Recent Suit Highlights the Importance of Data Security for Law Firms

In what undoubtedly portends things to come, recently unsealed court files reveal that the first data security class action complaint against a domestic law firm was formally filed. Chicago-based Johnson & Bell, a firm of more than 100 attorneys that recently celebrated its 40th anniversary, was recently named in a lawsuit that alleged it failed to appropriately protect confidential client information. That lawsuit was filed by Johnson & Bell’s former clients, bitcoin-to-gold exchange Coinabul LLC, and its Chief Operating Officer, Jason Shore.

Coinabul and Mr. Shore set forth a four-count Complaint alleging breach of contract, negligence, unjust enrichment, and breach of fiduciary duty. Underpinning all of these claims were the following core allegations: the defendant law firm’s time-tracking system (“Webtime”) was built on a “JBoss Application Server” which was out-of-date and suffered from a critical vulnerability, leaving it susceptible to hacking; its virtual private network (“VPN”) supported insecure renegotiation, leaving it vulnerable to man-in-the-middle attacks; and, finally, the firm’s email system had broken security that left it susceptible to attack. In short, plaintiffs allege the firm failed to implement industry-standard data security measures with respect to its Webtime, VPN, and email services, resulting in certain vulnerabilities that could expose confidential client information.

The hypothetical exposure of confidential client information makes this lawsuit all the more interesting – plaintiffs did not actually allege that Johnson & Bell’s Webtime, VPN, or email services were ever compromised, or that confidential information was ever leaked. These points were all raised in Johnson & Bell’s subsequently filed motion to dismiss. That motion was ultimately never ruled upon, as the parties are now engaged in a confidential arbitration.

While the outcome of this suit might never become public, the takeaway lesson is apparent – attorneys and law firms must remain diligent, and continue to take reasonable efforts to maintain client confidentiality and properly secure data.

Investigation Underway After Sharp Grossmont Hospital Shared Private Patient Videos With Third Party

On May 12, 2016, Sharp HealthCare issued a statement regarding its inadvertent dissemination of videos depicting fourteen female patients undergoing obstetric surgeries. Sharp provided the videos to a local attorney defending a physician who is accused of stealing sedative medication from Sharp Grossmont Hospital in San Diego, California.

The privacy breach may constitute a violation of California’s Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act (HIPAA), both of which prohibit the disclosure or use of medical information without patient authorization. The hospital argues that a clause in its Admission Agreement authorized the surveillance:

You consent to all hospital services rendered under the general and special instructions of your physician(s), and to the taking of photographs and videos of you for medical treatment, scientific, education, quality improvement, safety, identification or research purposes, at the discretion of the hospital and your caregivers and as permitted by law.

However, the patients are sure to assert that even if the surveillance was authorized, the provision cannot reasonably be interpreted as authorization for disclosing the so-called surveillance to a third party.

Sharp has notified the California Department of Public Health and the Department of Health and Human Services Office for Civil Rights, who will investigate the breach. If the California Department of Public Health determines that the breach constituted a violation of CMIA, the hospital could be fined up to $250,000. (Civ. Code, § 53.36.) HIPAA imposes similar – but more costly – fines for violations.

We will continue to monitor this story as it develops.

Corona Class Action Against Sony Pictures Survives Motion to Dismiss

After the highly publicized cyber-attack on Sony Pictures Entertainment, Inc., which has been attributed to the so-called Guardians of Peace, Michael Corona and eight other former Sony employees whose personal information was stolen filed a class action asserting claims for: (1) Negligence; (2) Breach of Implied Contract; (3) Violation of the California Customer Records Act; (4) Violation of the California Confidentiality of Medical Information Act; (5) Violation of the Unfair Competition Law; (6) Declaratory Judgment; (7) Violation of Virginia Code § 18.2-186.6; and (8) Violation of Colorado Revised Statutes § 6-1-716.

Sony filed a motion to dismiss arguing that the Central District of California lacked subject matter jurisdiction over the action. Specifically, Sony argued that the plaintiffs lacked Article III standing, because they failed to allege a current injury or threatened injury that was certainly impending. Sony further argued that, even if plaintiffs had standing, the suit must be dismissed for failure to state a claim.

On June 15, 2015, the court ruled on the motion to dismiss. The court disagreed that plaintiffs’ allegations were insufficient to establish standing. Relying on Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), Clapper v. Amnesty International USA, Inc., 133 S.Ct. 1138 (2013), and In re Adobe Systems, Inc. Privacy Litigation, 2014 WL 4379916, the court determined that the plaintiffs need only allege a credible threat of real and immediate harm, or certainly impending injury—not a current injury—which they had done by alleging their information was stolen, posted on file-sharing websites for identity thieves to download, and was used to send emails threatening physical harm to employees and their families.

The court’s ruling is consistent with other recent rulings in California, which suggests this is a trend in the prosecution of data breach claims rather than just an outlier. (To read more on this subject, please see our article published in DRI’s For the Defense in February 2015, available here.)

The court then turned to the merits of plaintiffs’ claims. It dismissed four of plaintiffs’ claims and a portion of plaintiffs’ negligence claim. The court dismissed plaintiffs’ negligence claim to the extent it was based on an increased risk of future harm, as there was no cognizable injury. The court also dismissed plaintiffs’ breach of implied contract claim, finding that, while there was an implied employment contract, there was no indication Sony intended to frustrate the agreement by consciously and deliberately failing to maintain an adequate security system. The court dismissed the California Customer Records Act claim because the plaintiffs were not damaged as Sony customers. Further, the court dismissed plaintiffs’ claims for violation of the Virginia Code and the Colorado Consumer Protection Act, because plaintiffs failed to allege injury resulting from the alleged untimely notification.

Plaintiffs’ negligence claim survived to the extent it was based on actual damages, such as costs associated with credit monitoring, password protection, freezing/unfreezing of credit, obtaining credit reports, and penalties resulting from frozen credit; although these costs were prophylactic in nature, the court found them reasonable and necessary. The court denied the motion to dismiss with respect to plaintiffs’ claim for violation of California Business and Professions Code Section 17200 on the same basis.

Finally, the motion was denied with respect to the California Confidentiality of Medical Information Act claim, because negligent maintenance of records, which allows someone to gain unauthorized access, may constitute a negligent release of medical information within the meaning of the Act. The plaintiffs did not need to allege an affirmative act to maintain this cause of action.

Please continue to monitor our blog for more updates on the Corona case and other news on privacy and data security.