Data security class action sets unsettling precedent for flat-footed law firms

On the heels of a year that will likely go down as among the most tumultuous for the legal services industry, a recently unsealed class action suit poking a sharp stick at one of its greatest weaknesses has ushered in the new year with alarm bells warning that 2017 gets no easier.

The case, Shore et al v. Johnson & Bell, Ltd, is the first to allege legal malpractice over a law firm’s data security practices, an accusation that may have profound ramifications in an industry where sub-par security is said by many to be the norm. According to the ABA, around a quarter of large and mid-sized law firms — clearinghouses for their clients’ most sensitive business materials — have fallen victim to data breach. While the vast majority go unreported, a pair of high-profile incidents over the last year, the admission of breaches by Cravath and Weil Gotshal and the so-called “Panama Papers” hack, have sent the industry reeling.

Although it is unclear whether the plaintiffs have actionable claims based on their complaint, its mere filing signals yet another loud wake-up call for law firms either uneasy about, or oblivious to, their ability to secure client data in unprecedented times.

‘Systematically exposing confidential client information’ 

According to the complaint, from 2014 to 2015, plaintiffs Coinabul, LLC, a bitcoin exchange website, and Jason Shore retained the Chicago-based law firm Johnson & Bell for legal representation, spending about $30,000 total for the representation. During the course of that relationship, Coinabul and Shore allege they were instructed to send confidential information such as trade secrets and customer information to Johnson & Bell attorneys via email. 

The firm also stored confidential client data in its computerized billing system, and this data remained on Johnson & Bell’s servers and billing systems after the representation concluded. The plaintiffs claim, however, that after terminating the representation they discovered that Johnson & Bell’s security measures were out of date and vulnerable to hacking. In April, they filed a sealed complaint alleging breach of contract, negligence, unjust enrichment, breach of fiduciary duty, and legal malpractice. Specifically, the plaintiffs say the firm “systematically expose(d) confidential client information” by:

  • Running billing software on an outdated version of the Java-based application server called JBoss — now known as WildFly — that is purportedly insecure.
  • Using an insecure virtual private network (VPN) that could be accessed from public WiFi, leaving client data vulnerable to “man-in-the-middle” attacks.
  • Using a self-hosted email server with obsolete encryption, exposing the firm to DROWN attacks, which allow hackers to steal sensitive communications, credit card information, trade secrets and passwords; and FREAK attacks, which can help hackers bypass SSL encryption protection on email and other servers.

Although the plaintiffs do not provide evidence that their data was actually compromised, they are requesting a preliminary injunction enjoining the defendant from exposing client data via its VPN, e-mail servers or billing software. They also seek a court order that:

(i) declares the firm’s conduct to be legal malpractice,

(ii) requires the firm to notify all clients about the data vulnerabilities and state that any information they submitted to the firm isn’t secure,

(iii) compels the firm to undergo a security audit to determine the extent of any data breaches that may have already occurred, and

(iv) requires the firm to forfeit both attorneys’ fees earned during the breach and any profits diverted from spending on cybersecurity.

While the plaintiffs initially filed the lawsuit under seal to avoid tipping off hackers as to where to find their confidential data, they moved to unseal the complaint in December after Johnson & Bell implemented patches that fixed the vulnerabilities.

Pro-plaintiff ruling could have lasting fallout 

While it is too early to tell if Shore will lead to any substantial legal precedent, the case has the potential to seriously impact the day-to-day operations of law firms, spawn copycat lawsuits, and create a new source of malpractice liability if the plaintiffs prevail. 

But while the allegations are striking, it is what the suit lacks that is perhaps most unnerving for law firms, which must contend with a new world in which they can face reputation-tarnishing malpractice suits where no real damage was done, or even alleged. Indeed, the suit represents an instance of alleged malpractice where the plaintiffs appear to state no harm or causation of damages.

The remedies sought, nevertheless, are bold and far-reaching. The Shore plaintiffs, who bring the suit on behalf of other firm clients, are requesting sanctions and other redress from law firms that run any computerized system containing potential security flaws. While such a move in theory encourages law firms to take whatever steps are necessary to meet their professional duty to secure client data, it perhaps overlooks the likelihood that some firms don’t have the resources to do so. The complaint, for example, ignores in its discussion of the firm’s billing system that millions of organizations currently rely on legacy versions of the JBoss application server because their systems are not compatible with newer, more secure versions. While well-heeled law firms can navigate this and similar challenges, a plaintiff-friendly holding in Shore could bring a wave of lawsuits against firms that are less well-positioned to quickly update their aging infrastructures.

A victory for the plaintiffs could also spur increased self-regulation or government oversight of law firm data protection practices, which could benefit clients by incentivizing law firms to do more to earn clients’ trust and business. As the complaint mentions, many BigLaw firms are already taking a self-regulation approach to cybersecurity, with some firms forming coalitions with cybersecurity experts to improve their practices, and others obtaining ISO-level security certifications. 

However, as New York’s proposed cybersecurity regulations for financial institutions have demonstrated, government regulation typically does not achieve a one-size-fits-all solution, and often results in a number of burdensome rules and administrative costs that could make it difficult for some law firms to operate.

Then again, it’s also possible that the complaint will not result in any new rules or regulations, but instead be another example of a highly publicized development from which no meaningful change comes. The claims themselves are indeterminate, as well: Although the plaintiffs go into detail about the various alleged vulnerabilities in Johnson & Bell’s infrastructure, they never once claim any of their own data was actually compromised as a result of those vulnerabilities. The firm was quick to highlight this, calling the lawsuit “specious” and “baseless”. It is yet to be seen if the suit will survive a motion to dismiss or if any new factual allegations will arise. But, regardless, it represents a novel shot across the bow to an industry whose security practices are already under siege.

This post was authored by Logikcull contributor Eric Pesale, a soon-to-be attorney who recently graduated from the New York Law School. Eric writes regularly for the Logikcull blog, focusing on the legal impact of emerging technologies. He can be reached at epesale@gmail.com or on Twitter at @ericpesale.

For steps you can take to secure client data and avoid malpractice allegations, check out our whitepaper below.