On February 20, the United States District Court for the District of Columbia ruled that a law firm must defend against a malpractice claim grounded in a data breach it suffered during a cyberattack.

In this case, the plaintiff, Guo Wengui, alleged that he was a well-known Chinese dissident who had exposed systemic corruption and widespread human rights abuses by the Communist Party of China (“CCP”), China’s ruling political party. Following this exposure, the plaintiff alleged, persecution from the Chinese government drove him to seek political asylum in the United States. The plaintiff further alleged that the Chinese government continued its persecution of him even after his arrival in the United States. This persecution allegedly involved the coordination of a “malicious negative propaganda campaign” against him, including the coordination of a demonstration outside his home.

Eventually, the plaintiff retained legal counsel. The plaintiff warned the firm that, as a result of representing him, the firm could face cyberattacks from the Chinese government. In response, the firm promised that it could and would take countermeasures to protect against such cyberattacks, including keeping the plaintiff’s confidential information off the firm’s computer server.

On September 12, 2017, the law firm suffered a cyberattack that targeted the firm’s computer servers. Despite the firm’s representations, its servers contained a substantial amount of personal information concerning the plaintiff and his spouse. Among other things, the attackers obtained their passport identification numbers and the plaintiff’s application for political asylum, and this information was published and disseminated on social media.

Following the breach, the plaintiff sued the law firm for legal malpractice, breach of fiduciary duty, and breach of contract. The firm moved to dismiss under Federal Rule of Civil Procedure 12(b)(6), arguing that the plaintiff’s complaint failed to state a claim.

First, the court addressed the plaintiff’s claim for breach of fiduciary duty. The court declined to rule that a corporation that fails to prevent a foreseeable cyberattack breaches fiduciary duties owed to its customers – a ruling that broke from prior data breach rulings in the District of Columbia and Georgia. However, the court ruled that, because attorneys owe their clients a fiduciary duty, the firm’s failure to fulfill its promise to keep the plaintiff’s information off its servers left the plaintiff vulnerable to precisely the attack about which he had forewarned. Additionally, the court found that the plaintiff’s allegations that the firm employed “inadequate [and] unreasonable” security measures adequately pled a breach of fiduciary duty, enough to survive a motion to dismiss.

The law firm also claimed that the plaintiff did not allege that the data breach caused him sufficient harm to sustain a cause of action. However, the court found that the publication of the plaintiff’s confidential information, “in the context of a broader propaganda campaign orchestrated by the CCP,” constituted an actual injury.

Based on the foregoing analysis, the court denied the law firm’s motion to dismiss the plaintiff’s claims for legal malpractice and breach of contract. This decision contains lessons for the cybersecurity industry.

First, the court’s denial of the law firm’s argument regarding the plaintiff’s alleged harm may provide guidance for attorneys fighting data breach lawsuits. In the 2016 case Spokeo v. Robins, the Supreme Court ruled that a plaintiff lacked standing to sue for the defendant’s disclosure of incorrect information about him, notwithstanding the availability of statutory damages, because neither the disclosure nor the statutory damages constituted a sufficiently concrete injury-in-fact. That holding caused many courts to question whether a data breach, without more, imposed sufficiently concrete harm to maintain a lawsuit, with some courts holding that it does not.

However, the firm did not style its motion to dismiss as a standing challenge pursuant to Rule 12(b)(1), choosing instead to challenge only the sufficiency of the plaintiff’s allegations under Rule 12(b)(6). Because the motion to dismiss relied solely upon Rule 12(b)(6), the plaintiff could parry it with nothing more than his unsubstantiated allegations. Had the motion cited Spokeo to mount a jurisdictional challenge under Rule 12(b)(1), it could have demanded that the plaintiff prove standing by a preponderance of the evidence, which may have proven more difficult. Moreover, the plaintiff’s allegation – that the data breach was part of a “broader propaganda campaign” against him – might have lacked the requisite causal link or proven too attenuated to support Article III standing, even assuming the breach qualified as harm for purposes of a breach of fiduciary duty claim.

The court’s decision also demonstrates a continuing trend that careful observers predicted several years ago: law firm clients suing their attorneys over a data breach. Courts will continue to hold law firms to a fiduciary standard when it comes to protecting their clients’ confidential information, and firms must meet that standard.
