BEWARE: You Can be Sued for Cybersecurity Negligence

Jordan Kadlec

In this day and age, it seems like you can sue or be sued for almost anything. Now, a company is being sued for cybersecurity negligence. That’s right; you can be sued for not having proper cybersecurity measures in place. Johnson & Bell, a Chicago-based law firm, is involved in a lawsuit for being negligent and engaging in malpractice by allowing information security vulnerabilities to develop that created risks to client information.


The Lawsuit

The lawsuit, which was filed in April of 2016 by Edelson PC, a leading plaintiffs’ firm in privacy and data security law, is based on three alleged vulnerabilities in Johnson & Bell’s information security infrastructure.

  1. Johnson & Bell uses Webtime Server which is an application that attorneys use to remotely log in and record their time. This application is based on the 2005 version of the Java application, JBoss. JBoss has been identified by the National Institute of Standards and Technology as having an exploitable vulnerability. This vulnerability has been used in the past to conduct ransomware attacks.
  2. The lawsuit alleges that Johnson & Bell is vulnerable to a ‘man-in-the-middle’ cyber attack. A man-in-the-middle attack is one where the attacker inserts themselves between two communicating parties to eavesdrop on the traffic and steal confidential information. Johnson & Bell uses a virtual private network (VPN) to allow employees to remotely access company information in an encrypted, secure manner. While the VPN should allow companies to feel safe providing access to highly sensitive data, a temporary disconnection sometimes occurs while employees are using it. The complaint alleges that when such a disconnection occurs, cybercriminals are able to conduct a ‘man-in-the-middle’ attack on the now-unprotected traffic.
  3. The last alleged vulnerability relates to Johnson & Bell’s email system. Currently, the firm’s email system supports version 2.0 of Secure Sockets Layer (SSL). SSL is a form of technology that creates an encrypted tunnel between a web server and a browser to ensure that information passing through the tunnel is protected from eavesdroppers. Given that version 2.0 was replaced by version 3.0 in 1996 and SSL has since been replaced entirely by TLS, version 2.0 is ancient. The complaint argues that version 2.0 is vulnerable to a DROWN (Decrypting RSA with Obsolete Weakened Encryption) attack, which would allow cybercriminals complete access to Johnson & Bell’s email database. Note: the Panama Papers breach came as a result of a similar attack.

It’s extremely important to note that Johnson & Bell has not suffered a data breach or any other form of cyber attack. Basically, the lawsuit is based on the firm’s lack of cybersecurity measures that make them vulnerable to a cyber attack in the future.

The Injury

In almost every lawsuit, there needs to be some kind of injury, whether that’s physical injury, injury to your character (defamation), or something else. So, what is the injury in this lawsuit? Plaintiffs are claiming they were injured for two reasons. First, the security vulnerabilities ‘created a diminished value of the services they received from the firm.’ Second, the security vulnerabilities ‘created a risk that their sensitive information may be compromised at some point in the future, which could result in damages from that theft.’

While it seems like this lawsuit wouldn’t hold up in court since there has been no real injury and a cyber attack hasn’t occurred, Edelson is known to be one of the most creative law firms as far as plaintiff privacy and data is concerned. The most notable lawsuits that the Edelson firm has been involved in are Resnick v. AVMED, INC., LinkedIn Privacy Litigation, and Spokeo, Inc. v. Robins where the plaintiffs were awarded over $4 million combined.

"Without any real damages the case has little merit. The issue identified is however very troubling for any law firm. A lawyer has an ethical duty to safeguard the secrets of their clients. Keeping vigilant with cybersecurity is important, as the failure to do so does risk harm to clients and liability to all lawyers. Even when there are no damages, the lawyer not properly protecting his client's interests faces disciplinary action from the Bar and the council from discipline of the jurisdictions in which they practice," said Matthew Dake, Attorney at Law.

The Impact

While the lawsuit has yet to be heard in court, three groups will be impacted by this case. The first two, law firms and their clients, will be impacted regardless of the result. Firms will need to ensure that their cybersecurity measures are adequate to combat cyber attacks; this will be especially important if the Plaintiffs win this case. Clients, in turn, will need to make sure that their lawyers aren’t susceptible to a cyber attack. No one wants their personal information to be breached for hackers to do as they please or for the public to have access to.

The third and most important group from our standpoint are the service or cybersecurity providers for law firms. Most law firms outsource their information security to ensure they are protected from cyber attacks. Should these law firms incur a cyber attack or come under scrutiny for not having the proper cybersecurity measures in place, the companies providing the cybersecurity will be held accountable for either scenario.

CryptoStopper by WatchPoint

A ransomware attack against a law firm would cease operations for the firm until the files are recovered. Since lawyers usually bill by the hour, they are not only going to pay the ransom fee; they are going to lose money from the time spent away from a case. ‘But we have a good backup, couldn’t we just restore our files from that?’ Aside from the fact that a complete backup could take hours or days, more than 50% of companies hit by a ransomware attack in 2016 lost over half of their data when they attempted to restore from backup.

Why not stop a ransomware attack in its tracks, before it has the opportunity to encrypt all of your files? That’s where CryptoStopper, developed by WatchPoint, comes into play. CryptoStopper uses deception technology in the form of watcher files placed on your important network shares. By continuously monitoring the watcher files for signs that encryption has started, CryptoStopper identifies a ransomware attack and immediately isolates the infected workstation. The workstation is shut down, and you receive an email notification informing you that a ransomware attack has been discovered and contained.
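The watcher-file idea described above is worth seeing in code. The following is an added example written for this article, not CryptoStopper’s or WatchPoint’s own code: it plants decoy files on a share, records a hash baseline, and on each check reports any watcher file that has gone missing (deleted or renamed) or whose contents have changed, then hands the alerts to a hypothetical `respond()` hook standing in for the isolation and notification step. The file names, the `workstation-01` host name and the `.locked` rename in the demo are all constructed for the example.

```python
"""Watcher (canary) file monitoring for ransomware detection - added example."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy names. Leading punctuation makes them sort first in a
# directory listing, so a process sweeping the share tends to reach them early.
WATCHER_NAMES = ("!_00_client_ledger.xlsx", "!_01_retainer_agreement.docx")
WATCHER_CONTENT = b"WATCHER FILE - do not edit. Modification triggers an alert.\n"


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file's contents."""
    with path.open("rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def deploy_watcher_files(share: Path, names=WATCHER_NAMES) -> dict:
    """Place watcher files on a share and return the baseline {name: hash}."""
    baseline = {}
    for name in names:
        target = share / name
        target.write_bytes(WATCHER_CONTENT)
        baseline[name] = sha256_of(target)
    return baseline


def check_watcher_files(share: Path, baseline: dict) -> list:
    """Return one alert string per watcher file that is missing or altered.

    Legitimate users never touch these files, so any change is a signal:
    a rename (e.g. an appended extension) shows up as 'missing', an in-place
    encryption shows up as 'contents changed'.
    """
    alerts = []
    for name, expected in baseline.items():
        target = share / name
        if not target.exists():
            alerts.append(f"{name}: missing (deleted or renamed)")
        elif sha256_of(target) != expected:
            alerts.append(f"{name}: contents changed")
    return alerts


def respond(hostname: str, alerts: list) -> dict:
    """Hypothetical response hook: the record an agent would act on
    (isolate the host, send the notification). Isolation is only
    requested when at least one watcher file tripped."""
    return {"host": hostname, "isolate": bool(alerts), "alerts": alerts}


def demo(rename: bool = True) -> dict:
    """Run one detection cycle against a temporary share.

    rename=True mimics a file that was encrypted and renamed with a new
    extension; rename=False mimics an in-place overwrite. Both are
    constructed stand-ins, no real encryption happens here.
    """
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        baseline = deploy_watcher_files(share)
        assert check_watcher_files(share, baseline) == []  # clean state, no alerts
        victim = share / WATCHER_NAMES[0]
        victim.write_bytes(os.urandom(len(WATCHER_CONTENT)))  # contents replaced
        if rename:
            victim.rename(victim.with_suffix(victim.suffix + ".locked"))
        alerts = check_watcher_files(share, baseline)
        return respond("workstation-01", alerts)


if __name__ == "__main__":
    print(demo())
    print(demo(rename=False))
```

In a real deployment the check would run on a timer or from a file-system change notification against the live share, and `respond()` would call into whatever endpoint tooling can quarantine the host. The hash baseline is deliberately stored outside the share (here, in memory) so that an attacker who can modify the share cannot also rewrite the expected values.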
