With attacks on law firms and their clients on the rise, attorneys say lawsuits over cybersecurity are the next big litigation trend.

Two midsized companies have approached Shipman & Goodwin about the ever-looming problem in the past three weeks, according to Connecticut partner Mark Ostrowski. Both had been attacked. And dozens more have sought consultations in the last year after falling victim to data breaches.

“It’s only a matter of time before we are really litigating those issues,” Ostrowski said.

That’s why Shipman & Goodwin is attempting to get ahead of the issue, creating a data privacy and protection practice group to keep up with the growing demand from local governments, businesses and individuals seeking legal advice, input and solutions. The firm hired two attorneys to work full-time in the practice group, three others who devote about 75% of the time to data breaches and other cybersecurity issues, and two additional lawyers who spend about half their time focused on cyberthreats to municipalities and schools.

“You must get out in front of the issue,” Ostrowski said.

Not doing so could be detrimental—both in terms of client trust and financial exposure.

Consumer credit reporting agency Equifax Inc. learned this the hard way in July, when it reached a $1.4 billion settlement in multidistrict litigation involving 147 million consumers exposed to a massive data breach in 2017. New Jersey-based laboratory testing company Quest Diagnostics also found itself subject to a putative class action by Florida plaintiffs law firm Morgan & Morgan, and at the center of two probes by the attorneys general of Connecticut and Illinois, after a breach that might have exposed nearly 20 million clients to hackers.

Law firms aren’t immune either.

In February, The American Lawyer disclosed a report detailing how a U.S. firm had fallen victim to an alleged Chinese hacking. Earlier, Philadelphia firm O’Neill, Bragg & Staffin had lost a fight to claw back more than $500,000 transferred from its account after one of the firm’s principals was hacked. Meanwhile, the American Bar Association’s ABA Journal has reported, “Law firms have been victims of some of the most damaging hacks in recent history,” listing five major firms from around the world targeted between 2012 and 2017. The Wall Street Journal also illustrated the problem, with a report showing hackers had accessed the files of some of the country’s largest law firms, including Cravath, Swaine & Moore and Weil, Gotshal & Manges.

Having a plan in place could help lessen litigation exposure, advises Pullman & Comley partner Tim Ronan.

Ronan recommends that law firms and their clients purchase cybersecurity insurance, hire experts to create plans to lock down their technology systems in case of attacks, and implement a protocol for suspected or actual breaches.

Another key consideration: Ensure suppliers and vendors have similar safeguards in place, because these companies could shoulder the blame if their negligence allows a security breach.

“It’s pretty complex,” Shipman & Goodwin’s Ostrowski said. ”It’s complex from a technical standpoint with emerging technologies, dealing with a criminal element not just across state borders but also across international borders, and it’s complex because there is a myriad of regulatory reporting requirements.”

|

‘Behind the Curve’

Adding to the complexity: the scope of the crime that has spread across multiple sectors, including retail, finance and health care.

In 2018, for instance, the health care sector saw 15 million patient records compromised in 503 breaches, three times the amount seen in 2017, according to the Protenus Breach Barometer, which represents a quarterly snapshot of disclosed breaches impacting the health care industry. As of July 2019, the numbers had skyrocketed with potentially more than 25 million patient records breached, according to Protenus. 

“Because of the times we live in and the internet and the advances in technology, there is a new concern about privacy that just did not exist before,” said Jamie Sullivan, a partner with Howard, Kohn, Sprague & Fitzgerald in Hartford. “I think we are behind the curve in addressing the issue.”

Sullivan, who recently gave a seminar on the topic of cybersecurity and what law firms themselves need to do to prevent a hack, said some law firms still have not purchased cybersecurity insurance, instituted plans to safeguard their data and client information, or taken other precautions.

Another key step: Devising a plan for immediately notifying clients, as the American Bar Association recommends, in the event of a breach.

“That’s … where the expense could kick in,” Sullivan said. “Some firms might have thousands of clients.”

Related stories: