No Data Breach? You Still Might Be Liable
Professional service firms are expected to maintain high standards to keep client information confidential. How you protect your clients’ confidential information can result in significant losses and insurance claims after a breach. But what if there was no breach? Are you still on the hook for how you protect the data?
This question is currently being tested in a class-action lawsuit filed against a law firm related to its alleged failure to protect client data. The data security class-action lawsuit — which was filed in May 2016 and under seal until December 2016 — is the first public case against a US law firm for its alleged failure to protect confidential client information, without an actual data breach.
The complaint alleges that “critical vulnerabilities” in the law firm’s internet-facing platforms constitute an exposure of the confidential data within those systems, despite no allegations that a specific attacker had exploited those vulnerabilities. This differs from typical complaints related to exposure of confidential information in that it does not allege a specific known breach of data security.
The first data security class-action complaint against a Chicago-based law firm for alleged failure to protect confidential data absent a data breach focuses on the firm’s overall technology security measures, including alleged vulnerabilities in its time-entry, virtual private network (VPN), and email systems. The complaint draws on other more publicized breaches that plaintiffs suggest stem from the same types of susceptibilities.
The law firm responded that the complaint lacked standing because there was no actual injury. However, the plaintiffs contend that they have incurred damages in the form of legal fees paid to the law firm for its services, which they would not have agreed to had the law firm disclosed that it does not conform to industry standards for data security. The plaintiffs also assert that the law firm’s alleged inadequate security measures threaten the class's confidential information with the risk of theft, unauthorized disclosure, loss of trade secrets, and financial loss.
The lawsuit seeks several elements of money damages arising from legal malpractice, negligence, and breach of contract, and a host of nonmonetary damages, including:
- Requiring the law firm to inform its clients that its computer systems are not secure and confidential information is potentially vulnerable.
- Compelling the firm to allow an independent third-party firm to conduct a security audit of its systems.
- Requiring the firm to forfeit attorney fees earned during its alleged breach with plaintiffs and the class, as well as any profits diverted from spending on cybersecurity measures.
How Insurance Would Respond
The prospect of being sued for potential harm resulting from alleged system shortcomings rather than actual financial loss is of significant concern for organizations. Many professional service firms and companies are asking how their insurance programs would likely respond to such losses. Coverages that could be potentially affected include:
- Lawyer’s Professional Liability (LPL): Many LPL policies for midsize law firms contain a duty to defend provision, which obligates the insurer to defend all of the counts of a lawsuit even if only one of them triggers the policy. The aforementioned lawsuit alleges breach of contract and negligence — both of which trigger the duty to defend provision of the firm's LPL policy.
However, if the policy was written on an indemnity basis — where the policy only reimburses the insured for the costs incurred in defending covered counts — other counts in the lawsuit such as unjust enrichment and breach of fiduciary duty would likely not be covered. This is due to the "return of fees" exclusion found in most LPL policies. The other counts, however, would still be afforded defense costs coverage, as they all emanate from an alleged breach of the firm's fundamental obligation to its clients and may result in covered elements of loss.
- Cyber Liability: A standard cyber liability insurance policy may be triggered by allegations claiming a company failed to implement industry standard data security measures resulting in vulnerabilities of confidential data. Coverage under a cyber policy could fall into a "failure to prevent unauthorized disclosure" type of trigger, which would activate the insurer’s duty to defend. However, it is unlikely that any of the damages alleged would be indemnified because they stem from the return of fees, breach of contract, and unjust enrichment, which are generally excluded under cyber policies.
- Management Liability: Generally, there is no data breach or "cyber" exclusion in most law firm management liability policies. A "wrongful act" is essentially any act, error, or omission committed by the firm, or any insured person acting in an official capacity. Therefore, the management liability policy is an "all risk" policy subject to the exclusions.
In a similar case alleging data vulnerability despite no data breach, the relevant exclusion would likely be professional liability. Depending on how that exclusion is written — for example, based upon or arising from professional liability — the coverage determination is based on whether the allegation/claim can stand by itself and therefore be allocated to the management liability policy. An allegation that the organization failed to institute proper cyber practices is more akin to a management liability claim for negligence than an LPL claim for malpractice.
Address Potential Coverage Gaps
No matter which policy responds to such a lawsuit, a review of the other insurance clauses in each contract should be performed to determine how, and to what extent, coverage will be allocated.
Regardless of the outcome of the aforementioned case, many observers believe this is the first of many suits to be filed against professional service firms alleging system vulnerabilities and data insecurity. Organizations should carefully review their insurance programs — including LPL, cyber, management liability, and other policy wordings — to identify and seek to eliminate any potential coverage gaps that may exist in the event of such allegations and claims. Work with your insurance advisors to ensure LPL, cyber, and management liability policies coincide and pick up coverage where the others leave off.