Brokers Beware: Data Breach Lawsuit Without the Breach
In December 2016, it came to light that the Chicago-based law firm of Johnson & Bell had been sued in a purported class action lawsuit brought in the U.S. District Court for the Northern District of Illinois.
The complaint, Jason Shore and Coinabul, LLC et al. v. Johnson & Bell (Case No. 16-cv-04363), had been filed in April 2016 under seal.
The lawsuit focused on Johnson & Bell’s alleged failure to keep its clients’ private information confidential because Johnson & Bell’s technology systems were allegedly not up to “industry standards.” This left open the possibility that its clients’ private information could be breached.
Although the firm did not suffer a data breach, plaintiffs asserted causes of action for, among other things, breach of contract and negligence. As damages, they sought injunctive relief, a requirement that the firm inform its clients that its computer systems are not secure and undergo a security audit, the forfeiture of fees and profits the firm allegedly diverted from cybersecurity spending, attorney fees and expenses, and pre- and post-judgment interest.
The plaintiffs’ firm that filed this action, Edelson PC, commented that it has filed similar suits against other law firms under seal.
Obviously, law firms are not the only professional services firms susceptible to such lawsuits. Accountants and consultants, for example, could also be targets of plaintiffs’ firms looking to exploit vulnerabilities in a company’s technology systems. These lawsuits raise the question of whether coverage exists for such a lawsuit under either a professional liability or cyber liability policy where negligence is alleged, but no data breach occurred.
A professional liability policy usually provides coverage for claims arising from professional services provided by a firm for a fee. Depending on a policy’s definition of “professional services,” an argument could be made that the claims asserted against Johnson & Bell do not arise out of the professional services provided to the plaintiffs. Rather, they arose out of the means employed by the firm to store private client information, which merely “sets the stage” for the performance of professional services. As such, under some professional liability policies, the allegations made against Johnson & Bell may not be sufficient to trigger coverage.
There may be another defense to coverage. The complaint seeks injunctive relief, as well as the return of fees or profits earned by Johnson & Bell. Frequently, professional liability policies contain an exclusion for claims seeking the return, reduction or withdrawal of fees. These policies may also exclude coverage for injunctive relief. Thus, even if an insured meets its burden of establishing that the lawsuit triggers coverage under the policy, it will likely face additional hurdles to coverage, given the type of relief plaintiffs seek and the exclusions contained in most professional liability policies.
Coverage issues may also exist under a cyber liability policy that provides coverage for third-party liability. Generally, such policies will cover third-party lawsuits alleging negligence and breach of contract. However, these claims must be the result of a security or privacy breach before the coverage is triggered. The allegations against Johnson & Bell asserted that the firm’s lax technology system exposed confidential information. However, there were no allegations that a security or privacy breach actually occurred, or that there was a breach of the plaintiffs’ confidential information.
Additionally, cyber liability policies, like professional liability policies, often exclude the return of fees and injunctive relief. Thus, even if a professional services firm has both professional liability and cyber liability insurance, coverage may not exist under either for a lawsuit similar to that filed against Johnson & Bell.
Broda is a partner with Segwick LLP. Phone: (312) 849-1953. Email: jennifer.broda@segwicklaw.com.