Jay Edelson (Courtesy photo)
In a win for the first law firm to face a class action for lax data security, a Chicago federal judge ruled Wednesday that claims against Chicago-based Johnson & Bell for allegedly failing to protect client information must be heard individually in arbitration, not lumped together as a class.
The suit, filed by well-known class-action lawyer Jay Edelson, made headlines when it was unsealed in December and seemed to represent Edelson making good on an earlier promise to bring a spate of data privacy complaints against law firms. He had said he identified 15 firms with lagging security.
So far no other complaints against law firms have become public, and the ruling this week is a setback for Edelson, who said he will appeal to the U.S. Court of Appeals for the Seventh Circuit.
The lawsuit against Johnson & Bell did not claim any client data was stolen, and Edelson has said the alleged security holes identified by a former client have since been patched.
But the case remains a reputational and financial risk for Johnson & Bell and potentially other firms. Edelson argues that Johnson & Bell’s rates include an expectation that the firm provides industry-standard data security measures. The case, which had already been moved to arbitration before it became public last year, seeks as damages a refund of some portion of the rate clients paid.
U.S. District Judge John Darrah of the Northern District of Illinois ruled Wednesday that the court, not an arbitrator, had the power to decide whether the arbitration was eligible for class-action status. He also ruled the firm’s engagement letter did not agree to class arbitration.
“The court is saying that we have to bring thousands of individual arbitrations against Johnson & Bell,” Edelson said in an interview. “We’re obviously appealing that decision. We think the most efficient way to proceed is through one class-action lawsuit, and we feel very good about our chances in the Seventh Circuit.”
Joseph Marconi, head of the business litigation department at 100-plus lawyer Johnson & Bell, said the firm was pleased with the court’s decision and declined to comment further. In an earlier statement, Johnson & Bell president William Johnson promised to fight the case, calling it “specious,” and saying the firm may pursue counter-litigation after the suit is resolved.
The complaint alleged that Johnson & Bell used a time-entry system that was 10 years old, known to be prone to hacking and had not been updated with security patches. It said the firm’s virtual private network, or VPN, was prone to what is known as a “man-in-the-middle attack,” which the complaint says is often used by hackers, spy agencies and foreign governments to “eavesdrop on private communications and steal confidential client information.”
The complaint also said the firm’s email system was susceptible to the same type of hack believed to be used against Panama’s Mossack Fonseca, known as a “DROWN” attack.
The arbitration proceeding will face the question of how to calculate damages in a case where no data breach occurred. Edelson argues that clients, in effect, didn’t get the data security they implicitly paid for.
Clients “have suffered a diminished value of the services they received from Johnson & Bell; and they are threatened with irreparable loss of the integrity of their confidential client information and further injury and damages from the theft of that information,” the suit alleged.
Johnson & Bell, in an earlier court filing, argued that no “concrete” injury exists in the case.
“There is no allegation of breach or that client confidences were ever disclosed and any claimed deficiencies no longer exist,” Johnson & Bell’s filing said.