Names have been named. On December 9, Chicago-based law firm Johnson & Bell was revealed as the defendant in a class-action suit. The revelation came after a federal judge ruled in favor of a motion to unseal a complaint filed by Edelson PC. The complaint alleges that the members of the plaintiff class, comprising former Johnson & Bell clients, had incurred damages as a result of the defendant firm’s failure to take necessary precautions to secure data on its servers.
At issue is whether the firm’s failure to fulfill a promise to protect client data establishes harm before a third-party intrusion has even occurred.
That a firm such as Johnson & Bell, ranked by ALM Intelligence as the 385th largest U.S.-based law firm by attorney headcount, was named as the defendant marks a fitting end to Big Law’s terrible, horrible, no good, very bad year with regard to internal data security.
At the center of this imbroglio sits maverick plaintiff’s lawyer Jay Edelson, founder of the firm Edelson PC, and described by The New York Times as “Tech’s Least Friended Man.” Edelson, who earned this epithet for his dogged pursuit in suing technology companies, made waves in late March when he asserted in an article published by Bloomberg that his firm was setting its sights on Big Law. At that time, Edelson indicated his firm had “identified 15 major law firms with inadequate cybersecurity,” and he intended to “file a series of class-action lawsuits against the firms that will seek injunctive relief on behalf of all clientele and lay out specific preventive steps necessary to harden their security systems.” In April, he followed through on the threat, filing the now unsealed complaint against Johnson & Bell with the United States District Court for the Northern District of Illinois.
The allegations in the complaint should serve as a cautionary tale for firms everywhere, especially given the results of a recent ALM Intelligence report on the state of data security in the legal services sector. According to an ALM Intelligence survey, more than 75% of law firm respondents agreed that they are comfortable with their firms’ ability to withstand a breach, a full 10 percentage point increase in confidence compared to the previous year. However, this confidence appears gravely misplaced.
Core tenets of cybersecurity preparedness include assessment, planning, and testing. The assessment stage involves understanding the sensitivity and value of firm data and risk-profiling the data accordingly. The planning stage requires taking assessment-level results and implementing solutions such as preparation of a data breach plan and appointment of a response team. Leveraging results from both the assessment and planning stages, the testing stage seeks to ensure an effective response in case of breach.
The survey results reveal (see the graphic below) that firms suffer significant drop-offs in commitment at each subsequent stage. These results demonstrate that the confidence and comfort expressed by at least some members of the legal services industry are unfounded, and that clients should keep a closer eye on law firm data security practices.
Now, consider the survey results in light of the allegations in the complaint against Johnson & Bell. The plaintiffs claim Johnson & Bell’s exposure of client data makes a data breach inevitable, specifically citing deficiencies in securing the firm’s billing records, email system, and VPN server. According to the complaint, as a consequence of this failure, “Johnson & Bell has exposed Confidential Client Information. It is only a matter of time until hackers learn of these vulnerabilities (if they have not already). As a result, Johnson & Bell’s clients not only face the current harm of having their Information exposed but the risk that hackers will gain access to confidential billing records, be able to intercept and decrypt attorney-client communications, and obtain additional documents stored by Johnson & Bell.”
Moreover, the complaint alleges that the security deficiencies are compounded by Johnson & Bell’s promises to keep information secure and efforts to market itself as a cybersecurity expert. To support that claim, the complaint cites a 2014 article written by a shareholder and associate at Johnson & Bell, showcasing Johnson & Bell’s purported expertise, noting that “[d]ata management safeguards can prevent possible legal malpractice from cyber-security breaches.”
How many firms in Big Law could similarly be described as marketing themselves as cybersecurity experts? The answer is probably more than you might think. When examining the market for legal services related to data security, ALM Intelligence found that more than 85% of Am Law 200 firms identify as having a practice group dedicated to issues of data privacy and security.
Johnson & Bell is likely to respond with a defense of “no hack, no harm.” And it is important to remember that these are all only allegations in a complaint. But if Edelson overcomes the defendant’s prima facie objection, then it’s Katy bar the door.
Next year could make Big Law’s cybersecurity woes in 2016 look like a cake walk.
ALM Intelligence Notes:
- Equity Bloodbath: As a result of its biennial equity reallocation, Kirkland & Ellis has changed its framework for allocating equity partner profits, while cutting the shares of its top partners and others. According to The American Lawyer, Kirkland’s litigation partners were particularly hard hit.
- Lateral Hiring Due Diligence: A new ALM Intelligence report examines the obstacles firms face when navigating the due diligence phase of the lateral partner hiring life cycle.