By Helen Geib and Greg English
Can a law firm data breach be legal malpractice? Some clients have answered “Yes,” but the jury is still out. This article examines four groundbreaking cases in this unresolved area.
Cyberattacks are everywhere–and law firms are tempting targets
Law firms are repositories of valuable business and personal data. That makes them tempting targets for cybercriminals of all stripes. It comes as no surprise that recent years have provided ample evidence the legal sector is under attack.
Now-defunct Panama firm Mossack Fonseca of “Panama Papers” infamy was only the first high-profile victim. Following a 2017 breach, multinational firm DLA Piper temporarily lost phone service and had to take its email system offline for six days. Jones Day is today’s headline news after client data was published on the dark web because of a breach at file transfer vendor Accellion.
This is only a small sampling of law firm security incidents. And it’s not just big law sporting the bullseye. In a survey for the 2018 ABA TechReport, 23 percent of lawyers reported their firms had already experienced a data breach. Adjusted for firm size, the percentages were even higher for mid-sized and small firms.
Malpractice cases based on law firm data breaches are few but alarming
Some clients have concluded their lawyers’ data security failures constitute legal malpractice. Our research did not find very many such cases and none that have proceeded to verdict. However, cases have ended in settlement and survived motions to dismiss.
The four cases examined in this article have little in common. The dissimilarity illustrates the wide variety of law firms targeted by cybercriminals, types of cyberattacks and legal theories of liability for data breaches.
1. Millard v. Doran, No. 153262/2016 (Sup. Ct. N.Y. Cty.)
The Millards sued their real estate lawyer for malpractice and breach of fiduciary duty after a data breach. Cybercriminals had hacked into the lawyer’s email account as the first step in successfully perpetrating a $2 million wire transfer theft of the clients’ funds. The case settled soon after filing.
Millard demonstrates the importance of security awareness and education for lawyers. The allegations outline basic user security failures. Doran used an AOL email account even though it was well known the AOL email service had been compromised. In addition, her computer reportedly had not been updated and was infested with malware.
Some cyberattack types are universal (ransomware being a prominent example). Others, however, concentrate on specific sectors or activities. Wire transfer fraud, which frequently targets real estate transactions, is a prime example. Millard also speaks to the importance of knowing the top attack types connected to a lawyer’s practice area.
2. Shore v. Johnson & Bell, Ltd., 16-cv-04363, 2017 WL 714123 (N.D. Ill. 2016)
A class action claim was filed in 2016 against Chicago-based Johnson & Bell, Ltd. based on purported weaknesses in the law firm’s data security. The complaint alleged that the firm used a 10-year-old time entry system that was known to be prone to hacking and had not been updated with security patches, and that its email and VPN systems also had security holes.
Allegations of a data breach, compromised client information or indeed any actual harm were notable by their absence. That the claim was based on the existence of a security vulnerability, and not a security incident causing specific harm, likely explains why there has been no public report since the case was referred to pre-trial arbitration in 2017.
Shore is more curiosity than litigation template. However, it is significant as one of the few cases in this area and for the commonplace nature of the alleged security failings.
3. Wengui v. Clark Hill, PLC, (D.D.C. Feb. 20, 2020)
State-sponsored hacking isn’t an attack type most law firms need to worry about. But that’s exactly what happened to an AmLaw 200 firm handling an immigration matter.
Guo Wengui is a Chinese dissident living in New York City who retained Clark Hill PLC to represent him in his application for political asylum. The firm’s systems were breached by hackers – assumed by all involved to be affiliated with the Chinese government – who published the application and other personal information on social media. Guo sued for legal malpractice, breach of fiduciary duty and breach of contract.
Guo asserted he had repeatedly informed the firm prior to entering into the engagement that he was a target of politically motivated cyberattacks. The firm allegedly offered security assurances in response. These included agreeing to take special precautions such as not storing his personal information on the firm’s file server. However, his information was on the server and was also circulated by email.
The court emphasized the firm’s security representations in denying a motion to dismiss last year and the case is now in discovery. Wengui thus offers a cautionary tale of data security promises unkept.
4. Hiscox Ins. Co. Inc. v. Warden Grier, LLP, 474 F. Supp. 3d 1004 (W.D. Mo. 2020)
In 2016, Warden Grier, LLP fell victim to a major ransomware attack. Data belonging to client Hiscox Insurance Co., as well as data of Hiscox’s clients, was exfiltrated in the attack. Hiscox learned of the breach indirectly two years later when one of its employees discovered insureds’ personal information had been published on the dark web.
Hiscox sued for breach of contract, breach of fiduciary duty and negligence. Warden Grier argued all the claims were legal malpractice claims under another guise and moved to dismiss the contract and fiduciary duty counts as duplicative of the negligence count. The motion was denied in full.
Hiscox is significant for not being a legal malpractice case. In response to the motion to dismiss, Hiscox argued its claims did not arise out of the provision of legal services. The court agreed, likening the situation to a data breach occurring at a legal services vendor. Hiscox and Wengui are reminders that a malpractice claim is not the sole legal option for clients affected by a law firm data breach.
Law firm data breaches have not led to a tsunami of legal malpractice claims. Direct financial damage, lost revenue and reputational harm remain the more immediate dangers from a security incident. Nonetheless, as these cases demonstrate, the risk of a legal malpractice claim is real and should be taken seriously.
About the Authors
Helen Geib is Of Counsel with Hoover Hull Turner LLP. She joined the Executive Committee of the E-Discovery, Cybersecurity and Information Governance Section in 2021. Greg English is a J.D. candidate at IU McKinney School of Law and a law clerk for Hoover Hull Turner LLP.