In what undoubtedly portends things to come, recently unsealed court files reveal that the first data security class action complaint against a domestic law firm was formally filed. Chicago-based Johnson & Bell, a firm of more than 100 attorneys that recently celebrated its 40th anniversary, was named in a lawsuit alleging that it failed to appropriately protect confidential client information. That lawsuit was filed by Johnson & Bell’s former clients, bitcoin-to-gold exchange Coinabul LLC and its Chief Operating Officer, Jason Shore.
Coinabul and Mr. Shore set forth a four-count Complaint alleging breach of contract, negligence, unjust enrichment, and breach of fiduciary duty. Underpinning all of these claims were the following core allegations: the defendant law firm’s time-tracking system (“Webtime”) was built on a “JBoss Application Server” which was out-of-date and suffered from a critical vulnerability, leaving it susceptible to hacking; its virtual private network (“VPN”) supported insecure renegotiation, leaving it vulnerable to man-in-the-middle attacks; and, finally, the firm’s email system had broken security that left it susceptible to attack. In short, plaintiffs allege the firm failed to implement industry-standard data security measures with respect to its Webtime, VPN, and email services, resulting in certain vulnerabilities that could expose confidential client information.
The hypothetical exposure of confidential client information makes this lawsuit all the more interesting – plaintiffs did not actually allege that Johnson & Bell’s Webtime, VPN, or email services were ever compromised, or that confidential information was ever leaked. These points were all raised in Johnson & Bell’s subsequently filed motion to dismiss. That motion was ultimately never ruled upon, as the parties are now engaged in a confidential arbitration.
While the outcome of this suit might never become public, the takeaway lesson is apparent – attorneys and law firms must remain diligent, and continue to take reasonable efforts to maintain client confidentiality and properly secure data.