

Litigation News | 2020

Cyberbreach Leads to Legal Malpractice Claim

Jared Lorenz


  • Misrepresentation and mishandling of information allows claim to survive.
  • The client alleged that the firm breached the duty of reasonable care to fulfill its professional and ethical obligations when the firm allowed a hacker to breach the firm’s systems.

A federal district court has concluded that a plaintiff had sufficiently stated claims based on a law firm’s alleged mishandling of a client’s confidential information. The client alleged that the firm breached the duty of reasonable care to fulfill its professional and ethical obligations when the firm allowed a hacker to breach the firm’s systems and obtain a copy of the client’s asylum application. The decision emphasizes the need to be cautious in protecting clients’ information against cyber attacks, ABA Section of Litigation leaders say.

Vulnerable Target

The litigation in Guo Wengui v. Clark Hill, PLC, et al. arose after a well-known Chinese businessman and prominent political dissident retained a law firm to assist him with an asylum petition. According to the complaint, he allegedly warned the firm of his prominent position as a critic of the Chinese regime, the risks associated with his position as a critic, and numerous cyber attacks directed toward him and his associates.

The defendants agreed to take special precautions in protecting the plaintiff’s sensitive confidential information. They assured him that “they were qualified, capable, and competent to represent plaintiff and to protect his interests fully and professionally.” Relying on these commitments regarding the protection of his confidential information, the plaintiff hired the firm to represent him.

However, according to the complaint, in September 2017, a hacker—presumably the Chinese government—attacked and accessed the firm’s computer system. As a result, the hacker obtained and published a significant amount of personal and confidential information belonging to the client and his wife.

The firm terminated its representation a few days later, explaining that because of the cyber attack, the firm’s members might be required to serve as witnesses for the plaintiff’s asylum proceedings because the hacking provided evidence of the political persecution from which their now-former client sought asylum in the United States.

The plaintiff asserted that the defendants were liable for legal malpractice, breach of fiduciary duty, and breach of contract for making his confidential information a target for attack and subsequently withdrawing from the matter. Maintaining that plaintiff’s allegations failed to state plausible claims for relief, the defendants moved to dismiss all counts.

Safeguarding Client Information

The U.S. District Court for the District of Columbia held that the plaintiff had sufficiently pleaded that the defendants breached their duties by misrepresenting the manner in which they would protect his confidential information and by failing to safeguard that information, which could amount to incompetent representation. While some courts have held that failure to prevent foreseeable cyber attacks constitutes a breach of fiduciary duties, this court recognized that it did not need to go so far as finding that any corporation’s failure to protect against any foreseeable cyber attack, standing on its own, constitutes a breach of fiduciary duty.

The court allowed the legal malpractice claim to proceed as the complaint successfully identified a breach of the duty of reasonable care owed by attorneys to their clients—specifically, misrepresentations made in order to secure a prospective client, and the failure to follow promised procedures to adequately secure confidential information.

However, the court agreed with the defendants that the plaintiff’s additional allegations, which asserted that the defendants’ withdrawal constituted a legally remediable wrong, did not provide grounds for a viable claim. Even if the withdrawal was improper, the plaintiff had failed to plead how it had damaged or prejudiced him, and such a claim requires a showing of damage or loss, the court concluded.

Taking Security Seriously

Section of Litigation leaders warn of the increasing danger presented in this area of cyber security. “Cyber attacks are an area of increasing concern in which we can expect to see much more activity and heighten the need to protect client information. Attorneys need to be hyper vigilant about potential data breach and security threats,” advises Richard A. Simpson, Washington, DC, chair of the Section’s Standing Committee on Lawyers’ Professional Liability.

The focus is on what type of information is breached. “Where the information being breached relates to the law firm itself, it typically would not give rise to a claim. However, we are seeing a rise in legal malpractice and breach of fiduciary duty claims where breaches result in the loss of clients’ personal information and data,” observes Simpson.

Understanding the applicable duty of care is important for attorneys addressing data security. “In determining what the standard of care is, several factors including type of case, the sensitivity of the information, the representation of the client, size of law firm, and available resources should be considered,” counsels Michael S. LeBoff, Newport Beach, CA, cochair of the Section’s Professional Liability Litigation Committee.

Section leaders also note that it is important not to overpromise security protections to clients that the law firm cannot deliver on. “It is crucial to understand what the firm’s standard procedures are in protecting data and what you can do to take heightened protection and develop security protocols that are consistent with the potential threat and the needs of the client,” summarizes LeBoff.