Risk Update

Risk Reading — Law Firm Data Breach Updates, Law Firm Securitizes Settlement For Sale

“Law firm Kirkland sued in class action over MOVEit data breach” —

  • “U.S. law firm Kirkland & Ellis, the world’s largest law firm by revenue, has been pulled into U.S. litigation over a wide-ranging data breach linked to a file transfer tool that compromised data at hundreds of organizations.”
  • “A proposed class action filed on Friday accused Kirkland and several other companies, including health insurer Humana, of not doing enough to safeguard personal information that was affected by a May 2023 hack of Massachusetts-based Progress Software’s MOVEit Transfer file management software.”
  • “Kirkland represented home healthcare agency Trilogy Home Healthcare in its acquisition last year by Humana subsidiary CenterWell Home Health, the lawsuit said. Trilogy allegedly transferred legal files that contained a ‘wide array’ of private information to Kirkland using MOVEit.”
  • “The lawsuit named Progress, CenterWell and Trilogy as defendants in addition to Kirkland and Humana. It was filed on behalf of a proposed class of at least 4,700 people.”
  • “Kirkland did not inform Trilogy that the software breach affected its files until October, and Trilogy did not notify affected customers until March 2024, according to the complaint.”

“Mondelez, US law firm must face class action over data breach” —

  • “Snack food giant Mondelez and U.S. law firm Bryan Cave Leighton must face at least part of a proposed class action over a data breach at the firm that compromised personal information belonging to thousands of Mondelez employees, a Chicago federal judge has ruled.”
  • “U.S. District Judge Jorge Alonso on Monday dismissed some of the allegations in the case for now, but he refused to throw out the employees’ negligence claims against Mondelez and 1,200-lawyer BCLP.”
  • “As an outside law firm for Mondelez, BCLP possessed personal information on its employees including names, dates of birth, Social Security numbers and addresses, according to the plaintiffs. After hackers gained access to the files in a 2023 breach at the firm, the employees sued both Mondelez and BCLP for failing to safeguard their data.”
  • “The judge on Monday kept the plaintiffs’ negligence claims alive against both defendants, and he rejected Mondelez’s argument that it should not be held responsible for the breach of another company’s systems.”

“Data Breaches, Hacking and Ransomware: What Every Lawyer Needs to Know About the Rise in Cybersecurity Incidents” —

  • “The rise in cybersecurity incidents should sound the alarm bells for law firms and legal professionals alike. State bar authorities across the country have reported that lawyers are being specifically targeted by those carrying out cybercrimes, including data breaches and ransomware attacks.”
  • “These incidents are becoming more prevalent and even harder to detect given the increased use of and reliance on technology by attorneys in connection with the practice of law. This article discusses the obligations that practitioners have when it comes to cybersecurity and practicing law, steps that can be taken to defend against and respond to cybersecurity incidents and potential consequences from the failure to act.”
  • “As an initial matter, a cybersecurity policy must be enforced at every level of a law practice, including for attorneys, paralegals, legal assistants, and other employees.”
  • “An incident response protocol (IRP) can go a long way in mitigating the harm from cybersecurity incidents and prevent further and unnecessary damage. IRPs should address what and how specific incidents are responded to by members of an organization. This includes, for example, the processes needed for data and information collection or preservation, reporting mechanisms and notice requirements, as well as backup and retention logs. IRPs can save valuable time and ensure that every incident is fully responded to and documented.”
  • “In the face of cybersecurity incidents, law firms and lawyers may face potential malpractice, negligence, and privacy-related claims. See In re Mondelez Data Breach Litigation, supra at *2-*3. Clients and affected third parties may also file ethics complaints or grievances with state bar authorities based on relevant RPCs. See, e.g., ABA Model Rules 1.1, 1.6(c), & 1.15(a). Further, there may even be grounds for statutory claims involving HIPAA and the like. Hackers can gain access to sensitive and confidential client information being held by law firms and lawyers, potentially resulting in reputational harm, extortion, demands for ransom in exchange for stolen data and other costs.”
  • “Given the pervasiveness of cybersecurity incidents in contemporary law practice, the question can no longer be framed in terms of if, but when an incident will occur.”

“Opioids Lawyers Offer Investors Piece of $100 Million-Plus Win” —

  • “A law firm set to earn more than $100 million for its work on opioids cases is packaging its fees and selling it to investors as a security.”
  • “Napoli Shkolnik PLLC is pooling its portion of approximately $1.3 billion in settlements with major opioid manufacturers and pharmacies, including McKesson, Janssen, CVS and Walgreens, according to a Securities and Exchange Commission filing. The firm declined to comment.”
  • “The move is the latest sign of the growing intermingling of law firms and investors. Securitization is an increasingly common tool in litigation finance, a $15.2 billion industry in which outside funders back lawsuits or invest in yet to be paid settlements, and which has set its sights on large pools of money in mass tort cases.”
  • “Securities are often used to package auto, credit and other loans for investors. For law firms set to receive shares of large settlements over time, it gives them immediate access to cash while reducing risk.”
  • “Some states and counties in the late 90s securitized parts of settlement awards stemming from far-reaching lawsuits against tobacco companies. The details of similar moves by law firms and private companies are often not made public.”
  • “Napoli Shkolnik’s asset report filing with the SEC offers a rare glimpse of how one of the biggest mass tort law firms is being paid for its work and its plans to monetize future winnings now. The document details at least one of the settlements, when it will be paid out and the law firm’s cut.”

“‘Lawyers Are Always Responsible’: 5th Circuit Discards AI Disclosure Rule After Pushback” —

  • “After pushback from attorneys, the U.S. Court of Appeals for the Fifth Circuit has discarded a proposed rule that would have required lawyers to disclose if they used generative artificial intelligence in crafting a brief.”
  • “If adopted, attorneys would have had to check a box confirming that no AI program was used in drafting a filing or, if one were used, certifying that it was reviewed for accuracy by a person. Attorneys who submitted comments said the proposal was unnecessary given existing federal rules.”
  • “The decision was met with understanding and approval from some court watchers.”
  • “‘Existing rules of practice and procedure and lawyer ethical rules already require that lawyers certify that the facts and law cited are ‘real’ and support the arguments made,’ said former U.S. District Judge Paul Grimm for the District of Maryland.”
  • “‘These rules provide ample sanctions if violated, so a special AI rule is not needed,’ added Grimm, now director of the Bolch Judicial Institute at Duke Law School. ‘I hope that other courts find this position persuasive.’”