In December 2016, it came to light that the Chicago-based law firm of Johnson & Bell had been sued in a purported class action lawsuit brought in the United States District Court for the Northern District of Illinois.1 Although the complaint, entitled Jason Shore and Coinabul, LLC et al. v. Johnson & Bell (Case No. 16-cv-04363), had been filed in April 2016, it was filed under seal. That seal was not lifted until approximately eight months after the lawsuit was filed. The basis of the lawsuit focused on Johnson & Bell's alleged failure to keep its clients' private information confidential. Surely that means Johnson & Bell suffered a data breach that resulted in clients' private information being breached, right? Actually, it did not. Rather, the basis of the lawsuit was that Johnson & Bell's technology systems were allegedly not up to "industry standards," which left open the possibility that its clients' private information could be breached as a result of a hack.
Specifically, plaintiffs alleged that they entered into a retainer agreement with Johnson & Bell in which the firm set out its document retention policy. That policy, as quoted in plaintiffs' complaint, provided:
Implicit in this document retention policy, according to the complaint, was that Johnson & Bell would keep all documents and files confidential "using reasonable methods." However, Johnson & Bell allegedly breached the retainer agreement because it programmed and implemented certain technology systems with inadequate safeguards. Plaintiffs were allegedly injured because the firm exposed confidential client information, plaintiffs received a diminished value of services from Johnson & Bell, and the firm's clients were threatened with irreparable loss of integrity of their confidential client information and the theft of that information. With respect to the plaintiffs' allegation that they received a diminished value of services, plaintiffs asserted specifically that part of the fees they paid to Johnson & Bell were to be used to keep their private information confidential, but were not.
The complaint contained four causes of action: (1) Breach of Contract (Legal Malpractice); (2) Negligence (Legal Malpractice); (3) Unjust Enrichment (in the alternative of the first and second causes of action); and (4) Breach of Fiduciary Duty (in the alternative of the first through third causes of action). In addition to class certification, the plaintiffs sought injunctive relief, the requirement that the firm inform its clients that its computer systems are not secure and undergo a security audit, the forfeit of fees and profits the firm allegedly diverted from having been spent on cybersecurity, attorneys' fees and expenses in bringing the action, pre- and post-judgment interest and any further relief the court deemed just.
The complaint was unsealed on December 8, 2016. At that time, it was also revealed that the plaintiffs had voluntarily dismissed their action without prejudice. The dismissal was the result of Johnson & Bell's motion to enforce the dispute resolution provision contained in the retainer agreement, which provided for arbitration in the case of a dispute between the plaintiffs and the law firm. Agreeing with Johnson & Bell, the court granted the firm's motion, finding that the plaintiffs must arbitrate their claims. The plaintiffs then attempted to pursue a class arbitration, which Johnson & Bell opposed. As such, the court's more recent order addressed whether the plaintiffs could proceed with the arbitration on a class basis. On February 22, 2017, the court once again found in favor of Johnson & Bell, finding that the dispute resolution provision in the retainer agreement provided for a single plaintiff arbitration only, noting that there was nothing within the agreement that expressly or even impliedly could be interpreted as Johnson & Bell consenting to class arbitration. Thus, it appears that this case will be decided by an arbitrator on a non-class wide basis.
Obviously, this type of action is troubling and raises several questions, including whether plaintiffs have standing to sue given the fact that there was no breach of any client's private information, and plaintiffs sustained no substantive injury. That said, the plaintiffs' firm that filed this action, Edelson PC, has made comments indicating that it has filed similar suits against other law firms under seal. Obviously, law firms are not the only professional services firms susceptible to such lawsuits. Other firms, such as accountants or consultants, could also be targets of plaintiffs' firms looking to exploit vulnerabilities in a company's technology systems. Such lawsuits raise the question of what coverage, if any, is provided to a firm once a malpractice lawsuit is filed against it, despite the lack of any data breach.
A professional liability policy usually provides coverage, subject to the terms, conditions and exclusions of the policy, for claims arising from professional services provided by the firm for a fee. Depending on the definition of "Professional Services" in the policy at issue, an argument could be made that the claims asserted against Johnson & Bell do not arise out of the professional services provided to the plaintiffs. Rather, they arise out of the means employed by the firm to store private client information, which merely "sets the stage" for the performance of professional services. (See e.g., Terramatrix , Inc. v. United States Fire Ins. Co., 939 P.2d 483 (Col. Ct. App. 1997) (applying New York law, holding office activities that set the stage for the performance of professional services are not within the coverage of a professional services liability policy). As such, under some professional liability policies, the allegations made against Johnson & Bell may not be sufficient to trigger coverage. However, this of course, depends on the particular wording in a given policy.
Even if the insuring agreement in a given professional liability policy is sufficiently broad to include coverage for the allegations asserted against Johnson & Bell, there may be a separate coverage defense to such a lawsuit. Specifically, the complaint seeks injunctive relief, as well as the return of fees or profits earned by Johnson & Bell. Frequently, professional liability policies contain an exclusion for claims seeking the return, reduction or withdrawal of fees. These policies may also exclude coverage for injunctive relief, if not in the exclusion section of the policy, then possibly in the policy's definition of "Damages" or "Loss." Thus, even if the insured firm is capable of meeting its burden establishing that the lawsuit triggers coverage under the policy, it will likely face additional hurdles to coverage, given the type of relief plaintiffs seek and the exclusions contained in most professional liability policies.
Coverage issues may also exist for a lawsuit similar to the one brought against Johnson & Bell even where a firm may have a separate cyber liability policy that provides coverage for third-party liability. Generally, such policies will cover third-party lawsuits alleging negligence and breach of contract. However, these claims must be the result of a security or privacy breach before the coverage is triggered. In the allegations made against Johnson & Bell, it was alleged that because of the firm's lax technology system, the plaintiffs' confidential information was exposed, and that they were threatened with irreparable loss of integrity of their confidential information. However, there were no allegations that a security or privacy breach actually occurred or that there was a breach of the plaintiffs' confidential information. Additionally, cyber liability policies, similar to professional liability policies, often times contain exclusions for the return of fees and injunctive relief. Thus, even if a professional services firm has both professional liability and cyber liability insurance, such may prove insufficient for purposes of responding to a lawsuit similar to the one brought against Johnson & Bell.
1 Interestingly, according to a status report Johnson & Bell filed with the court, the named plaintiffs in this case, Jason Shore (Shore) and Coinabul, LLC (Coinabul), were previously sued by a client represented by Edelson PC, the same plaintiffs' firm that filed this complaint against Johnson & Bell. That case was entitled Hussein v. Coinabul , LC et al., and was also filed in the Northern District of Illinois. Johnson & Bell was retained by Shore and Coinabul to defend the Hussein case. However, after Shore and Coinabul failed to pay Johnson & Bell's invoices, it terminated the relationship. Edelson PC then obtained a default judgment against Shore and Coinabul in an amount in excess of $1 million. Shortly thereafter, it filed this lawsuit on behalf of Shore and Coinabul against Johnson & Bell.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.