The American Lawyer (sub. req.) reported on December 9th that in the first public data security class action complaint against a U.S. law firm, Chicago-based Johnson & Bell is accused of failing to protect confidential client information.
The suit against the 100-plus lawyer trial firm was filed in Chicago's federal court in April but made public on December 9th following courtroom skirmishes over whether or not the firm had patched security holes a former client claimed existed in the firm's time entry system, e-mail system and virtual private network.
The suit was brought by well-known class-action lawyer Jay Edelson. It has been moved to arbitration, where Edelson says his firm is seeking class confirmation and will seek damages for allegations that the lax security put client information at risk. Edelson said it is the first class action against a law firm alleging inadequate data security measures.
The complaint makes no claim that data was stolen or used against clients. Also, the security holes identified in the complaint have been fixed, Edelson said, which is why his firm argued to unseal the case.
Law firms are well-known targets for hackers, and breaches have slowly come into public view this year. Cravath, Swaine & Moore and Weil, Gotshal & Manges were said to be targets of successful hacking attempts in a March Wall Street Journal article. Last week, Fortune reported those attacks were directed by hackers with ties to the Chinese government.
These suits are certainly a reputation risk for law firms, where confidential of client information is critical – and ethically required. It remains unclear what damages could be awarded in cases where no data breach exists and when the alleged security deficiencies have been fixed.
Edelson earlier said he would bring a number of class-action claims against law firms his firm identified as lacking basic security measures. In a March 30th article, Edelson told Bloomberg Big Law Business that he had identified 15 such firms. The suit against Johnson & Bell was filed two weeks later. The other firms have not been publicly named.
"This is the first that has become public," Edelson said Friday when asked if he had filed other lawsuits. "We're not talking about (cases) that are not in the public record."
Johnson & Bell president William Johnson said his firm's data systems are secure and its clients' information is protected. "We will fully defend our firm against this baseless lawsuit and will seek appropriate action against plaintiffs after the lawsuit is concluded," Johnson said in a statement.
There are some odd twists and turns in this case. The data security lawsuit was brought on behalf of Coinabul LLC, a firm that once promised to trade gold for the digital currency bitcoin. Earlier, Coinabul had been sued in July 2014 by a plaintiff represented by Edelson PC, alleging the company defrauded its customers out of millions of dollars' worth of bitcoin. Coinabul hired Johnson & Bell as defense counsel.
After Johnson & Bell withdrew from the case, Coinabul and co-defendant Jason Shore were hit with a $1.5 million judgment last year. In July, Shore was dismissed from that case with prejudice. Shore and Coinabul are now represented by Edelson in the arbitration claim against Johnson & Bell, Edelson said.
The complaint says Johnson & Bell used a time-entry system that was 10 years old, known to be prone to hacking and had not been updated with security patches. The suit said the firm's virtual private network, or VPN, was prone to what is known as a "man-in-the-middle attack," which the complaint says is often used by hackers, spy agencies and foreign governments to "eavesdrop on private communications and steal confidential client information."
The complaint also says the firm's e-mail system was susceptible to the same type of hack believed to be used against Panama's Mossack Fonseca, known as a "DROWN" attack. The lawsuit seeks damages for the potential that the systems were exploited.
The suit alleges that clients "have suffered a diminished value of the services they received from Johnson & Bell; and they are threatened with irreparable loss of the integrity of their confidential client information and further injury and damages from the theft of that information."
In a May filing, Johnson & Bell argued Edelson's complaint should be dismissed for a lack of standing.
"Plaintiffs are unable to demonstrate a 'concrete and particularized injury' because none exists," the filing says. "There is no allegation of breach or that client confidences were ever disclosed and any claimed deficiencies no longer exist."
Edelson's firm moved to dismiss the data security case in federal court in May, and at the same time said they would continue to pursue an unsealing of the case. Edelson said the dismissal was based on an arbitration clause in Coinabul's retainer agreement with Johnson & Bell.
I have some difficulty figuring out how a firm can be held liable where no damages are shown to exist and where vulnerabilities were admittedly fixed. It would certainly appear that there was, if the facts alleged are true, some lax security. But it is hard to imagine a law firm where some laxity cannot be found. Stay tuned – there is certainly more to come.
Hat tip to Dave Ries.
E-mail: firstname.lastname@example.org Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology