Earlier this year, Bloomberg Law reported that Edelson PC, a leading plaintiffs’ firm in privacy and data security law, filed a class action lawsuit against a regional law firm that had vulnerabilities in its information security systems. This week, the identity of the firm and the allegations of the lawsuit were unsealed. The case, Shore v. Johnson & Bell, LTD, No. 1:16-cv-04363 (N.D. Ill. Apr. 15, 2016), alleges that Johnson & Bell (“the firm”), a Chicago-based law firm, was negligent and engaged in malpractice by allowing information security vulnerabilities to develop that created risks to client information. This blog post explains the alleged vulnerabilities, analyzes the merits of the lawsuit, and discusses what it means for other law firms, their clients, and service providers.
By coincidence, Fortune reported earlier this week that China stole data from major U.S. law firms: “The evidence obtained by Fortune did not disclose a clear motive for the attack but did show the names of law firm partners targeted by the hackers. The practice areas of those partners include mergers and acquisitions and intellectual property, suggesting the goal of the email theft may indeed have been economic in nature.” These developments are reminders that information security must be a high priority for all law firms.
The Johnson & Bell Lawsuit
The lawsuit is based on three alleged vulnerabilities in the firm’s information security infrastructure. According to a court filing, the vulnerabilities have now been addressed and fixed.
First, the lawsuit alleges that the firm’s Webtime Server, an application attorneys use via any web browser to remotely log in and record their time, was based on the 2005 version of the Java application server JBoss. The Complaint alleges that the 2005 version of JBoss has been identified by the National Institute of Standards and Technology as having an exploitable vulnerability. Plaintiffs also allege that hackers have taken advantage of the vulnerability in other situations to conduct ransomware attacks.
Second, the lawsuit alleges that the firm’s virtual private network (VPN) server contains a vulnerability. Companies use VPNs to allow their employees to remotely access company information in an encrypted, secured manner. The secured nature of a VPN connection allows companies to feel comfortable providing access to highly sensitive internal resources and databases. Sometimes, a temporary disconnection occurs while an employee is using a VPN connection. The Complaint alleges generally that when the firm’s VPN sessions were disconnected, the renegotiation (the re-establishment of the VPN session) was insecure, making it vulnerable to a “man-in-the-middle” attack. A man-in-the-middle attack is a cyberattack in which the hacker positions himself between the two communicating parties, relaying their traffic so that he can eavesdrop on the communications and steal confidential information.
Finally, the Complaint alleges that the firm’s email system was vulnerable because it supports version 2.0 of SSL. Secure Sockets Layer (SSL) is a form of technology that creates an encrypted tunnel between a server and a client (for example, a web server and a browser) to ensure that information passing through the tunnel is protected from hackers. Version 2.0 was replaced by version 3.0 in 1996. In 1999, Transport Layer Security (TLS) replaced SSL entirely. Since then, TLS has been updated at least twice. According to the Complaint, the use of SSL 2.0 made the firm susceptible to a DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) attack that could allow hackers to access the contents of the firm’s emails and attachments. The Complaint claims that the Panama Papers breach was a result of a similar attack.
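The practical question raised by this allegation is whether a server still answers an SSL 2.0 handshake at all, because that is the precondition for DROWN. The following is an added example written for this post (it is not code from the Complaint, the firm, or any vendor): it encodes an SSL 2.0 CLIENT-HELLO and decodes an SSL 2.0 SERVER-HELLO using the message layout from the original Netscape SSL 2.0 specification, then summarizes what the answer means. The sample SERVER-HELLO bytes are constructed here for illustration; the port number 465 (SMTP over TLS) in `probe` is an assumption, since the Complaint does not say how the firm’s mail server was exposed.

```python
"""Added example: detect SSL 2.0 support, the precondition for DROWN.

Builds an SSLv2 CLIENT-HELLO, decodes an SSLv2 SERVER-HELLO, and reports
whether the server still speaks SSL 2.0 (and offers 40-bit export ciphers).
Message layouts follow the Netscape SSL 2.0 specification.
"""
import socket
import struct

# SSL 2.0 cipher kinds (3-byte identifiers from the SSL 2.0 specification).
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}  # 40-bit "export" kinds


def build_client_hello(challenge: bytes = b"\x11" * 16) -> bytes:
    """SSLv2 record: 2-byte header (high bit set, no padding) + CLIENT-HELLO."""
    specs = b"".join(SSLV2_CIPHERS)            # offer every SSL 2.0 cipher kind
    body = (b"\x01"                             # MSG-CLIENT-HELLO
            + b"\x00\x02"                       # CLIENT-VERSION = 2
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)                # no session id, fresh challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(record: bytes) -> dict:
    """Decode an SSLv2 SERVER-HELLO; return {} for anything else (e.g. a TLS alert)."""
    if len(record) < 2 or not record[0] & 0x80:      # SSLv2 2-byte header only
        return {}
    length = ((record[0] & 0x7F) << 8) | record[1]
    body = record[2:2 + length]
    if len(body) < 11 or body[0] != 0x04:            # MSG-SERVER-HELLO
        return {}
    version = struct.unpack(">H", body[3:5])[0]      # body[1]=session hit, [2]=cert type
    cert_len, specs_len, conn_len = struct.unpack(">HHH", body[5:11])
    pos = 11
    cert = body[pos:pos + cert_len]
    pos += cert_len
    specs = body[pos:pos + specs_len]
    pos += specs_len
    conn_id = body[pos:pos + conn_len]
    offered = [specs[i:i + 3] for i in range(0, len(specs), 3)]
    return {
        "version": version,
        "certificate_bytes": len(cert),
        "ciphers": [SSLV2_CIPHERS.get(c, c.hex()) for c in offered],
        "export_ciphers": [SSLV2_CIPHERS[c] for c in offered if c in EXPORT_CIPHERS],
        "connection_id_bytes": len(conn_id),
    }


def assess(hello: dict) -> str:
    """One-line verdict: any SSL 2.0 answer at all is the DROWN precondition."""
    if not hello:
        return "no SSLv2 SERVER-HELLO: SSL 2.0 appears disabled"
    if hello["export_ciphers"]:
        return "SSL 2.0 enabled with 40-bit export ciphers: DROWN precondition present"
    return "SSL 2.0 enabled: DROWN precondition present"


def probe(host: str, port: int = 465, timeout: float = 5.0) -> dict:
    """Send the CLIENT-HELLO to a server that speaks TLS directly on the port
    (port 465 assumed for SMTPS) and decode whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        try:
            while len(data) < 4096:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return parse_server_hello(data)


def constructed_server_hello() -> bytes:
    """Constructed sample (not a real capture): an SSL 2.0 server answering with
    a 4-byte placeholder certificate, three cipher kinds (one export) and a
    16-byte connection id."""
    cert = b"CERT"                                   # stands in for a DER certificate
    specs = b"\x01\x00\x80" + b"\x02\x00\x80" + b"\x07\x00\xc0"
    conn = b"\x22" * 16
    body = (b"\x04" + b"\x00" + b"\x01" + b"\x00\x02"   # hello, no hit, X.509, version 2
            + struct.pack(">HHH", len(cert), len(specs), len(conn))
            + cert + specs + conn)
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    print(assess(parse_server_hello(constructed_server_hello())))
    print(assess(parse_server_hello(b"\x15\x03\x01\x00\x02\x02\x46")))  # TLS alert
```

A server that has SSL 2.0 disabled answers the probe with a TLS alert record (first byte 0x15, high bit clear) or simply closes the connection, so `parse_server_hello` returns an empty dict and `assess` reports it as disabled. A mail server that only offers TLS after a STARTTLS command needs the SMTP dialogue first; the same encoder and decoder apply once the socket has been switched to TLS mode.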
Notably, the Complaint does not allege that the firm actually suffered a compromise of sensitive information, that a successful cyberattack occurred, or even that a cyberattack was attempted. In other words, the lawsuit is based on the firm’s alleged state of security that may make it vulnerable to an attack in the future.
Who is the class? Plaintiffs (Jason Shore and Coinabul, LLC) are former clients of the Johnson & Bell firm. The firm defended Plaintiffs in a class action lawsuit alleging that Plaintiffs defrauded consumers by accepting payments in the form of bitcoins while refusing to ship gold or silver ordered by customers. See Hussein v. Coinabul, LLC, No. 14 C 5735 (N.D. Ill. 2014). Plaintiffs define the class as all of the firm’s clients within the statute of limitations period except insurance companies and clients operating in the healthcare industry. Why insurance and healthcare companies are not included in the proposed class is not evident from the allegations. It could be that those industries are more highly regulated in privacy and data security and therefore would have had a greater duty to ask questions of the firm about its information security practices. It is not clear, though, why financial institutions, the most highly regulated sector in data security, were not also excluded from the class on that reasoning.
The Complaint is based on four causes of action:
- Breach of implied contract – Plaintiffs allege that, as a term of the engagement agreement, the firm promised to keep a file for the work they performed on Plaintiffs’ matter. The Complaint claims there was an implied promise that the firm would use reasonable methods to keep Plaintiffs’ information confidential, which was breached by the firm’s security vulnerabilities.
- Negligence – Plaintiffs claim the attorney-client relationship automatically created a duty to adopt industry standard data security measures, which was breached as evident by the alleged vulnerabilities.
- Unjust enrichment – Plaintiffs argue that a portion of the attorney’s fees they paid to the firm was for the administrative cost of data security to maintain the confidentiality of client information. Plaintiffs seek return of that amount of the fees paid.
- Breach of fiduciary duty – Plaintiffs claim that the failure to implement industry standard data security measures and resulting vulnerabilities were breaches of the firm’s fiduciary duty to Plaintiffs.
What is the injury? Plaintiffs allege they were injured because the security vulnerabilities created (1) a diminished value of the services they received from the firm, and (2) a risk that their sensitive information may be compromised at some point in the future (which could result in damages from that theft). Plaintiffs measure their damages as the portion of fees paid to the firm that were meant to be for the administrative cost of securing client information. Plaintiffs have also asked the court to require an independent third-party security audit of the firm’s systems.
Is a Vulnerability by Itself Enough to Meet Standing Requirements?
In my opinion, the lawsuit is fatally flawed because there was no attack or attempted attack on Plaintiffs’ information, let alone actual unauthorized access or acquisition of the information. The firm’s security system was analogous to an unlocked door to a home that nobody burglarized. The plaintiffs indisputably suffered no financial damages as a result of the alleged vulnerabilities, and the vulnerabilities were identified (albeit by this lawsuit) and addressed before any actual harm occurred.
If the mere risk of harm at some point in the future is enough to allow a lawsuit to proceed, then every company in America should be concerned. Most companies probably have similar unknown vulnerabilities in their systems. The challenge with information security is that it is like a game of “Whack-A-Mole” — the fast-paced and constantly changing threats and defenses mean that new vulnerabilities are always emerging, so it is almost impossible to eliminate all vulnerabilities. The floodgates will be blown wide open if a lawsuit based only on the mere existence of a vulnerability is considered actionable.
That said, the Edelson firm is one of the most creative plaintiffs’ privacy and data security firms in the country. They have made their name by doing things differently from their peers. They are known for pushing the envelope and expanding the boundaries of liability in privacy and data security law. For example, in Resnick v. AvMed they were the first firm to persuade a U.S. Circuit Court of Appeals to apply the unjust enrichment theory to data breach class actions. Other courts have since applied that theory in allowing data breach class action lawsuits to proceed. The Resnick case subsequently settled for over $3 million.
In In re: LinkedIn User Privacy Litigation, No. 5:12-cv-03088 (N.D. Cal. 2012), at a time when other plaintiffs’ firms were pursuing data breach liability based on a failure to adopt reasonable security safeguards, they persuaded the court of a new theory: that the gravamen was not the failure to adopt certain security safeguards, but the misrepresentations in consumer-facing statements about the safeguards that were actually in place. The LinkedIn case settled for $1.25 million.
In Spokeo v. Robins, a case that was appealed all the way to the U.S. Supreme Court, the Edelson firm argued to the Court that the mere violation of a privacy statute without other damages or harm is sufficient to confer standing on a plaintiff. The Court’s decision gave plaintiffs a roadmap for circumventing the standing problem.
But no case has gone this far – to hold that a mere vulnerability without a compromise of information, an attack, or an attempted attack, is actionable. Doing so would essentially change the data security class action litigation “ball game” once again.
The Impact on Everyone Else
This lawsuit is important because of its potential impact on several key groups. The first is other law firms. Every firm should immediately determine whether it has the same vulnerabilities alleged in the Complaint. Law firms should be concerned that similar vulnerabilities could lead to similar lawsuits, whether or not an actual attack has occurred. They should be prepared to respond to client inquiries by explaining what safeguards they have adopted to protect sensitive client information, consistent with their legal and ethical obligations. (For a discussion of these obligations, read my July 2013 blog post on the subject.) Firms should also review and update their engagement letters for promises and disclaimers to their clients about information security.
This leads to the second group of impacted individuals: the law firms’ clients. Every company should have in place a vendor management program that incorporates information security as part of the due diligence process, and law firms are service providers like the rest of the companies’ vendors. Companies should be asking their outside counsel as part of the due diligence process how they protect client data: what administrative, technical, and physical safeguards are in place? Has the firm obtained an independent third-party certification (like ISO 27001) or performed a risk assessment by an information security expert? (I was pleasantly surprised to see the Complaint refer to Shook, Hardy & Bacon’s ISO 27001 certification as an example of what law firms should be doing).
Beyond asking questions, clients need to identify what they expect from their law firms in terms of specific security requirements and communication about vulnerabilities or notifications of data incidents. This lawsuit may have been avoided if the engagement letter had required notice of material vulnerabilities. The questions clients should be asking their law firms can (and will) be the focus of an entirely separate blog post.
The third group impacted by this lawsuit will be the service providers law firms use for information security services. Small firms commonly outsource most or all of their information security to these providers. Even large firms use service providers for information security services that include threat detection, data loss prevention, firewall implementation, and cloud storage.
Firms also purchase licenses for applications that may present security risks, similar to the alleged vulnerability in the Webtime service. These applications require a separate security vetting by the law firm before they can be used.
I suspect this is the first of what will be a series of lawsuits relating to law firm security brought by the Edelson firm and plaintiffs’ firms that follow their lead. It will be interesting to see whether courts allow a lawsuit based on a security vulnerability alone to proceed or dismiss it for lack of standing.