges four causes of action:
- Breach of implied contract. An essential term of the engagement agreement was that the firm would take reasonable steps to safeguard the client’s data, which was not done.
- Professional negligence. The attorney-client relationship created a duty to comply with industry standard data security measures, which was not met.
- Unjust enrichment. A portion of the attorney fees was used for the administrative expense of maintaining data security. Because security was substandard, the funds should be repaid.
- Breach of fiduciary duty. The firm’s alleged failure to implement proper safety procedures was a breach of its fiduciary duty to the plaintiffs.
Among the specific allegations: the firm’s Virtual Private Network (VPN) was vulnerable to attack, its online timekeeping system allowed risky remote access and lacked security patches, and its email platform was deficient.
“Most companies probably have similar unknown vulnerabilities in their systems,” writes Saikali. “The challenge with information security is that it is like a game of Whack-A-Mole — the fast-paced and constantly changing threats and defenses means that new vulnerabilities are always emerging so it is almost impossible to eliminate all vulnerabilities entirely. The floodgates will be blown wide open if a lawsuit based only on the mere existence of a vulnerability is considered actionable.”
The case is presently in confidential arbitration. Regardless of the outcome, one thing is certain: similar suits are on the way. The plaintiffs’ lawyers say they have been conducting a “wide-ranging investigation” of security issues at other law firms.
“Our view has always been that law firms are prime targets for hackers,” says an Edelson lawyer. “Law firm data security has been abysmal. You will learn about other lawsuits.”
- Shore et al v. Johnson & Bell (N.D. of Illinois, 16-4363) https://www.bloomberglaw.com/public/desktop/document/Shore_et_al_v_Johnson__Bell_Ltd_Docket_No_116cv04363_ND_Ill_Apr_1?1494345795
- Bloomberg Big Law Business https://bol.bna.com/chicago-law-firm-accused-of-lax-data-security-in-lawsuit/
- Lexology http://www.lexology.com/library/detail.aspx?g=cae2ee82-a31a-40ab-ac6a-a3f9f0b5cc32