Law Firm Liability for Inadequate Cybersecurity Just Became a Lot More Real

Companies are increasingly threatened with financial and reputational fallout from security breaches and compromised sensitive client and customer information, and a growing number of law firms are profiting from advising their unfortunate clients on how to deal with the fallout from cyber-incidents. While some well-known firms—think Cravath, Swaine & Moore and Weil, Gotshal & Manges—have apparently been successfully hacked, up to this point no firm has faced legal consequences from its own lack of cyber-preparedness.

This may be changing. For the first time, a client—Coinabul LLC—sued its (former) attorneys, claiming that the law firm’s insufficient, out-of-date IT systems and cybersecurity measures failed to adequately protect its sensitive information.

A complaint filed in April, but unsealed only last week, alleged that Chicago-based law firm Johnson & Bell, Ltd. committed malpractice, including breach of contract, negligence and breach of fiduciary duty, by failing to keep its clients’ confidential information secure, that its computer systems suffered from critical vulnerabilities and that, as a result, information entrusted to the firm “by its clients has been exposed and is at great risk of further unauthorized disclosure (if it hasn’t already been disclosed).”

In particular, the complaint alleges that Johnson & Bell’s:

  • Ten-year-old timekeeping software has, since 2013, been included in the National Vulnerability Database maintained by the National Institute of Standards and Technology (NIST) because it contains a vulnerability described as “network exploitable,” with a “low” level of access complexity. In the CVSS v2 terms the NVD uses, that means the flaw can be reached over the network and needs no special conditions to exploit, so it is within reach of an attacker with little effort.
  • Virtual private network (VPN) is vulnerable to man-in-the-middle attacks, in which an attacker positioned on the network path intercepts or alters traffic the firm believes is protected.
  • Email system supports SSLv2, an obsolete and insecure protocol whose mere presence on a server is what the “DROWN” attack exploits, and 512-bit export cipher suites, which the “FREAK” attack exploits to downgrade a connection to breakable encryption.

The complaint did not allege any specific data breach or compromise of client information. Even so, it sought injunctive relief and unspecified damages on behalf of a class of plaintiffs that, according to the complaint, is likely to include thousands of individuals and entities.

The future of this suit is unclear. No matter its outcome, it is significant because, for the first time, law firms must reckon with the real-world possibility that they will face real-world consequences if their cybersecurity measures are found lacking.

Assured’s cybersecurity software, systems and components offer law firms and their clients the tools necessary to identify cybersecurity vulnerabilities hidden within their software applications. AssuredScanDKV® searches binary executable files, libraries and DLLs for known vulnerabilities and provides a prioritized list of those found and the remediation pathway for each identified vulnerability. TripleHelix℠ enables the Assured Enterprises team to conduct a comprehensive cybersecurity risk assessment, which gives the firm a thorough understanding of its risks and, more importantly, a readily actionable roadmap to improve its security posture. Together, they give law firms the means to meet the increasing threat of client litigation: identifying known vulnerabilities and tightening their cybersecurity defenses before a complaint names them.

Anita Finkelstein is in-house corporate counsel and assistant secretary at Assured. She is a graduate of Yale Law School and has more than 30 years of experience in sophisticated corporate transactions.