The caper had Hollywood thriller written all over it.
It was an $80 million heist pulled off by thieves armed, apparently, with inside knowledge of their target — a pharmaceutical warehouse in Enfield.
It was about 9 p.m. on a Saturday night, so no one was around. According to authorities, brothers Amaury and Amed Villa, Cuban citizens who lived in South Florida, backed a tractor-trailer out of a blinding rainstorm and into the warehouse loading bay, all the while managing to stay out of view of security cameras.
They reportedly climbed onto the roof, cut a small hole to get inside, then rappelled down ropes, right into the room where the electronic security controls were located. There, they disabled the alarm so it would not send any alerts to out-of-state staffers monitoring the system operated by the ADT security firm.
"It appears that it was a very well planned-out and orchestrated operation," Enfield Police Chief Carl Sferrazza said of the March 13, 2010 heist. "It was not your run-of-the-mill home burglary, that’s for sure."
In a lawsuit filed this month in federal court in New Haven, the insurance company for drug maker Eli Lilly & Co. is seeking to hold security company ADT liable for failing to safeguard confidential information about the warehouse and the locations of its 13 security cameras. The lawsuit, which also alleges ADT failed to warn its customers of similar prior burglaries, is the first of its kind nationwide following a crime wave that authorities say involved warehouses in four states from 2008 to 2010.
The common thread was that thieves entered the buildings at "blind spots" in the security coverage. As in other warehouse burglaries in Texas, Illinois and Florida, the security system in Enfield was working properly, but rendered useless by the thieves’ knowledge of how to initially avoid surveillance and motion sensors, and then to disarm them by cutting the proper wires.
"Despite ADT’s knowledge that this and other burglaries had taken place utilizing information only available to individuals with access to sensitive information about the ADT security system, ADT did not notify Eli Lilly of the burglary or of the increased foreseeable harm created by detailed documentation of its security systems for the purpose of marketing potential improvements to the existing service," the lawsuit says.
Like Ocean’s 11
Twenty-two members of the loosely connected group of thieves from Florida have been indicted. Sixteen have already pleaded guilty. In addition to prescription medications, the group stole truckloads of cigarettes and whisky, which were then sold on the black market.
The ring’s exploits have been compared to those of the Ocean’s 11, a fictional gang of sophisticated thieves featured in a movie trilogy starring George Clooney.
At the Enfield heist, the intruders worked fast. They used the drug company’s own forklifts to load their tractor-trailer with 49 pallets of the antidepressants Prozac and Cymbalta, and left without a peep, leaving behind a few empty water bottles. In the morning, local police and FBI were called to investigate. It was DNA on the bottles that led to the arrest of the brothers; authorities say they had been caught on other surveillance cameras, at a Queens, N.Y., Home Depot, buying materials that were used in the heist.
The lawsuit filed by National Fire Insurance Co. of Pittsburgh is seeking to recover the $42 million the insurance company was forced to pay out for the drug company loss. The lawsuit is focused on the claim that the men somehow got specific information about security at the warehouse.
"Either they were given access to this data, or there was a weak link that allowed ADT to be hacked," said Elisa Gilbert, a New York attorney representing National Fire Insurance, which filed the claim against Tyco Integrated Security, which was formerly known as ADT.
Through a spokesman, Tyco has declined comment. The company has yet to file court papers outlining its defense.
Joining Gilbert in representing the plaintiffs is attorney Thomas L. Tisdale of Southport. Gilbert, who operates The Gilbert Firm in Manhattan, declined to discuss the litigation or anything about the case beyond what was laid out in her complaint, which was filed March 11. But it was clear the lawsuit was based at least in part on criminal evidence gathered by the FBI.
According to the lawsuit, ADT completed a report for Eli Lilly, called a Confidential System Proposal, three weeks before the crime. The report, which was part of a proposal by ADT to sell the drug company more security equipment, identified several shortcomings in the warehouse security system.
Although a prior report completed by ADT in 2004 did not list the exact locations of security cameras, the 2010 report did. It highlighted, with architectural drawings and charts, specific "faults and blind spots" of areas that were not being captured by each camera. The report, according to court documents, listed "the actual coordinates if every motion detector, beam, roof hatch, intercom, overhead door contact, fixed camera, panic button, card recorder, glass break sensor, control panel and keypad."
