A New Frontier In Law Firm Cyber Risk: Client Class Actions
That an actual breach of client information could expose your law firm to legal and business risks is unsurprising. The risks posed by a potential breach, however, may be something your firm has not yet carefully considered – but needs to. Law firms face a variety of cybersecurity-related risks. Firms have been targeted by cybercriminals with increased frequency in the past few years, and clients are growing concerned. In at least one instance – and likely more to follow – this concern has resulted in litigation between firm and client over the adequacy of the firm’s cybersecurity safeguards.
In April 2016, clients of a Chicago-based firm, Johnson & Bell, filed a class action lawsuit alleging that the firm failed to adequately safeguard their information. The case, which was subsequently moved to arbitration, is now back in the news. On March 28, 2017, Johnson & Bell sued Edelson PC, the firm representing the client class, for defamation. In its complaint, Johnson & Bell alleges that “[t]he Edelson defendants have engaged in numerous violations of their ethical duties, have illegally abused the process of the courts to further their own self-aggrandizement, and have engaged in a self-serving publicity tour spreading their lies and defamatory statements about J&B.” Perhaps ominously, Edelson has announced that the Johnson & Bell case is just its opening salvo; it plans to assert similar claims on behalf of clients of 15 other firms.
The Johnson & Bell Complaint, which was made public last December, is notable for a number of reasons.
First, it homes in on several of the potential vulnerabilities firm systems may be subject to, such as the high incident of employees working remotely, or the fact that less well-protected systems, like those for timekeeping or email, can serve as gateways to systems holding more sensitive data.
Second, the Complaint identifies categories of sensitive data that many firms are likely to maintain, such as financial records, trade secrets, sensitive communications, and personal information.
Third, it contends that there’s an “industry standard” level of data security that any firm charging and collecting market-rate attorneys’ fees must provide. This is significant because there are indications that the “industry standard” (or “reasonable”) level of protection that the law imposes on businesses is likely to become more expansive and onerous in coming years.
And fourth, in addition to seeking damages and attorneys’ fees, the Johnson & Bell Plaintiffs are seeking to compel a security audit by an outside auditor. This audit would, among other things, reveal whether the firm has conducted a thorough risk assessment, and whether it has developed a sufficiently robust data security plan that includes written policies and procedures, employee training, and vendor management processes.
The prospect of client lawsuits provides a compelling reason to take prompt and committed action on the cybersecurity front – even if your firm has not yet experienced a breach. For guidance on how firms can prevent and respond to cybersecurity incidents, please check out our past post on this topic.