In this day and age, it seems like you can sue or be sued for almost anything. Now, a company is being sued for cybersecurity negligence. That’s right; you can be sued for not having proper cybersecurity measures in place. Johnson & Bell, a Chicago-based law firm, is involved in a lawsuit for being negligent and engaging in malpractice by allowing information security vulnerabilities to develop that created risks to client information.
The lawsuit, which was filed in April of 2016 by Edelson PC, a leading plaintiffs’ firm in privacy and data security law, is based on three alleged vulnerabilities in Johnson & Bell’s information security infrastructure.
It’s extremely important to note that Johnson & Bell has not suffered a data breach or any other form of cyber attack. Basically, the lawsuit is based on the firm’s lack of cybersecurity measures, which makes it vulnerable to a cyber attack in the future.
In almost every lawsuit, there needs to be some kind of injury, whether that’s physical injury, injury to your character (defamation of character), etc. So, what is the injury in this lawsuit? Plaintiffs are claiming they were injured for two reasons. First, the security vulnerabilities ‘created a diminished value of the services they received from the firm.’ Second, the security vulnerabilities ‘created a risk that their sensitive information may be compromised at some point in the future, which could result in damages from that theft.’
While it seems like this lawsuit wouldn’t hold up in court since there has been no real injury and a cyber attack hasn’t occurred, Edelson is known to be one of the most creative law firms as far as plaintiff privacy and data is concerned. The most notable lawsuits that the Edelson firm has been involved in are Resnick v. AVMED, INC., LinkedIn Privacy Litigation, and Spokeo, Inc. v. Robins where the plaintiffs were awarded over $4 million combined.
"Without any real damages the case has little merit. The issue identified is however very troubling for any law firm. A lawyer has an ethical duty to safeguard the secrets of their clients. Keeping vigilant with cybersecurity is important, as the failure to do so does risk harm to clients and liability to all lawyers. Even when there are no damages, the lawyer not properly protecting his client's interests faces disciplinary action from the Bar and the council from discipline of the jurisdictions in which they practice," said Matthew Dake, Attorney at Law.
While the lawsuit has yet to be heard in court, there are three groups that will be impacted by this case. Law firms and their clients are two groups that will be impacted regardless of the result of the lawsuit. First, firms will need to ensure that their cybersecurity measures are adequate to combat cyber attacks. This will be especially important if the plaintiffs win this case. Second, clients will need to make sure that their lawyers aren’t susceptible to a cyber attack. No one wants their personal information breached, for hackers to do with as they please or for the public to access.
The third and most important group from our standpoint is the service or cybersecurity providers for law firms. Most law firms outsource their information security to ensure they are protected from cyber attacks. Should these law firms suffer a cyber attack or come under scrutiny for not having the proper cybersecurity measures in place, the companies providing the cybersecurity will be held accountable in either scenario.
CryptoStopper by WatchPoint
A ransomware attack against a law firm would halt operations for the firm until the files are recovered. Since lawyers usually bill by the hour, they are not only going to pay the ransom fee; they are also going to lose money from the time spent away from a case. ‘But we have a good backup, couldn’t we just restore our files from that?’ Aside from the fact that restoring from a complete backup could take hours or days, more than 50% of companies hit by a ransomware attack in 2016 lost over half of their data when they attempted to restore from backup.
Why not stop a ransomware attack in its tracks, before it has the opportunity to encrypt all of your files? That’s where CryptoStopper, developed by WatchPoint, comes into play. CryptoStopper uses deception technology in the form of watcher files placed on your important network shares. By continuously monitoring the watcher files for signs that encryption has started, CryptoStopper will identify a ransomware attack and immediately isolate the infected workstation. The workstation will be shut down, and you will receive an email notification informing you that a ransomware attack has been discovered and contained.
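The watcher-file idea described above can be sketched in a few lines. This is an added example, not CryptoStopper's code or WatchPoint's method: it baselines decoy files, then flags any that go missing or whose contents change, using byte entropy to tell encrypted-looking rewrites from ordinary edits. The file names, the 7.0 threshold and the `.locked` extension are assumptions, and the sample share is constructed in a temporary directory; alerting and workstation isolation are left out.

```python
import hashlib, math, os, tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted output sits near 8.0, plain text far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def baseline(paths):
    """Record a SHA-256 digest for every watcher (decoy) file."""
    digests = {}
    for path in paths:
        with open(path, "rb") as f:
            digests[path] = hashlib.sha256(f.read()).hexdigest()
    return digests

def check(base, entropy_threshold=7.0):
    """Return (path, reason) alerts for watcher files that changed."""
    alerts = []
    for path, digest in base.items():
        if not os.path.exists(path):
            # Deleted or renamed, e.g. given a new extension.
            alerts.append((path, "missing"))
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() != digest:
            high = shannon_entropy(data) >= entropy_threshold
            alerts.append((path, "encrypted-looking" if high else "modified"))
    return alerts

def demo():
    """Constructed scenario: three decoys, one overwritten, one renamed."""
    with tempfile.TemporaryDirectory() as share:
        paths = [os.path.join(share, n) for n in ("a.docx", "b.xlsx", "c.txt")]
        for path in paths:
            with open(path, "w") as f:
                f.write("Quarterly billing summary\n" * 200)
        base = baseline(paths)
        quiet = check(base)                      # nothing touched yet
        with open(paths[0], "wb") as f:          # stand-in for encrypted content
            f.write(os.urandom(4096))
        os.rename(paths[1], paths[1] + ".locked")
        return quiet, check(base)

if __name__ == "__main__":
    print(demo())
```

A real deployment would react to file-system change events rather than polling, and any touch of a decoy is worth an alert because no legitimate user has a reason to open one.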