[BreachExchange] Chicago's Johnson & Bell First US Firm Publicly Named in Data Security Class Action

[Audrey McNeil]

http://www.thelegalintelligencer.com/id=1202774421242/Chicagos-
Johnson--Bell-First-US-Firm-Publicly-Named-in-Data-
Security-Class-Action?mcode=0&curindex=0&curpage=ALL

In the first public data security class action complaint against a U.S. law
firm, Chicago-based Johnson & Bell was named in a lawsuit that says the
firm failed to protect confidential client information.

The suit against the 100-plus lawyer trial firm was filed in Chicago's
federal court in April but made public on Friday following courtroom
fighting over whether or not the firm had patched security holes a former
client claimed existed in the firm's time entry system, email system and
virtual private network.

Brought by well-known class-action lawyer Jay Edelson, the case has been
moved to arbitration, where Edelson says his firm is seeking class
confirmation and will seek damages for allegations that the lax security
put client information at risk. Edelson said it is the first class action
against a law firm alleging inadequate data security measures.

The complaint makes no claim that data was stolen or used against clients.
And the security holes identified in the complaint have been fixed, Edelson
said, which is why his firm argued to unseal the case.

In a statement, Johnson & Bell called the lawsuit "specious" and said it
would defend itself against the claims and would pursue action against the
plaintiff when the case concludes.

Law firms and their troves of confidential information are well-known
targets for hackers, and breaches have slowly trickled into the public view
this year. Cravath, Swaine & Moore and Weil, Gotshal & Manges were said to
be targets of successful hacking attempts in a March Wall Street Journal
article. Earlier this week, Fortune reported those attacks were directed by
hackers with ties to the Chinese government.

But the lawsuit unsealed Friday is a new reputation risk for an industry
where confidentiality is a bedrock of client service. Johnson & Bell is
unlikely to be the last firm named publicly. Even so, it's unclear what
damages could be awarded in cases where no data breach exists and when the
alleged security deficiencies have been fixed.

Edelson earlier said he would bring a wave of class-action claims against
law firms his firm identified as lacking basic security measures. In a
March 30 article, Edelson told Bloomberg Big Law Business that he
identified 15 such firms. The suit against Johnson & Bell was filed two
weeks later.

"This is the first that has become public," Edelson said Friday when asked
if he had filed other lawsuits. "We're not talking about (cases) that are
not in the public record."

Johnson & Bell president William Johnson said his firm's data systems are
secure and its clients' information is protected.

"We will fully defend our firm against this baseless lawsuit and will seek
appropriate action against plaintiffs after the lawsuit is concluded,"
Johnson said in a statement.

The lawsuit has an incestuous backstory.

The data security lawsuit was brought on behalf of Coinabul LLC, a firm
that once promised to trade gold for the digital currency bitcoin. Earlier,
Coinabul had been sued in July 2014 by a plaintiff represented by Edelson
PC, alleging the company defrauded its customers out of millions of
dollars' worth of bitcoin. Coinabul hired Johnson & Bell as defense counsel.

After Johnson & Bell withdrew from the case, Coinabul and co-defendant
Jason Shore were hit with a $1.5 million judgment last year. In July, Shore
was dismissed from that case with prejudice.

Shore and Coinabul are now represented by Edelson in the arbitration claim
against Johnson & Bell, Edelson said.

The complaint says Johnson & Bell used a time-entry system that was 10
years old, known to be prone to hacking and had not been updated with
security patches. The suit said the firm's virtual private network, or VPN,
was prone to what is known as a "man-in-the-middle attack," which the
complaint says is often used by hackers, spy agencies and foreign
governments to "eavesdrop on private communications and steal confidential
client information."

The complaint also says the firm's email system was susceptible to the same
type of hack believed to be used against Panama's Mossack Fonseca, known as
a "DROWN" attack.

The lawsuit seeks damages for the potential that the systems were exploited.

Clients "have suffered a diminished value of the services they received
from Johnson & Bell; and they are threatened with irreparable loss of the
integrity of their confidential client information and further injury and
damages from the theft of that information."

In a May filing, Johnson & Bell argued Edelson's complaint should be
dismissed for a lack of standing.

"Plaintiffs are unable to demonstrate a 'concrete and particularized
injury' because none exists," the filing says. "There is no allegation of
breach or that client confidences were ever disclosed and any claimed
deficiencies no longer exist."

Edelson's firm moved to dismiss the data security case in federal court in
May, and at the same time said they would continue to pursue an unsealing
of the case. Edelson said the dismissal was based on an arbitration clause
in Coinabul's retainer agreement with Johnson & Bell.

"We are going to vigorously defend this to the very end," said Joseph
Marconi, a Johnson & Bell partner.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161212/c7574b74/attachment.html>