Safeguarding Client Information
The U.S. District Court for the District of Columbia held that the plaintiff had sufficiently pleaded that the defendants breached their duties by misrepresenting the manner in which they would protect his confidential information and by failing to safeguard that information, which could amount to incompetent representation. While some courts have held that failure to prevent foreseeable cyber attacks constitutes a breach of fiduciary duties, this court recognized that it did not need to go so far as finding that any corporation’s failure to protect against any foreseeable cyber attack, standing on its own, constitutes a breach of fiduciary duty.
The court allowed the legal malpractice claim to proceed as the complaint successfully identified a breach of the duty of reasonable care owed by attorneys to their clients—specifically, misrepresentations made in order to secure a prospective client, and the failure to follow promised procedures to adequately secure confidential information.
However, the court agreed with the defendants that the plaintiff’s additional allegations, that the defendant’s withdrawal constituted a legally remediable wrong, did not provide grounds for a viable claim. Even if the withdrawal was improper, the plaintiff had failed to plead how it had damaged or prejudiced him, and such a claim requires a showing of damage or loss, the court concluded.
Taking Security Seriously
Section of Litigation leaders warn of the increasing danger presented in this area of cyber security. “Cyber attacks are an area of increasing concern in which we can expect to see much more activity and heighten the need to protect client information. Attorneys need to be hyper vigilant about potential data breach and security threats,” advises Richard A. Simpson, Washington, DC, chair of the Section’s Standing Committee on Lawyers’ Professional Liability.
The focus is on what type of information is breached. “Where the information being breached relates to the law firm itself, it typically would not give rise to a claim. However, we are seeing a rise in legal malpractice and breach of fiduciary duty claims where breaches result in the loss of clients’ personal information and data,” observes Simpson.
Understanding the applicable duty of care is important for attorneys addressing data security. “In determining what the standard of care is, several factors including type of case, the sensitivity of the information, the representation of the client, size of law firm, and available resources should be considered,” counsels Michael S. LeBoff, Newport Beach, CA, cochair of the Section’s Professional Liability Litigation Committee.
Section leaders also note that it is important not to overpromise security protections to clients that the law firm cannot deliver on. “It is crucial to understand what the firm’s standard procedures are in protecting data and what you can do to take heightened protection and develop security protocols that are consistent with the potential threat and the needs of the client,” summarizes LeBoff.