The Continuing Evolution Of Cybersecurity Risk Management
In April 2015, a client of the Chicago based law firm Johnson & Bell, LTD (“J&B”) filed a class action lawsuit in federal court in Illinois against its attorneys charging that they failed to protect their clients’ confidential information (“Action”). The Action and the claims asserted therein are compelling reminders of the evolving risks facing those entrusted to protect their clients’ confidential data. Plaintiffs allege in the Action that, notwithstanding the fact that J&B had not suffered a cybersecurity breach to date that had caused them any harm or damage, the firm nonetheless should be adjudged liable for failing to maintain “industry standard” cybersecurity protections.
Beyond those industries that are covered by a specific statute or regulation, plaintiffs’ novel claims — if sustained — would arguably expose any party who is responsible for protecting confidential information to potential liability for failure to implement “industry standard” cybersecurity protections. This article presents a summary of the Action, an analysis of the Action’s potentially far-reaching consequences, and guidance on how those who are responsible for protecting their clients’ confidential information may mitigate their risks.
Plaintiffs, Coinabul, LLC (“Coinabul”) and its CEO, filed the Action on behalf of all J&B clients in order “to put an end to [J&B’s] practice of systematically exposing confidential client information and storing client data without adequate security.” Plaintiffs allege in their thirty page Complaint that J&B’s failure to provide “industry standard protections for client confidentiality,” while continuing to charge and collect “market-rate attorneys’ fees,” has caused them injury — in effect, that plaintiffs are not receiving the full “benefit of their bargain.” Based on J&B’s alleged failure to protect confidential client information, plaintiffs assert four causes of action: (1) legal malpractice for breach of contract, (2) legal malpractice for negligence, (3) unjust enrichment, and (4) breach of fiduciary duty.
More specifically, plaintiffs allege that J&B failed to maintain industry standard protections in three distinct ways. First, they allege that because J&B’s billing software is out-of-date and insecure, hackers could and would inevitably gain access to confidential client information. Citing certain publicly available sources (including the National Institute of Standards and Technology (“NIST”)), plaintiffs assert that J&B’s billing software, which is more than ten years old and which has been characterized as deficient by various authorities, is vulnerable to cyberattack. Plaintiffs conclude that, because industry experts agree that cyberattacks against outdated software are widespread, it is inevitable that hackers will exploit J&B’s outdated billing systems to gain access to their confidential client data.
Next, plaintiffs assert that J&B’s implementation of its virtual private network (“VPN”) compromises J&B’s clients’ confidential data. A VPN is a widely used tool that allows off-site employees to access files and other data located on a company’s internal network. In contrast to claims concerning J&B’s billing software, plaintiffs do not allege that the firm’s VPN software is obsolete or otherwise infirm. Instead, plaintiffs assert that J&B’s use of a VPN network is inappropriate because any such use necessarily exposes client information to hackers. In other words, plaintiffs assert that, regardless of the quality of the technology used, by merely permitting its employees remote access to its internal computer network, J&B breached its duty to protect its clients’ information.
Finally, plaintiffs allege that J&B’s email systems inadequately encrypt client communications, leaving the confidential data transmitted by email open to unauthorized conversion. Again, plaintiffs assert that J&B’s use of obsolete technology exposes its clients’ information to the prying eyes of hackers or other unauthorized third parties. Plaintiffs further assert that third parties can easily gain access to email servers that use technology similar to the J&B software — that “in under 8 hours at a cost of $440” a hacker can gain access to a company’s internal networks. Plaintiffs’ Complaint highlights the devastating nature of attacks of this kind by referencing the highly publicized hack of the Panamanian law firm in which more than two terabytes of client information — an estimated 11.5 million files — was stolen and leaked to investigative journalists.
The Action Has Broad Potential Impact Across Diverse Industries
While the focus of the J&B Action is clearly the conduct of a single defendant, a law firm (whose conduct is also subject to ethical, statutory, and common law duties to maintain client confidences), there can be no question that plaintiffs’ claims, if sustained, would have the potential to be applied and extended to a wide variety of industries and service providers who are entrusted to protect their clients’ confidential information.
The Action highlights the continuing evolution of cybersecurity risks and the duty to protect confidential information, as well as the creative efforts of plaintiffs to extend liability to those entrusted with such information. For example, plaintiffs in the Action base their claim of breach of contract on the “Document Retention” undertaking set forth in the engagement agreements J&B enters with its clients. Plaintiffs assert that, by these provisions, J&B impliedly undertakes the duty to keep all client documents and files confidential and secure, and that the firm would be exposed to liability by failing to implement cybersecurity systems that meet industry standards. Again, it would not be difficult to imagine that similar claims could be asserted against accounting firms, insurance companies and, for that matter, any other service provider who undertakes to use and to protect their clients’ confidential information.
