| Haley Altman

Could Your Firm be Sued Over a Cyberattack?

If your firm is the victim of a cyberattack or isn’t doing enough to protect highly sensitive client information, it could find itself defending against a lawsuit.


In December 2016, the Northern District of Illinois unsealed a complaint against Chicago-based Johnson & Bell, a firm with more than 100 attorneys and practice groups ranging from administrative law to professional liability.


Class-Action Brought for Lack of Cybersecurity


The class-action lawsuit, the first brought against a firm for lack of cybersecurity, claims the law firm fails to keep its clients’ information secure. Its computer systems suffer from critical vulnerabilities in its internet-accessible web services, the suit alleges, which has resulted in confidential information being exposed and being at a greater risk of further unauthorized disclosure.


The lawsuit claims:

  • The firm’s WebTime server leaves sensitive billing records exposed
  • Its VPN server fails to protect client data
  • Its email server is vulnerable to cyberattacks and uses Secure Sockets Layer 2, which is obsolete and insecure


Remember: There hasn’t been a data breach by Johnson & Bell, but clients are concerned enough to file suit. The court sent the case to arbitration for each plaintiff, per the client engagement letter’s arbitration clause. This means the outcome of the suit will likely never be public, so other firms won’t be able to gain insight as to how courts or arbitrators may rule on this issue.


Are you starting to get nervous about your firm’s email system or servers? What if this was your law firm being sued? The plaintiffs want damages, attorneys’ fees, and an independent, third-party security audit, and that Johnson & Bell must inform its clients that their confidential information has been exposed.


Imagine having to tell your clients that your firm didn’t do enough to keep their private, highly sensitive information safe. That’s enough to send most managing partners into a tailspin.


There are steps lawyers can take to protect client information. Learn more in our guide, “Technology Solutions Mitigate Risk of Data Disclosure.”