Although data breaches and data breach litigation are not rare, trials concerning the appropriate response to cybersecurity incidents are. For this reason many, particularly those involved with incident response, have been keeping a close eye on a federal trial underway in Missouri. The case involved a law firm sued by its former client, an insurance company, for claims concerning the law firm’s purported mishandling of a data breach. Hiscox Ins. Co. Inc. et al v. Warden Grier LLP, No. 4:20-cv-00237 (W.D. Mo.). This dispute highlights the serious litigation risk across industries for cyberattacks and data breaches. Read on to learn more.
I. Case Background
In March 2020, Plaintiffs Hiscox Insurance Company Inc. and Hiscox Syndicates Limited (collectively, “Hiscox” or “Plaintiff”) filed a complaint (the “Complaint”) in federal court in Missouri against Warden Grier LLP, a law firm located in Missouri (“Defendant Law Firm” or “Defendant”).
According to the allegations in the Complaint, Plaintiff retained Defendant Law Firm to render professional legal services to be carried out in conjunction with Plaintiff’s operations as an insurance provider. As such, Plaintiff asserted, for the duration of this attorney-client relationship, Defendant Law Firm received “highly sensitive, confidential, and proprietary information, including protected health and personally identifiable information belonging to [Plaintiff] and/or [Plaintiff’s] insureds.” Compl. ¶9. Central to Plaintiff’s claims was the core allegation that “[Defendant Law Firm] was obligated to take adequate measures to protect sensitive [personal information] (‘PI’) belonging to its clients, including [Plaintiff and Plaintiff’s insureds], and to notify [Plaintiff] of any failure to maintain the confidentiality of PI belonging to [Plaintiff] and its insureds.” Id. at ¶10.
In December 2016, an international hacking organization referred to as “The Dark Overlord” purportedly obtained unauthorized access to the law firm’s computer system containing all of the sensitive information, including PI, stored on Defendant’s servers (the “Data Event”). Id. at ¶11. The Data Event purportedly involved personally identifiable information belonging to approximately 8,500 individuals being copied from Defendant Law Firm’s server.
However, Plaintiff alleged that, unlike other entities targeted in a cyberattack, Defendant Law Firm “contacted outside attorneys and the FBI to investigate the matter, but did not hire a forensic IT firm to investigate the 2016 [Data Event] or, if it did, has refused to provide [Plaintiff] with the findings of any such investigation.” Id. at ¶12. Plaintiff also alleged that the Law Firm “actively concealed or otherwise did not notify [Plaintiff] or [Plaintiff]’s insureds—all of whom were [Defendant Law Firm’s] clients” of the Data Event. Id. at ¶13.
In fact, according to the pleadings filed in the litigation, it was not until March 2018 that Plaintiff learned of the Data Event, via a social media post indicating that some of Plaintiff’s data had been posted on the “dark web.” Id. at ¶17. Plaintiff alleged that, due to Defendant Law Firm’s failure to properly respond to the Data Event and notify impacted individuals of it, Plaintiff incurred damages in excess of $1.5 million relating to incident response and notice costs and/or fees.
Plaintiff brought claims against Defendant Law Firm for (1) breach of contract (Count I), (2) breach of implied contract (Count II), (3) breach of fiduciary duty (Count III), and (4) negligence (Count IV). However, unlike many data breach litigations, which are dismissed or settled, this case entered discovery after Defendant Law Firm’s Partial Motion to Dismiss was denied, and Defendant Law Firm was subsequently unsuccessful at obtaining a complete exit from the litigation at summary judgment.
Last week the case culminated in a multi-day trial which ultimately resulted in a jury verdict for the Defendant Law Firm. However, the long path to victory and repeated setbacks along the way underscore the significant litigation risk to all entities in the wake of a cyberattack.
II. Litigation Takeaways
Below are our key takeaways concerning lessons learned from this litigation.
1. No Entity is Immune From Cyber or Data Breach Litigation Risk
This decision is a sobering reminder that all entities have exposure to cyber risk and accompanying litigation. As cyberattacks become more sophisticated and occur with increasing frequency, the number of data breach litigations filed has correspondingly increased year over year. And in the absence of a uniform federal cybersecurity or data breach statute, plaintiffs in such cases will continue to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (when applicable). Defeating such claims at the pleadings stage can be challenging for defendants—increasing the cost and time involved in defending data breach litigations.
Law firms, such as the one involved in this dispute, need to be especially careful given the sensitive nature of the information that they generally maintain on behalf of clients. Further, this sort of breach and a law firm’s response to it can implicate not only the firm’s business reputation but also the rules of professional conduct and its malpractice insurance.
2. All Corporate Entities Should Have an Incident Response Plan and Appropriate Technical Controls in Place Before a Cyberattack or Data Breach Occurs
This case also underscores an underlying truism in the realm of data privacy and cybersecurity: the best offense is a strong defense. All organizations should have a written cybersecurity policy, with practices and processes in place to protect sensitive business information. In conjunction with this policy, organizations should also have an up-to-date incident response plan (“IRP”) that addresses how the entity would respond to a cyberattack. Finally, employee training should be consistent with these practices, procedures and the IRP. At the very least, organizations should practice their response to cybersecurity incidents, e.g. through tabletop exercises, not only to test the effectiveness of their IRP, but also to ensure the team is adequately trained to work together through the fog of a cybersecurity attack.
As underscored by this litigation, claims brought in the wake of a data breach will focus not only on the scope of the event itself (including, for instance, the scope and types of data involved) but also on whether the organization responded appropriately once the event was discovered. Therefore, to mitigate the litigation risks, organizations should invest in a good defense – particularly where there are additional industry-specific concerns, such as the rules of professional conduct.
3. Cybersecurity and Data Breach Litigation Risk Exists Outside the Context of Putative Data Privacy Class Actions
Cyber threat actors are increasingly motivated not only by individual financial gain (e.g., exfiltration and sale of personal data on the dark web) but also by nationalistic aims in the case of state-sponsored attacks, or by the goal of gaining access to proprietary information and trade secrets. This development, in turn, has resulted in a diversification of cyber risks and the accompanying litigation risk. Although much attention has focused (for good reason) on large putative class actions brought in the wake of a data event, many cases brought do not fit this model. For instance, litigation filed in the wake of the Colonial Pipeline cyberattack concerned consumer pricing claims brought by purchasers of gas and operators of gas stations.
Outside of this litigation, warning signs persist that the legal fallout from a data breach can extend to company executives and the board. As just one example, in 2020 a company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of a felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016 and exposed the data of 57 million individuals.
For publicly traded companies, the fallout from a data breach can extend to shareholder derivative suits alleging, among other claims, that the board of directors failed to implement and maintain an effective system of internal cybersecurity controls to prevent data breaches. Additionally, the Securities and Exchange Commission and other regulatory bodies, such as the Federal Trade Commission, have also recently prioritized cybersecurity and data privacy. Suffice it to say, the litigation risk landscape concerning issues arising in the wake of a data breach or cyberattack is multifaceted.
This may be one of the few data breach lawsuits that goes all the way through to a verdict. Most lawsuits will settle long before trial. It takes exceptional circumstances – perhaps having the rules of professional conduct implicated – to bring a matter to trial. The circumstances of this defense victory likely depended on the specific contents of the contract between the defendant and plaintiff. There appear to be quite a few lessons to learn from the forensic investigation conducted by the defendant, based on the information shown on the record, but as portions of that record remain sealed, a comprehensive review is not possible.