The Action is also noteworthy with respect to plaintiffs’ creative (if not unavailing) efforts to assert a claim notwithstanding the fact that they have yet to suffer any damages as a result of any cyberattack. Consistent with fundamental pleading principles, one would expect that a plaintiff’s successful claim in this context would have to be based on allegations that (i) the defendant had a duty to protect its information, (ii) the defendant breached that duty by allowing the conversion of such information, and as a result of that breach, (iii) the plaintiff sustained actual damages.
In contrast, while the Complaint in the Action is replete with allegations concerning the potentially catastrophic consequences of cybersecurity breaches, conspicuously absent are any specific allegations that a breach of J&B’s computer systems occurred or that confidential client information had ever been compromised. In that limited context, plaintiffs allege that the firm’s breach of its alleged duty to provide industry standard cybersecurity protection entitles them to, at the very least, damages representing the difference between the cost of the services the client has paid the law firm to provide (including industry standard cybersecurity protections) and the cost of the services actually provided — i.e., the alleged sub-industry standard cybersecurity now in place.
Even if plaintiffs’ Complaint is ultimately dismissed because the Court determines that they have failed to allege legally cognizable claims, the plaintiffs’ creative theory may well hasten the establishment or widespread recognition of objective cybersecurity “industry standards.”
As the Action highlights, the tools nearly every business uses on a daily basis to communicate and to transact business have now become targets for cyberattack. Indeed, it seems that every day there is a report of yet another high-profile data breach, and each additional breach serves as notice to the business community that cybersecurity threats are real, ever-present and constantly evolving. Businesses should take affirmative action both to secure confidential information and to limit their exposure to the liabilities that may result from what may be an inevitable cyberattack.
Fundamentally, businesses should engage well-qualified cybersecurity experts to assess their business operations and computer systems, and to determine whether their existing cybersecurity protections are appropriate and/or meet any applicable industry standards. While each company may face unique challenges and standards of care may differ depending on the industry, there are several published guideposts for establishing adequate cybersecurity protections. For example, in 2014, NIST published a “Framework for Improving Critical Infrastructure Cybersecurity,” which provides a road map for the establishment and implementation of effective cybersecurity protocols. And a growing number of states have enacted laws that provide broad or industry specific standards that must be implemented. Businesses should closely consider these publications and laws with their IT and cybersecurity consultants, and tailor their cybersecurity systems to meet their particular needs.
Finally, in addition to the assessment and implementation of appropriate cybersecurity safeguards, businesses should consider the procurement of cyber insurance policy tailored to their needs and the particular risks of their operations.
Whether or not the plaintiffs’ claims in the Action ultimately will be sustained, the matter provides another compelling reminder to the business community of the need to assess and to ensure that their cybersecurity houses are in order.
For more information on the subject matter of this article, please contact Kenneth L. Moskowitz @ 973-376-0909; firstname.lastname@example.org.
©Copyright 2017, Brown Moskowitz & Kallen, P.C. All rights reserved. This article is for informational purposes only and is not intended to constitute, and does not constitute, legal advice.
 Shore et al. v. Johnson & Bell, Ltd., Docket No. 16-cv-04363 (N.D. Ill. Apr. 15, 2016). The Action is still pending.
 See e.g. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 42 U.S.C. § 1320d-6; Health Information Technology for Economic and Clinical Health (“HITECH”), 42 U.S.C. § 13410(3); and Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. § 1232g.
 Interestingly, the Complaint excepts from the class of plaintiffs those J&B clients in the insurance and health care industries. Presumably, plaintiffs excluded those parties because they are heavily regulated and their inclusion might complicate the issue of class certification.
 In that regard, among other defenses, a compelling argument can be made that plaintiffs have failed to plead a “concrete and particularized injury that is either actual or imminent” and, therefore, that they have not established standing under Article III of the U.S. Constitution. See e.g. American Farm Bureau Federation v. U.S. E.P.A., 792 F.3d 281, 293 (3d Cir. 2015) (emphasis added).
 The NIST framework can be found at: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf.
 California’s information security statute, California Civil Code § 1798.81.5, requires all businesses that collect personal information on its residents to use “reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” See Message from the Attorney General, https://oag.ca.gov/breachreport2016#notes.
 For example, New York has recently enacted regulations governing the cybersecurity requirements for financial services companies. 23 NYCRR § 500.