The security company recommended that Eli Lilly add 15 external cameras "to create a virtual fence around the facility."
The thieves struck before Eli Lilly got a chance to take the advice.
Data Security Issues
The crux of the lawsuit relies on whether the thieves were able to get that information from the ADT report, and if so, how? The timing of the burglary suggests that the thieves had access to the confidential report and thus knew where the cameras were located. But would that circumstantial evidence be enough to hold the security company liable?
James W. Bergenn, a partner at Shipman & Goodwin whose practice includes complex civil and criminal litigation, thinks the case is ripe for settlement using alternative dispute resolution.
"This is the type of thing that strikes so at the heart of what ADT does and there is so much at stake, that it might be prudent for the lawyers to try and resolve this," Bergenn said. The fact that a pattern of similar burglaries is alleged means there could be additional claims filed. "If I was on the defense side of this, I’m looking for ways to avoid [litigation]. Just because I don’t want the publicity."
He and other Connecticut trial lawyers, especially those with an interest in liability concerns over data security issues, are watching closely.
"What is especially interesting about this lawsuit is the fact that it doesn’t really specify how the bad guys found out where to break in and how to deactivate the system," said Lenny Isaac, a Waterbury insurance defense litigator who also chairs the Connecticut Bar Association’s Litigation Section.
Unlike state court protocols, which require detailed claims, federal rules allow lawsuits to be filed with just bare-bones information. So, in this case, the plaintiffs can wait until later to offer their theory of how the thieves know so much about warehouse security. Right now, said Isaac, that "makes a case like this very tantalizing."
Isaac said the case will most likely home in on the contract the security company had with Eli Lilly. "With a storage facility, there will often be a contract that limits liability if there is a theft," he said. "A lawsuit like this would look to make a claim for negligence of something outside the scope of the contract. So this could be a case where the [security] data was inadequately stored and the company failed to protect the confidential information."
While the plaintiffs would not need to prove how the information was taken in order to be successful, such a revelation would help. "If you have to prove someone is responsible and you don’t know how the thieves got the [security] information, you could be facing an uphill climb," Isaac said.
Ralph Monaco, a partner with Conway, Londregan, Sheehan & Monaco in New London and former CBA president, said suing a security business for allowing a theft to occur is not new. However, "the theory that a security company owes a fiduciary duty and is an agent of the customer is very interesting," he said. "The strength of this theory will depend of the specific contract language and the course of dealings between the parties."
In that way, the lawsuit could have implications for technology companies that service law firms and corporations, such as companies that provide computer network support, Monaco said.
The complaint will also be of interest to lawyers in light of American Bar Association rules that were recently amended to require lawyer to "keep abreast" of technology changes and take "reasonable efforts" to prevent unauthorized access to confidential information. "The entire legal profession now recognizes the importance of securing electronic information," Monaco said.
This isn’t the first case plaintiff’s attorney Gilbert has handled involving system failures that led to massive financial damages. In several previous cases, she has represented insurance companies seeking to limit payouts following engineering failures.
In 2009, Gilbert and her litigation team won a verdict against the U.S. Army Corps of Engineers for damages that occurred in New Orleans during Hurricane Katrina. The Corps allegedly failed to maintain a canal system that was supposed to protect the city from flooding.
As a result, insurance companies paid out tens of millions of dollars to policyholders, which included everyone from homeowners to utility companies. Gilbert won a verdict that required the federal government to cover some of the damages and repay insurers. The Justice Department appealed the ruling and won at the circuit level. Gilbert has asked the U.S. Supreme Court to hear the case.
She is also representing insurers facing massive payouts following the structural failure of a water aqueduct in Puerto Rico and an explosion at a Nebraska ethanol facility. Gilbert, on behalf of her insurance company clients, has argued that those who designed the facilities — not those that owned them — should have to cover damages.
"Part of the process is you have to look at the negligent issues out there that might apply," she said. "What we do is take a bird’s-eye-view of what happened and almost go back to a law school approach of what the elements are of the proposed tort and what are the elements of the proposed cause of action that may fit together."
Asked if her engineering litigation actions have helped prepare her for the burglary lawsuit, Gilbert again declined comment on the suit. But, she said, "Of course it does prepare you. It puts you in a mindset to look at things that are not an average approach."•