A new series of cyber-related class action claims against at least 15 law firms could have serious implications for how CPA firms, and many of their clients, manage their computer systems and view data security. The most troubling aspect of the only publicly available complaint is that there was no actual breach of confidential client information, merely the possibility of a breach (Gabe Friedman, “Class-Action Suit Targeting Law Firm Privacy Protections Could Be Unsealed,” Bloomberg Law, May 5, 2016, http://bit.ly/2Fo0ryp). To make matters worse for potential defendants, claims such as these are probably uninsurable, so they could become quite costly to firms and their clients. It is no longer enough to simply avoid a data breach; firms and clients must become proactive and deliberate about network and data security.

Shore v. Johnson & Bell

In the above-mentioned publicly available complaint, two former clients of the law firm Johnson & Bell alleged that confidential client information had been put at risk due to inadequate data security [Shore v. Johnson & Bell, Case No. 16-cv-4363 (N.D. Ill. 2016), http://bit.ly/2osxhGr]. Namely, the complaint calls Johnson & Bell “a data breach waiting to happen” and claims that, amongst other computer-related issues, the “time record system could have been accessed without any username or password (or any other credential).” The complaint further alleges that if a breach of this system were to occur, sensitive information would be easily stolen. Hackers could also obtain sensitive information from Johnson & Bell’s clients by impersonating the firm’s lawyers via email.

The four-count complaint alleges breach of contract (legal malpractice), negligence (legal malpractice), unjust enrichment, and breach of fiduciary duty. While the exact monetary damages are not stated, “the amount exceeds $5,000,000.” In a conversation with the authors, Anthony Valach, counsel at BakerHostetler, said, “Since there was no breach, the class cannot allege out-of-pocket damages and must rely on the benefit-of-the-bargain measure of damages. Essentially, the class representatives allege that a portion of the fees paid to Johnson & Bell was to cover the administrative costs of protecting their data. Plaintiffs argue that the firm did not employ adequate measures to protect the data and are due a refund of those amounts because they did not receive the benefit of their bargain.”

When asked whether this type of claim could expand to other professions such as accounting firms, Valach stated, “Absolutely. It is easy to imagine a situation where professional services firms become the target of lawsuits for failing to employ reasonable measures to secure client data. Unfortunately, I think we are still at a point where many firms don’t think they are a target or don’t have data hackers would want. That’s a dangerous and potentially fatal attitude for a business. People don’t realize that on the Internet, we all live in a bad neighborhood. Ultimately, we may see the same effect as the Dodd-Frank Act. Small firms will be forced to choose between drastically increasing their cybersecurity budget and posture, or face potential lawsuits and exposure from data breaches that can do lasting harm.”

The arbitration clause between the law firm and its former clients has, for the time being, saved the defendants from having to litigate this matter in the public eye. The court recently ruled that Johnson & Bell’s arbitration clause did not permit class-wide arbitration; only an individual action was permissible. As it currently stands, the plaintiffs will need to pursue individual arbitration, though their attorney, Jay Edelson, will likely appeal the decision (Derek Borchardt and Michael F. Buchanan, “Law Firm Sued for Alleged Lax Data Security Obtains Significant Win in District Court,” Patterson Belknap Data Security Law Blog, Mar. 8, 2017, http://bit.ly/2HGjg0L).

If Johnson & Bell wins the potential appeal, it may still need to weather two separate arbitration cases. In the meantime, the firm has filed a defamation suit against Edelson. Even if Johnson & Bell is victorious on all counts and cases, there may be irreparable reputational harm to its brand.

A quick Internet search for Johnson & Bell was telling. The first result was the firm’s website, followed by two headlines that could easily scare off existing or potential clients, resulting in unquantifiable future economic losses:

“Chicago’s Johnson & Bell First U.S. Firm Publicly Named in Data Security Class Action”

“Chicago Law Firm Accused of Lax Data Security in Lawsuit”

With data breaches constantly in the headlines, consumers are increasingly concerned about a company potentially mishandling their information. No matter how one views the merits of the case, no firm wants that type of publicity.