Recent Class Action Lawsuits
Two recent class action lawsuits should cause law firms of any size to deeply consider the effectiveness of their cybersecurity programs. In the class action lawsuit against Orrick Herrington & Sutcliffe LLP, the law firm agreed to pay $8 million to settle claims stemming from a March 2023 data breach. In the other case, law firm Bryan Cave Leighton Paisner LLP was unable to convince a judge to dismiss negligence claims related to a February 2023 data breach at the firm.
The Data at Risk
Both cases revolve around personal data that the law firms were holding on behalf of their clients, who were ultimately the businesses responsible for collecting the data in the first place. In the Orrick case, the firm was holding data for over 600,000 people on behalf of clients Delta Dental of California and EyeMed Vision Care. Meanwhile, Bryan Cave was holding data for over 51,000 employees of snack food manufacturer Mondelez Global. In neither case were the law firms soliciting personal information from consumers, yet both ended up storing massive amounts of sensitive personally identifiable information (PII).
Understanding Risk Awareness
This is notable because many decision-makers in law firms may not understand the risks their firms are taking on when deciding how much budget to allocate to information and technology security. Without proper risk awareness and a thorough understanding of the controls they currently have in place, law firms are in danger of running a control environment that is misaligned with their actual risks.
Legal Implications and Court Rulings
In the June 3, 2024 ruling by United States District Judge Jorge L. Alonso, the judge refused to dismiss negligence claims against Bryan Cave, noting that “the Court is in no position to conclude that, as a matter of law, defendants had no duty to safeguard plaintiffs’ personal information.” In this case, the plaintiffs were current and former employees of Mondelez who had personal information such as Social Security Number, name, address, and other PII stolen in a large breach of Bryan Cave’s computer network.
Conversely, in the Orrick case, the law firm settled with plaintiffs for $8 million while denying any liability or wrongdoing. Yet, the firm proclaimed that “it regretted the ‘inconvenience and distraction that this malicious incident caused.’” Remember that this $8 million settlement is on top of any costs the law firm had to pay to recover from the attack itself, which undoubtedly was also in the millions of dollars.
Financial and Operational Impact
So, whether law firms settle or continue the legal battle against class action lawsuits resulting from data breaches, the costs are going to be significant. It can already be assumed that even if a ransom is avoided, there still will be recovery costs, increased insurance premiums, additional investment in security controls, and the almost-certain class action lawsuit to deal with.
Proactive Measures for Law Firms
Law firms can also be proactive: assess risk within the organization more vigorously, then rationally apply more stringent technical controls and stronger internal policies. In its simplest form, a law firm's risk management process should include an annual risk assessment that not only uses a proven control framework like the NIST Cybersecurity Framework, but also looks at the data the firm is housing on behalf of its clients.
The data that is being held needs to be risk-rated so that appropriate controls can be implemented. The data will drive the impact. Is it PII? Or Personal Health Information? Sensitive merger & acquisition data? Undoubtedly, the law firm is holding sensitive client data; the firm needs to protect that data appropriately.
Conclusion
Many of my previous blogs touch on the reasons for the increased need for cybersecurity investment by law firms, including Raising the Bar on Cybersecurity and Legal Association Urges Increased Cybersecurity Practices. If a firm has any doubts about the effectiveness of its cybersecurity controls, it should consult an experienced and well-qualified expert.
These two high-profile court cases show that the game is changing, and data breaches will bring lawsuits. It is up to law firm leadership to assess the risks appropriately, assign budgets accordingly, and reduce the risk of the impending data breach.
Author
Earl Duby is a proven cyber security leader with over 25 years of experience leading security teams in multiple industries, ranging from large financial services companies to Fortune 150 manufacturers. Recently, Earl spent 6½ years as the Chief Information Security Officer (CISO) for Lear Corporation in Southfield, Michigan. Before that, he was Vice President of Security Architecture for Synchrony Financial as it spun off from General Electric. Earl has held several other security leadership roles and has earned Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Fraud Examiner (CFE), Certificate of Cloud Security Knowledge (CCSK), SABSA Certified Foundation and Certified Information Systems Auditor (CISA) certifications.