Ransomware Hit Case Management Provider TrialWorks. What Happens Next?
"They are screwed. At the end of the day, they are dependent on TrialWorks," said one cybersecurity expert. But lawyers say there were ways to prevent that dependence, and there still may be a few ways to remedy the attack's damages.
November 06, 2019 at 12:00 PM
4 minute read
Add case management platform TrialWorks to the laundry list of companies and public sector agencies that were struck and paralyzed by a cyberattack this year. And unless lawyers backed up their client files to a separate storage network, they could be frozen out of their data by TrialWorks' problems. Still, experts say there are ways to mitigate the damage.
In emails shown to Legaltech News, on Oct. 13 TrialWorks told clients it was experiencing a "hosting outage at our data center." On Oct. 14 the company disclosed it was affected by a ransomware incident. After numerous status updates, on Oct. 31 TrialWorks issued a statement further explaining while hackers were able to "significantly" diminish access to data, the data "appears to be safe and protected." Requests for comment from TrialWorks were not returned.
The incident left some lawyers and law firms without access to their data and unable to meet court deadlines.
Late last month, BleepingComputer.com reported that 14-lawyer California firm JML Law filed an extension deadline motion to the U.S. Supreme Court because of TrialWorks' server outage.
The Miami Herald also reported a similar extension motion filed by nine-lawyer Florida firm Whittel & Melton. The firm wrote in its motion to the court, "As of Oct. 24, 2019, plaintiff's counsel remains unable to access all the necessary documents required to respond," according to the article.
However, other law firms leveraging TrialWorks could face similar uncertainty about the availability of their client data, and unless they backed up their files, they will have to wait for TrialWorks to provide access to their data.
"They are screwed," said John Simek, vice president of IT service provider, digital forensics and cybersecurity firm Sensei Enterprises Inc. "At the end of the day, they are dependent on TrialWorks."
To mitigate that dependency, Simek advised lawyers to keep copies of their client files stored on local or external hard drives or on a network cloud storage.
Indeed, while Rothermel Law Firm managing member and TrialWorks user Charles Rothermel called the incident "very frustrating" he routinely updated his client files to the cloud and made PDF copies of TrialWorks' summaries. In turn, he said he wasn't severely impacted by the lockout, but he knew numerous lawyers that were.
Morgan & Morgan's class action department leader John Yanchunis noted that lawyers should request ongoing status updates from TrialWorks and contact courts with approaching deadlines beforehand about missing data.
"If you imagine a law firm where everything is electronic based, calendaring [and] getting to files could have tremendous consequences," he said.
The next step after being locked out of client data could include bringing a legal action, where lawyers could bring breach of contract and negligence claims. Yanchunis noted that "if we have a system involving ransomware, TrialWorks' information security system was not using best practice to prevent [it]."
Yanchunis suggested bringing any lawsuit as a contingent-based class action because "any type of data breach litigation comes at a tremendous cost."
However, TrialWorks' term of service agreement includes a binding arbitration clause. Additionally, the vendor limits its liability for any breach to no more than the fees paid to use TrialWorks that month.
Simek noted that such terms are common in most legal tech and general technology agreements.
Still, Bryan Cave Leighton Paisner's data response team leader Jena Valdetero noted most vendors will attempt to go beyond the requirements of their service agreement when an incident occurs.
"There is the legal response which is, 'Our contract says you can sue us for X amount of dollars,' and then there's what you do from a bigger picture perspective because you don't want to lose your clients," she said.
Valdetero noted being forthcoming with the status of the investigation and strategizing with clients to address the ransomware-induced challenges could also bolster client confidence. "It can strengthen relationships where clients say, 'It's not great I was hit with ransomware, but at the end of the day we felt informed,'" she said.
Indeed, Rothermel said TrialWorks recently announced it wouldn't charge users in December, but the company may need to do more to win over disgruntled customers.
"Ultimately what litigators want in a practice management service is something that is secure, reliable and useful. So the financial incentive may be a start but what needs to happen is a demonstration that security issues are fixed and we need confidence that this won't happen again, that's the most important thing."
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250