In a novel lawsuit, an insurance company has sued one of its law firms because the law firm was the victim of a data breach that exposed client information.
Let me start with a disclaimer: All the information in this post is based on allegations in the complaint that was filed on March 27, 2020 in the United States District Court for the Western District of Missouri. The law firm has not responded yet, and the veracity of these allegations is untested.
Relationship between the Insurance Company and Law Firm
According to the Complaint, in 2002, the insurance company engaged the law firm to provide professional legal services to the insurance company and the insurance company's customers.
During the relationship, the law firm obtained highly sensitive, confidential, and proprietary information, including protected health and personally identifiable information belonging to the insurance company or its customers (collectively, “PI”). The insurance company alleges that the law firm was obligated to take adequate measures to protect sensitive PI belonging to its clients.
The Alleged 2016 Breach
In December 2016, an international hacker organization known as “The Dark Overlord” gained unauthorized access to the law firm's computer system containing PI.
The insurance company believes that the law firm contacted outside attorneys and the FBI to investigate the matter, but did not hire a forensic IT firm to investigate the 2016 Data Breach or, if it did, refused to provide the insurance company with the findings of any such investigation.
The insurance company claims that the law firm did not notify clients about the 2016 Data Breach.
Apparently, the law firm paid the hackers a ransom in exchange for the hackers' promise that they would not disseminate clients' personal information.
Accidental Discovery of the 2016 Data Breach
By mere chance, in 2018, an employee at the insurance company learned, through social media, that the insurance company's PI had been leaked on the dark web. After a preliminary investigation, the insurance company learned that the PI made its way to the dark web as a result of the 2016 Data Breach. The insurance company then called the law firm about the data breach.
The insurance company promptly commenced its own investigation to evaluate whether it may have any notification obligations given the sensitive nature of the information that the hackers accessed and the apparent failure to:
protect that information;
properly investigate the 2016 Data Breach; and
notify the insurance company's customers of the 2016 Data Breach.
The Insurance Company Takes Matters Into its Own Hands
The insurance company decided to notify its customers—also clients of the law firm—of the 2016 Data Breach, and to engage in efforts to protect against further exposure or dissemination of PI.
The Complaint states that, as a direct result of the law firm's conduct, the insurance company has suffered significant internal operational losses and costs and has incurred damages in excess of $1,500,000.00, including, but not limited to:
costs and fees incurred to conduct a thorough investigation of the 2016 Data Breach; and
costs and fees incurred to make the necessary notifications and accommodations and to protect affected persons against harm from future PI dissemination.
The Expense of a Data Breach
Pay attention: As a result of the law firm's alleged data breach, the insurance company suffered a loss of over a million dollars to conduct an investigation, send notifications, and make necessary accommodations.
My investigation revealed that the law firm has four attorneys. This means the law firm is a small-to-medium sized business (with only four attorneys, this is a small law firm). Most small law firms would not have $1.5 million sitting in the bank account waiting to pay for the consequences of a cyber incident. Without some type of insurance, $1.5 million for investigation and notifications probably means bankruptcy for a small company.
Another interesting point is that, apparently, the law firm paid a ransom in exchange for the hackers' promise to forgo disclosing the information on the dark web. Law enforcement discourages the payment of ransoms in cyber incidents because there is no guarantee the hackers will live up to the promise, and it encourages hackers to continue with this unlawful but profitable conduct. On the other hand, to continue business operations, a company may decide to risk paying the ransom with the hope that the hackers are honorable. The law firm's decision in this case might become a prime example of a situation where paying a ransom was unwise.
An interesting question is whether the law firm has insurance to cover this type of lawsuit. Not only is the demand $1.5 million in damages, there is also the possibility of significant legal fees to defend the lawsuit (unless the firm tries to defend itself).
Another case to keep an eye on.
This lawsuit is cited as Hiscox Insurance Company Inc. et al v. Warden Grier, LLP, Case Number: 4:20-CV-00237, U.S. District Court, Western District of Missouri (Kansas City).
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP