Risk Update

Law Firm Data Breach (A Different One) — Client (Insurance Provider Hiscox) Sues Its Firm

“Company Sues Its Law Firm Over Data Breach” —

  • “Security Boulevard reported on April 20 that insurance company Hiscox has sued one of its law firms, Warden Grier, a four-person firm in Missouri. It had hired the firm to assist with “first party” non-marine insurance claims. The firm represented insureds who had purchased insurance from Hiscox – it therefore had both personal information about these clients and attorney-client privileged information.”
  • “In December 2016, hacker group Dark Overlord hacked the law firm’s computers and stole data concerning Hiscox, as well as the clients of the insurance company. The law firm hired its own law firm and contacted the FBI to investigate, ultimately paying ransomware to the hacker group to keep the stolen data private. It is unknown whether the firm hired an independent forensics firm to investigate the scope and extent of the breach.”
  • “Warden Grier did not tell Hiscox or clients of the insurance company about the breach.”
  • “On March 27, 2020, the insurance company sued Warden Grier in federal court in Kansas City. Hiscox Insurance Co., et al., v. Warden Grier, Dkt. No. 4:20-cv-00237-NKL (E.D. Missouri). The company alleged that the law firm breached its legal obligations under the retainer agreement with the company, that it breached its ethical obligations to protect client confidences, and that it was negligent in failing to protect the client data. The company also asserted that the law firm itself failed to notify its customer (the insurance company) as required by Missouri law and that this caused the insurance company to fail to timely notify its own clients (the insureds) as required by the same statute.”

See additional commentary from Anderson Kill: “In Novel Case, Insurer Sues Own Law Firm After Data Breach”

  • “Disputes between insurers and third parties following data breaches often happen behind closed doors, attorneys who handle cyberinsurance cases say. But it is rare for such a dispute to surface in federal court filings.”
  • “‘You just don’t see this kind of situation and these kinds of allegations made every day,’ said Joshua Gold, chair of Anderson Kill PC’s cyber insurance recovery practice group.”
  • “Insurers have sued law firms that represent their policyholders in the past, but such cases normally claim that the law firm jeopardized a payout with malpractice or professional misconduct, Gold said.”
  • “‘I’ve definitely seen an uptick in insurance companies suing law firms in this kind of setting, but this is certainly the first case I’ve seen address an alleged misstep in reporting a data breach in a prompt fashion,’ Gold added.”
  • “Data breach notification statutes differ by state in the U.S., but cyberinsurance attorneys say law firms should as a best practice tell their clients when they have reason to believe that their data has been exposed in a cyberattack. The American Bar Association has also urged attorneys to notify clients in the event of a data breach and to keep them updated on subsequent investigations.”
  • “‘This case shows some of the hazards that all companies face when they choose to not proactively notify their business partners about a breach… You really need to review closely your contractual obligations to third parties, and think about them expansively, rather than narrowly,’ said Farella Braun & Martel LLP partner Tyler Gerking.”