In the first public data security class action complaint against a U.S. law firm, Chicago-based Johnson & Bell was named in a lawsuit that says the firm failed to protect confidential client information.
The suit against the 100-plus-lawyer trial firm was filed in Chicago’s federal court in April but made public on Friday following courtroom fighting over whether the firm had patched security holes a former client claimed existed in the firm’s time-entry system, email system and virtual private network.
Brought by well-known class-action lawyer Jay Edelson, the case has been moved to arbitration, where Edelson says his firm is seeking class confirmation and will seek damages for allegations that the lax security put client information at risk. Edelson said it is the first class action against a law firm alleging inadequate data security measures.
The complaint makes no claim that data was stolen or used against clients. And the security holes identified in the complaint have been fixed, Edelson said, which is why his firm argued to unseal the case.
In a statement, Johnson & Bell called the lawsuit “specious” and said it would defend itself against the claims and would pursue action against the plaintiff when the case concludes.
Law firms and their troves of confidential information are well-known targets for hackers, and breaches have slowly trickled into the public view this year. Cravath, Swaine & Moore and Weil, Gotshal & Manges were said to be targets of successful hacking attempts in a March Wall Street Journal article. Earlier this week, Fortune reported those attacks were directed by hackers with ties to the Chinese government.
But the lawsuit unsealed Friday is a new reputation risk for an industry where confidentiality is a bedrock of client service. Johnson & Bell is unlikely to be the last firm named publicly. Even so, it’s unclear what damages could be awarded in cases where no data breach exists and when the alleged security deficiencies have been fixed.
Edelson earlier said he would bring a wave of class-action claims against law firms his firm identified as lacking basic security measures. In a March 30 article, Edelson told Bloomberg Big Law Business that he identified 15 such firms. The suit against Johnson & Bell was filed two weeks later.
“This is the first that has become public,” Edelson said Friday when asked if he had filed other lawsuits. “We’re not talking about (cases) that are not in the public record.”
Johnson & Bell president William Johnson said his firm’s data systems are secure and its clients’ information is protected.
“We will fully defend our firm against this baseless lawsuit and will seek appropriate action against plaintiffs after the lawsuit is concluded,” Johnson said in a statement.
The lawsuit has an incestuous backstory.
The data security lawsuit was brought on behalf of Coinabul LLC, a firm that once promised to trade gold for the digital currency bitcoin. Earlier, Coinabul had been sued in July 2014 by a plaintiff represented by Edelson PC, alleging the company defrauded its customers out of millions of dollars’ worth of bitcoin. Coinabul hired Johnson & Bell as defense counsel.
After Johnson & Bell withdrew from the case, Coinabul and co-defendant Jason Shore were hit with a $1.5 million judgment last year. In July, Shore was dismissed from that case with prejudice.
Shore and Coinabul are now represented by Edelson in the arbitration claim against Johnson & Bell, Edelson said.
The complaint says Johnson & Bell used a time-entry system that was 10 years old, was known to be prone to hacking and had not been updated with security patches. The suit said the firm’s virtual private network, or VPN, was prone to what is known as a “man-in-the-middle attack,” which the complaint says is often used by hackers, spy agencies and foreign governments to “eavesdrop on private communications and steal confidential client information.”
The complaint also says the firm’s email system was susceptible to the same type of hack believed to be used against Panama’s Mossack Fonseca, known as a “DROWN” attack.
The lawsuit seeks damages for the potential that the systems were exploited.
Clients “have suffered a diminished value of the services they received from Johnson & Bell; and they are threatened with irreparable loss of the integrity of their confidential client information and further injury and damages from the theft of that information.”
In a May filing, Johnson & Bell argued Edelson’s complaint should be dismissed for a lack of standing.
“Plaintiffs are unable to demonstrate a ‘concrete and particularized injury’ because none exists,” the filing says. “There is no allegation of breach or that client confidences were ever disclosed and any claimed deficiencies no longer exist.”
Edelson’s firm moved to dismiss the data security case in federal court in May, and at the same time said it would continue to pursue an unsealing of the case. Edelson said the dismissal was based on an arbitration clause in Coinabul’s retainer agreement with Johnson & Bell.
“We are going to vigorously defend this to the very end,” said Joseph Marconi, a Johnson & Bell partner.