A new series of cyber-related class action claims against at least 15 law firms could have serious implications for how CPA firms, and many of their clients, manage their computer systems and view data security. The most troubling aspect of the only publicly available complaint centers on the fact that there was no actual breach of confidential client information, merely the possibility of a breach (Gabe Friedman, “Class-Action Suit Targeting Law Firm Privacy Protections Could Be Unsealed,” Bloomberg Law, May 5, 2016, http://bit.ly/2Fo0ryp). To make matters worse for potential defendants, claims such as these are probably uninsurable, so they could become quite costly to firms and their clients. It is no longer enough to simply avoid a data breach; firms and clients must become proactive and deliberate about network and data security.
Shore v. Johnson & Bell
In the above-mentioned publicly available complaint, two former clients of the law firm Johnson & Bell alleged that confidential client information had been put at risk due to inadequate data security [Shore v. Johnson & Bell, Case No. 16-cv-4363 (N.D. Ill. 2016), http://bit.ly/2osxhGr]. Namely, the complaint calls Johnson & Bell “a data breach waiting to happen” and claims that, amongst other computer-related issues, the “time record system could have been accessed without any username or password (or any other credential).” The complaint further alleges that if a breach of this system were to occur, sensitive information would be easily stolen. Hackers could also obtain sensitive information from Johnson & Bell’s clients by impersonating the firm’s lawyers via email.
The four-count complaint alleges breach of contract (legal malpractice), negligence (legal malpractice), unjust enrichment, and breach of fiduciary duty. While the exact monetary damages are not stated, “the amount exceeds $5,000,000.” In a conversation with the authors, Anthony Valach, counsel at BakerHostetler, said, “Since there was no breach, the class cannot allege out-of-pocket damages and must rely on the benefit-of-the-bargain measure of damages. Essentially, the class representatives allege that a portion of the fees paid to Johnson & Bell was to cover the administrative costs of protecting their data. Plaintiffs argue that the firm did not employ adequate measures to protect the data and are due a refund of those amounts because they did not receive the benefit of their bargain.”
When asked whether this type of claim could expand to other professions such as accounting firms, Valach stated, “Absolutely. It is easy to imagine a situation where professional services firms become the target of lawsuits for failing to employ reasonable measures to secure client data. Unfortunately, I think we are still at a point where many firms don’t think they are a target or don’t have data hackers would want. That’s a dangerous and potentially fatal attitude for a business. People don’t realize that on the Internet, we all live in a bad neighborhood. Ultimately, we may see the same effect as the Dodd-Frank Act. Small firms will be forced to choose between drastically increasing their cybersecurity budget and posture, or face potential lawsuits and exposure from data breaches that can do lasting harm.”
The arbitration clause between the law firm and its former clients has, for the time being, saved the defendants from having to litigate this matter in the public eye. The court recently ruled that Johnson & Bell’s arbitration clause did not permit class-wide arbitration; only an individual action was permissible. As it currently stands, the plaintiffs will need to pursue individual arbitration, though their attorney, Jay Edelson, will likely appeal the decision (Derek Borchardt and Michael F. Buchanan, “Law Firm Sued for Alleged Lax Data Security Obtains Significant Win in District Court,” Patterson Belknap Data Security Law Blog, Mar. 8, 2017, http://bit.ly/2HGjg0L).
If Johnson & Bell wins the potential appeal, it may still need to weather two separate arbitration cases. In the meantime, the firm has filed a defamation suit against Edelson. Even if Johnson & Bell is victorious on all counts and in all cases, there may be irreparable reputational harm to its brand.
A quick Internet search for Johnson & Bell was telling. The first result was the firm’s website, followed by two headlines that could easily scare off existing or potential clients, resulting in unquantifiable future economic losses:
- “Chicago’s Johnson & Bell First U.S. Firm Publicly Named in Data Security Class Action”
- “Chicago Law Firm Accused of Lax Data Security in Lawsuit”
With data breaches constantly in the headlines, consumers are increasingly concerned about a company potentially mishandling their information. No matter how one views the merits of the case, no firm wants that type of publicity.
What If This Was a CPA Firm?
It is only a matter of time until cases such as the above are brought against CPA firms. Do firms’ insurance policies cover such liability? Even as brokers specializing in this area for CPA firms, the authors have found through their research and experience that the answer is an uncomfortable one: Maybe, but it is unlikely.
Professional liability and cyber-insurance carriers generally cover claims when a client demands money or services for damages due to professional services rendered. In this case, there did not seem to be any damages per se, because a breach had not yet occurred. This leads to the potential for an uncovered claim, where the firm may have to pay entirely out of pocket for defense and damages awarded.
The ability to perform a wholesale security scan of a firm’s network is not only easy, it is free. According to Byron Patrick, managing director of the CPA Practice at Network Alliance: “Every vulnerability in this case is easily discernible from readily available online tools that are free. Port scans, vulnerability scans, penetration testing, etc., can be conducted by a savvy 15-year-old with no formal cybersecurity training. It’s unlikely the plaintiffs knocked the digital door down. All they needed to do was peek through the windows.” He adds: “A disgruntled client could perform a quick Internet search, watch a few videos, and you’re suddenly staring at a multimillion-dollar claim. It’s terrifying for the accounting profession, and everyone should take this very seriously.”
The authors reached out to the plaintiff’s attorney in the case mentioned above, Jay Edelson, to gain insight into his thought process on these types of claims. When asked whether he would eventually pursue other professional services firms, such as CPAs, he replied: “We aren’t specifically ‘targeting’ law firms, financial service firms, or any other companies. Rather, our focus is bringing cases where companies are (a) holding onto sensitive personal information, (b) likely can be the subject of cyber-attacks, and (c) not using reasonable security measures. In some sense, we are going to the same places that hackers are going; our motivation is to get there first to force negligent actors to use better security measures so that a data breach never occurs. We have been very pleased with the success we have had to date and look forward to having an active role in ensuring corporate cyber-responsibility.”
Taken in total, most CPA firms could easily match all three criteria mentioned. If Edelson is ultimately successful in any of his 15 class action claims, this will embolden other attorneys to pursue similar cases against CPA firms. For partner groups that have not yet taken a proactive and sustained approach to network security, the circumstances above should give them plenty to speak about.
Partner Action Items
In the Johnson & Bell case, an arbitration clause in an engagement letter proved valuable to the defendants. Firms should consider working with their professional liability insurers to review such engagement letters and inquire about including, or updating, the arbitration or mediation clauses therein.
These services attempt to identify susceptibilities in open ports, IP addresses, software, and operating systems. Once a system is scanned, a company specializing in this area can further assist with determining how much risk the firm is willing to tolerate in each component part of its computer system.
Third-party penetration testing.
This type of testing is performed by “white-hat” hackers to specifically target weaknesses and determine how vulnerable the firm is. It can be performed both outside and inside the network, to give the firm a more robust picture of its total network security.
As trusted advisors, CPA firms should ensure that clients are also aware of this new type of danger to their business. If the firm offers various IT services, this class action claim should serve as a serious warning. Clients may ultimately need to reallocate resources, update software, and improve security processes, which may require significant time and resources.
There is no time like the present to take a proactive stance towards cybersecurity. Previously, merely avoiding a breach counted as a success, but this is no longer the case.