Cyber incidents and cyber practices are testing the boundaries of the law in numerous unique ways. The length of most litigation and the relative newness of cyber technology mean that many of the claims, and the legal principles governing those claims, are still working their way through the court system. The high cost of litigation sends many of those claims to settlement talks without a firm decision to guide future cases.
Expensive claims mean that businesses and insurers need to stay aware of the potential of novel lawsuits seeking to expand what might constitute a litigable claim, something the law firm of Johnson & Bell found out in 2016. Traditionally, lawsuits in the cyber arena occur after a breach. In this case, however, clients of the law firm sued proactively over lax security practices.
Specifically, clients alleged a number of data security failures that potentially exposed confidential information. One such allegation centered on the firm's failure to update its time billing software with security patches, updates that would have been meant to prevent unauthorized access. The firm was running a legacy system built on software that had been discontinued: the publisher no longer supported it, so it was no longer being updated to protect against newly discovered vulnerabilities. An unsupported product is not merely unpatched today; it will never be patched, so every vulnerability found after end of life remains open for as long as the system stays in service. The risk in this case was well documented. The Department of Homeland Security had identified specific vulnerabilities in the software and had cataloged systematic attacks on computers running it.
A second allegation was that the VPN service used by the law firm failed to protect client data. The lawsuit claimed that the VPN service used by Johnson & Bell was susceptible to man-in-the-middle attacks. In such an attack, someone without permitted access positions themselves between a computer and the server it is trying to reach and can eavesdrop on, and potentially alter, the traffic passing between them. That is precisely the exposure a VPN exists to prevent, so a VPN that permits it offers little more protection than no VPN at all. With that man-in-the-middle position, communications and the contents of files could be exposed.
The plaintiffs in the lawsuit argued that, even without a disclosed data breach, Johnson & Bell's negligent security practices gave rise to a cause of action: because Johnson & Bell marketed itself as having cybersecurity expertise, the firm owed its clients special duties of confidentiality. Typically, however, plaintiffs in such a case must show actual damages in order to recover. These plaintiffs argued that they suffered damages by over-paying for Johnson & Bell's services, given the lax security.
The lawsuit poses particular problems for businesses, however, because it is unclear whether such a claim would be covered by either a professional liability or a cyber liability insurance policy. While the lawsuit arises out of the law firm's professional obligations to its clients, it was not the result of malpractice or negligence in the provision of legal services, so a professional liability policy would not cover the claim in most situations. At the same time, most cyber liability policies are specifically written to respond to breaches or intrusions into a company's systems, and would therefore not cover a proactive, prospective lawsuit such as this one.
Ultimately, this specific case was referred to arbitration, and the results of that arbitration have not yet been made public. The case does serve as notice to other businesses that poor cybersecurity practices can lead to types of litigation, and uninsured exposures, that they have not yet considered.