Company Sues Its Law Firm Over Data Breach

The following is a post by guest blogger Sharon D. Nelson, Esq., President of Sensei Enterprises, Inc., a digital forensics, cybersecurity and information technology firm in Fairfax, Virginia.

Security Boulevard reported on April 20 that insurance company Hiscox has sued one of its law firms, Warden Grier, a four-person firm in Missouri. It had hired the firm to assist with “first party” non-marine insurance claims. The firm represented insureds who had purchased insurance from Hiscox – it therefore had both personal information about these clients and attorney-client privileged information.

In December 2016, the hacker group Dark Overlord broke into the law firm’s computers and stole data concerning Hiscox, as well as data on the clients of the insurance company. The law firm hired its own law firm and contacted the FBI to investigate, ultimately paying a ransom to the hacker group to keep the stolen data private. It is unknown whether the firm hired an independent forensics firm to investigate the scope and extent of the breach.

Warden Grier did not tell Hiscox or clients of the insurance company about the breach.

At the end of March 2018, an employee of Hiscox was surfing social media and learned “by happenstance” that the Hiscox data was subject to the breach and the data from the law firm had been on the Dark Web. Hiscox confirmed that the breach had occurred and the data leaked. It then conducted its own forensic investigation and notified its customers who had been affected by the breach. Hiscox estimated that its costs exceeded $1.5 million.

On March 27, 2020, the insurance company sued Warden Grier in federal court in Kansas City. Hiscox Insurance Co., et al., v. Warden Grier, Dkt. No. 4:20-cv-00237-NKL (E.D. Missouri). The company alleged that the law firm breached its legal obligations under the retainer agreement with the company, that it breached its ethical obligations to protect client confidences, and that it was negligent in failing to protect the client data. The company also asserted that the law firm failed to notify its customer (the insurance company) as required by Missouri law, and that this caused the insurance company to fail to timely notify its own clients (the insureds) as required by the same statute.

It remains to be seen whether all the allegations in the complaint are true. But if they are, the law firm may be in trouble. Law firms have a duty to protect client confidential data and a duty to communicate with the client if data has been compromised.

The post cites a law review article:

“Law firms are attractive targets for attacks for several reasons. First, law firms, especially large law firms, are repositories for large amounts of highly valuable corporate data, including intellectual property, investment plans, trade secrets, and clients’ business and litigation strategies. According to the FBI, “[l]aw firms have a tremendous concentration of really critical, private information,” which both state and non-state actors may desire to steal in order to gain advantages in the marketplace or in court. Moreover, law firms represent more efficient targets than the clients they serve. Law firms “are usually involved in only their client’s most important business matters, meaning hackers may not need to sift through extraneous data to find the more valuable information.” Law firms are also seen as easy targets. Law firms are perceived as being more vulnerable to cyber incursions than their clients, and indeed generally have “significantly less cybersecurity protection in place than their clients . . . .” The FBI has called some law firms “clueless” when it comes to securing corporate data. Others have labeled law firms “weak links” and “the soft underbelly of corporate cybersecurity.” Due to these perceived deficiencies, some clients themselves have taken on the responsibility of ensuring that their legal counsel’s cybersecurity protocols are up to standard.”

See, CURRENT DEVELOPMENTS 2015-2016: Electronic Ethics: Lawyers’ Ethical Obligations in a Cyber Practice, 29 Geo. J. Legal Ethics 1237, 1238.

I have no doubt that many law firms have failed to report data breaches to clients. Whether there are extenuating circumstances in this case remains to be seen. I hope the law firm has one hell of a good cyberinsurance policy.

Sharon D. Nelson, Esq., is the President of Sensei Enterprises, Inc., a digital forensics, cybersecurity and information technology firm in Fairfax, Virginia. Ms. Nelson is the author of the noted electronic evidence blog, Ride the Lightning and is a co-host of the Legal Talk Network podcast series called “The Digital Edge: Lawyers and Technology” as well as “Digital Detectives.” She is a frequent author (eighteen books published by the ABA and hundreds of articles) and speaker on legal technology, cybersecurity and electronic evidence topics. She was the President of the Virginia State Bar June 2013 – June 2014 and a past President of the Fairfax Law Foundation and the Fairfax Bar Association. She may be reached at snelson@senseient.com
