A prominent Chinese dissident may proceed with his malpractice case against a law firm based on allegations that the firm failed adequately to protect his personal data from hackers, a Washington, D.C. district court said in an opinion on February 20. In his $50 million suit, the plaintiff, Guo Wengui, alleges that after he retained the firm, someone (assumed to be associated with the Chinese government) penetrated the firm’s computer servers, gained access to his confidential information and published it on the Internet.

The district court turned back the firm’s motion to dismiss and allowed most of Wengui’s claims to go forward. The case bears watching as cyberattacks increasingly target law firms, and legal IT teams struggle to stay one step ahead of security threats.

“Expect to be” a target

Wengui alleged in his complaint that he is a well-known dissident who exposed corruption and human rights abuses of the Chinese ruling party while he lived there. After he fled China in 2015, Wengui came to New York. Nonetheless, he alleged, the Chinese government has continued to harass him with demonstrations outside his home and a “negative propaganda campaign.” He applied for political asylum and retained the law firm for potential assistance..

According to the complaint, the firm assured Wengui that it could protect his interests. Wengui alleges that he warned the firm of the risks attendant to his status as a prominent dissident, including that the firm “should expect to be subjected to sophisticated cyber attacks,” and that it should “take special precautions” to prevent intrusion into and disclosure of his sensitive confidential information.

Nonetheless, Wengui alleged, in September 2017, the firm’s computer system was penetrated, and the hackers obtained Wengui’ s and his spouse’s sensitive personal information, including his asylum application. The information was published and disseminated on social media, the complaint says.

Was cyber-breach a breach of duty?

The court held that Wengui pleaded viable claims for malpractice, breach of fiduciary duty and breach of contract. Wengui’s claim that the firm’s information security measures were inadequate and unreasonable rested on more than the mere fact that “there was a cyber incident,” the court said. And while it did not find that all failures to protect against a foreseeable cyberattack would be actionable standing on their own, the court said that here, there were additional factors: Wengui “sufficiently” pleaded that the firm had misrepresented the manner in which it would protect his information in order to obtain his legal business.

Wengui also alleged that, despite the firm’s promise to take special precautions, it violated his express instructions by placing his confidential information on its servers and conveying it by e-mail, and that he was actually harmed when the Chinese government used the allegedly-hacked information as part of its “persecution and harassment” against Wengui.

These factors also pointed to the breach of the duty of reasonable care sufficient to sustain a malpractice claim at the pleading stage, and to support a breach-of-contract claim (although the latter “just barely,” said the court).

Corporate duty to protect?

In at least two cases, courts have gone so far as to hold that corporations have a duty to protect against a third person’s criminal act if the organization has a reason to anticipate the crime, and breaches its duty to customers if it fails to prevent a foreseeable cyberattack. See Attias v. CatreFirst, Inc., 365 F. Supp. 3d 1, 21 (D.D.C. 2019); In re Arby’s Rest. Grp. Inc. Litig., 2018 U.S. Dist. LEXIS 131140 (N.D. Ga. Mar. 5, 2018). In 2016, two plaintiffs filed a bellwether class action in the Northern District of Illinois against a law firm in advance of any cyber-breach, a development we discussed and one that worried commentators. The putative plaintiffs later withdrew the complaint, and the law firm targeted in the suit later sued the putative plaintiffs’ lawyers.

We’ve written before about the reported susceptibility of law firms to data security breaches. And late last year, the influential Sedona Conference proposed a new “data breach” privilege to protect information prepared in a cybersecurity context, even when not involving communication with an organization’s lawyer.

Negligence claims against law firms for information security breaches are sure to proliferate in the future as cybercriminals become ever more skillful and experienced in their attacks. All lawyers should take note.