Suit Against Law Firm for Exposing Data in Absence of Breach


Jason Shore and Coinabul, LLC v. Johnson & Bell, Ltd., No. 16-4363 (N.D. Ill.) is a suit filed by a client against a law firm for its failure to keep client data secure on systems that allow remote online access to its email and document management system.

Johnson & Bell's motion to dismiss was denied as moot when the parties agreed to arbitration this past February. It is, however, very interesting to review the complaint and the innovative claims brought by the plaintiffs, which are made in the absence of any actual data breach.

The causes of action listed in the complaint are breach of contract for legal malpractice; a negligence claim also based on malpractice; unjust enrichment; and breach of fiduciary duty. In addition to damages, the plaintiffs sought a motion to compel the defendants to secure client data, let a third party conduct a security audit, and notify other clients of the vulnerability of their data.

The system the complaint alleges is inadequate was developed by Rippe & Kingston and uses a 'webtime' server. See this screen grab from the complaint:

The system was more than 10 years old and security updates had not been installed. The version in use at J&B dated from 2005. This JBoss system is listed in the NIST National Vulnerability Database as allowing for unauthorized access to networks. There have been many documented attacks by hackers against unpatched JBoss servers.

The complaint also criticized J&B's virtual private network for failing to protect against man-in-the-middle attacks. J&B's email system used SSL 2 [Secure Sockets Layer, a cryptographic protocol for transferring data over a network], which was vulnerable to attacks aimed at overcoming RSA encryption. It further alleged that a time record system which did not use password-protected accounts would lead to phishing attacks, since hackers would be able to access up-to-date information about the nature of attorneys' representation of various clients. All of this was while Johnson & Bell marketed itself to clients as an expert in data security.