Hepler Broom, LLC

Law Firm Faces Off Against Carrier/Client for Data Breach

May 5, 2020

An Unexpected Adversary and Risk in Notice Decisions?

You expect consumer complaints and even class action threats in the wake of a law firm data breach. But does a defense law firm expect to be sued by the carrier for the clients it represents? Whether surprising or not, it is happening and law firms must take note. In today’s world there are sometimes tensions between the interests of insurance companies and the law firms engaged to represent the ultimate client—the insureds. Now, it appears that law firms’ decisions following information security incidents have advanced up the list of potential tensions. Is there a better way forward?

Making a Federal Case Out of It

Late last month a carrier sued one of its long-standing law firms for breach of express and implied contracts, breach of fiduciary duty, and negligence for failing to: (1) maintain appropriate response plans to deal with a data breach; (2) conduct a prompt and adequate investigation of what occurred; and (3) notify the carrier and the insureds of a data breach. Hiscox Insurance Company Inc. v. Warden Grier, LLP, Case No. 4:20-cv-00237-NKL (W.D. Mo. 03/27/20).

For client matters assigned to the law firm, they received the carrier’s confidential and proprietary information and protected health (“PHI”) and personal identifiable information (“PII”) regarding its insureds. According to the complaint, the carrier and the law firm entered into two contracts in 2011 governing their engagement for first-party business and casualty business. The express terms of engagement contracts required the law firm to “retain either originals or copies of all file documents relating to the claim” and “have in place an appropriate disaster recovery plan with appropriate back-up to ensure the continuity of services in the event of a disaster.” The carrier contends that these provisions embrace the kind of calamity that activates a disaster response plan, but the agreements do not specifically reference cyber breaches or more recently widespread cyber breach incident response plans.

The carrier also alleges that the terms of engagement agreements at least implicitly included ethical obligations to secure client information. The complaint cites Missouri Rules of Professional Conduct, Rule 4-1.6, which provides: “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of the client.” The carrier also refers to paragraph 8 of the Comment to ABA Model Rule 1.1, which states, in part, that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks of technology….”

As an aside, the complaint is silent as to the steps taken by the carrier to evaluate the integrity of the data protection measures in place at the law firm. It is now commonplace for insurers to vet law firm information security systems and policies with extensive questionnaires and discussions prior to engagement. Insurers also takes steps in the underwriting process for commercial policies to evaluate insureds’ preparedness for cyber and information security incidents and breaches.

A Very Bad Day in 2016: The Breach

In December 2016 hackers gained access to sensitive information during what appears to be a ransomware attack on the law firm’s computer system and servers. The law firm contacted the FBI and engaged outside counsel but allegedly failed to engage an outside forensic firm to investigate. The law firm decided to pay the ransom to protect its clients’ personal information but did not notify the clients or the carrier of these events. The complaint is silent as to what reasonable protective measures could have avoided the intrusion. It primarily takes issue with the law firm’s decision that notification was not required, which can happen in ransomware situations depending on what state’s law applies and if there is no indication the criminals accessed or exfiltrated the protected data. But this is a difficult judgment call as hackers today are reneging on ransom deals and stealing the data for future profit.

According to the carrier, in March 2018 it discovered that someone had leaked its information and insureds’ PII on the dark web following the 2016 incident. Following discussions with the law firm, the carrier conducted its own forensic investigation to determine whether it had privacy notification obligations. It then made its own determination to notify its insureds and consequently alleges it suffered operational losses and costs, and notification and client accommodation costs in excess of $1,500,000. As is often the case, there is no allegation that any specific insured has yet been harmed.

Lawyers and Law Firms in the Crosshairs

Law firms and lawyers are targets for cyber attacks—that is nothing new. Law firms are a target-rich environment for computer system compromise due to the massive volume of PHI, PII, trade secrets, non-public transactional details, and attorney-client privileged communications they hold. And like any other commercial enterprise, law firms must comply with myriad state notice requirements, general data security and privacy laws, content specific laws and regulations, and regulatory requirements.

If that were not enough to incentivize reasonable compliance efforts, the exposure and costs of dealing with an intrusion can be staggering. Consider:

  • Forensic investigations
  • Network remediation and new safeguards
  • Data recovery and restoration
  • Potential ransom and cyber extortion payments
  • Business interruption
  • Compliance with state notifica­tion laws:
    • Legal advice as to extent of notice obligations
    • Mechanics of actual notice
  • Legal defense/potential civil penalties from potentially multiple regu­latory investigations
  • Reputational harm and potential Attorney Malpractice Liability
  • Potential Third Party Liability:
    • Statutory damages, potentially class-wide
    • Legal defense
    • Credit monitoring services, and on and on.

Comment 18 to ABA Model Rule 1.6(c) helps define what constitutes an attorney’s “reasonable efforts” to prevent disclosure of client data by explaining that the sufficiency of an attorney’s efforts to safeguard client infor­mation requires evaluation of “the sen­sitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing addi­tional safeguards, the difficulty of imple­menting the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).” ABA Model Rule 1.6(c).

These considerations, the elements of negligence and fiduciary duty claims, and the technical aspects of the context virtually assure that any case against a law firm will survive dismissal and involve lengthy proceedings for the firm and likely its insurer.

Lessons in the Aftermath

It is unclear on the pleadings alone what safeguards the law firm deployed. In the aftermath of a breach, hindsight is 20-20 and insurance companies will have no shortage of best practices to compare to a law firm’s efforts, much in the same way exclusions may be evaluated. The law firm as a victim of a third-party’s criminal act, with no indication of real harm to its clients, will have defenses. But are the parties taking actions that make sense or assuming costs that could have been avoided?

The point is that this type of litigation is a bad thing for both insurance companies and defense lawyers. It can be avoided by clear communications and clear expectations. The simple fact of a ransomware incident does not mean that a law firm has failed. Pitting the law firms’ cyber liability carrier against the client carrier may create satellite litigation which comes at a cost. Publicly highlighting an exposure of information will draw the eye of class action lawyers. Law firms must build into their networks the protection of client data—an obvious given. If there is a clear duty on the part of a law firm to report a cyber incident (not necessarily a breach) within a reasonable time frame of discovery, the likelihood of this situation occurring is drastically reduced. If there is advance discussion on whether any notification or other remedial actions are required in a given situation, the parties can resolve matters far more efficiently and better serve the interests of all stakeholders.

COVID-19 Updates

HeplerBroom is pleased to announce that its physical offices have reopened. While the health and safety of our clients, employees, and families, remain our top priority, HeplerBroom attorneys and staff are returning to our offices on full-time or modified schedules. Our offices are open to visitors and clients with scheduled appointments, with appropriate screening of visitors and social-distancing protocols. HeplerBroom will continue to follow CDC recommendations for cleaning and sanitizing.

We are very proud of the dedicated efforts of our attorneys and staff to provide great service and work product to our clients during the pandemic. This would not have been possible without the incredible support provided by the HeplerBroom IT Department and other essential personnel who supported our personnel and clients from the office locations while the rest of our teams worked remotely.

If you have questions about visiting our offices, please do not hesitate to contact us. We look forward to seeing you in person again in the near future.