Can you be Liable Even without a Cyber Breach?

Novel Cyber-Related Lawsuits

A wave of class action litigation claims involving at least 15 law firms could change how law firms, accounting firms, and all other consulting organizations approach their Data Security responsibilities. Most concerning is that these cyber-related lawsuits show no actual breach of confidential client information. Rather, the allegations focus on the fact that the firms are not doing enough to address security holes that leave client data vulnerable. Perhaps even worse is that these types of claims are likely not covered by insurance, thus creating potentially catastrophic monetary exposure.

The complaint by two former clients of the law firm Johnson & Bell alleged that the firm had inadequate cybersecurity procedures that could potentially compromise client data, calling these procedures “a data breach waiting to happen” [Shore v. Johnson & Bell, Case No. 16-cv-4363 (N.D. Ill. 2016), http://bit.ly/2osxhGr].

The multimillion-dollar lawsuit alleges breach of contract (legal malpractice), negligence (legal malpractice), unjust enrichment, and breach of fiduciary duty, arguing that the firm did not employ adequate measures to protect the data and that the plaintiffs are therefore owed a partial refund of fees paid.

If the suit is successful, we should anticipate a surge of professional services firms being sued for failing to employ reasonable measures to secure client data. Small firms will face significant increases in cybersecurity spending requirements or face the prospect of devastating and costly preemptive lawsuits.

 

So what can you do?

  1. Consider arbitration clauses in your engagement letters with strongly written confidentiality terms.
  2. Perform a detailed security assessment to identify current readiness and a clear roadmap detailing how to improve your cybersecurity.
  3. Run regularly scheduled vulnerability scans and penetration testing exercises to identify known vulnerabilities and weaknesses in your Network Security.
  4. Assess the security capabilities of your third-party vendors’ ecosystem.
  5. Act on the results identified from these tests.
  6. Be transparent with your clients and communicate openly and collaboratively about the modern-day cybersecurity challenges all organizations face.
