Chieftains of corporate America have long feared the financial and reputational fallout from a hacking breach. But a class action suit unveiled against a law firm last week could add to their data security anxiety. The suit claims that companies and law firms should be held accountable for lax security measures even if their customers’ data never falls into a hacker’s hands.
Some lawyers are skeptical that a court will agree to a new, wide-ranging theory that could essentially hold companies legally accountable for staying up-to-date with the latest data security protocols.
Either way, it is a new risk for law firms and corporations. The man behind the suit, noted data privacy plaintiffs lawyer Jay Edelson, said his firm has filed similar cases against other law firms that haven’t experienced a breach. He said he has found “success” with those cases when they remained under seal or were sent to arbitration. Edelson declined to comment further.
With a track record of winning cases against some of the country’s biggest tech companies, and expanding liability for data privacy blunders in the process, Edelson is a difficult lawyer to bet against.
He has successfully argued that weak security measures warrant a refund in cases where the consumer paid for a higher level of security. But that argument has been made in cases where an actual data breach occurred. The question in the newest batch of cases is whether Edelson’s claims that a law firm is a “data breach waiting to happen” will be enough for a court to grant standing.
“It’s a scary lawsuit,” said Alfred Saikali, a Miami-based partner and chair of the data security practice at Shook, Hardy & Bacon. “If a court says this is enough to allow a case to proceed, then almost every company in America will be subject to a class action lawsuit, because the nature of information security is it’s impossible to say you have no vulnerabilities. Assuming a court understands the implications of that, I don’t think they’re going to say a vulnerability is enough for a case.”
The question arises from a suit filed in April by Edelson’s firm, Edelson PC, in Cook County Circuit Court in Chicago. The case was unsealed last week and has since been moved to arbitration, meaning a judge will not yet rule on the issue.
The suit claims that Chicago’s Johnson & Bell put client data at risk by operating outdated email, virtual private network and time entry systems. The suit seeks damages based on an unjust enrichment theory, arguing the firm did not provide security measures its clients paid for. Edelson and Johnson & Bell agree that there was no data breach, and the security holes at the firm no longer exist.
Edelson disagreed that a ruling in his favor in this type of case would lead to a wave of data breach cases across the country. He said firms and companies that did not “over represent” the security measures they offered would not face such a suit.
“What is new [in the Johnson & Bell case] is to push the overpayment theory without evidence of an actual data breach,” Edelson said. “The overpayment theory simply does not depend on [a breach] at all, in our view. And we’ll see how that plays out. But in our view, the class need not wait until there has been a disaster.”
The suit seeks to calculate damages as a portion or the whole of the legal fees that clients paid to Johnson & Bell. The complaint states that plaintiffs would not have hired the firm or they would have paid “significantly less” had Johnson & Bell “disclosed that it does not use industry standard data security measures.”
One comfort to law firms facing a similar claim from Edelson or others is that since the complaint against Johnson & Bell is couched as a legal malpractice claim, it is likely that typical legal malpractice insurance policies will cover the defense of the case, said Tom Ricketts, senior vice president and executive director at Aon Risk Solutions, a unit of insurance brokerage giant Aon plc.
Ricketts, who leads Aon Risk’s professional services group, noted that some cyber security insurance policies may also cover a claim such as that posed by Edelson’s suit against Johnson & Bell, especially if the policy wasn’t specifically tied to the existence of a data breach.
“[Edelson’s suit] does raise a fascinating question of do clients have an expectation of differential fees or costs between law firms based on the quality and quantity of data security available, and do they interrogate to that point,” Ricketts said.
Regardless of who is footing the bill, with the Johnson & Bell case proceeding in arbitration, it will likely be a long wait until a court answers the question of whether an easy target for a hacker is also a sitting duck for a plaintiffs firm.