Insurance Client Sues Small Law Firm $1.5M for Dark Overlord Payment

Warden Grier is a small, four-person law firm located in a one-story mixed-use commercial building housing a Kendra Scott and Panache chocolatier south of Kansas City, Missouri. The firm’s website indicates that “Whether in business, construction, or personal life we can experience losses that are not fair or just. Such losses, coupled with the financial strain, can be frustrating and destabilizing to us personally and in our businesses. We help our clients resolve such disputes to meet their goals.” Among Warden Grier’s clients was the Chicago-based insurance company Hiscox Insurance, which retained the firm to help it with “first party” non-marine insurance claims. The law firm represented those who had purchased insurance from the Chicago insurance company and, as a result, held both personal information about these insureds and attorney-client privileged information.

In a bit of irony, in December 2016, the hacker group Dark Overlord hacked the law firm’s computers and stole data concerning the Chicago insurance company, as well as the clients of the insurance company. The law firm hired its own law firm and contacted the FBI to investigate, ultimately paying money to the hacker group to ensure their silence and to keep the purloined data private. They may or may not have hired an independent forensics firm to collect data about the scope and extent of the breach.

In November 2017, Nathan Wyatt was indicted by a federal grand jury in Kansas City as part of the Dark Overlord investigation and charged with hacking into various healthcare providers, a medical records company and an accounting firm in Missouri and Illinois, but not specifically with hacking the law firm. Wyatt, also known as “Crafty Cockney,” was the same person arrested for hacking Pippa Middleton’s iCloud account. He was ultimately sentenced by a UK court on charges that included blackmailing a solicitor’s office in the north of England with a demand for an extortion payment of €10,000 in bitcoin; the demand warned, “We are ready to now use or sell all of your data on the dark net markets … we make a single offer to you to prevent this data being used or sold to Russian and Chinese buyers,” and was signed, “Regards, The Dark Overlords.” It’s not clear whether Wyatt is the same person who hacked and extorted the Kansas City law firm.

What the Kansas City law firm did not do, however, was to tell its insurance company client or the clients of the insurance company about the breach.

About fifteen months later, at the end of March 2018, an employee of the insurance company was browsing social media and learned “by happenstance” that the Hiscox data had been caught up in the breach and that the data taken from the law firm had been posted on the Dark Web. The insurance company confirmed that the breach had occurred and that the data had leaked. It then began the process of conducting its own forensic investigation and notifying all of its customers who had been impacted by the breach, at a cost it estimated to be in excess of $1.5 million.

On March 27, 2020, the insurance company sued the law firm in federal court in Kansas City. Hiscox Insurance Co., et al., v. Warden Grier, Dkt. No. 4:20-cv-00237-NKL (W.D. Missouri). The company alleged that the law firm breached its legal obligations under the retainer agreement with the company, that it breached its ethical obligations to protect client confidences, and that it was negligent in failing to protect the client data. The company also asserted that the law firm failed to notify its own customer (the insurance company) as required by Missouri law, and that this failure in turn caused the insurance company to miss the deadline for notifying its own clients (the insureds) under the same statute.

Now all of the “facts” recited here come from the complaint filed by the insurance company, and as such should be taken with a grain of salt. Maybe there was no actual data breach; maybe it didn’t involve personal or privileged information; and maybe the FBI told the law firm not to notify. That’s why we have trials.

But the case demonstrates a few things often overlooked in data sharing and data breach investigations. First, law firms are fiduciaries of client information and their clients’ information. As such, they have an ethical duty not only to protect any PI, PHI or other sensitive information they obtain but also have an additional duty to preserve client confidences. Just as you would have your cloud provider, service provider and business associate agree to protect your data (and disclose data breaches to you), you should not forget these “hidden” business associates—law firms, accountants, service providers and insurers—that may have access to your data and your customer’s data. Even if you don’t have a strict “business associate” agreement (a HIPAA requirement) or a data security agreement, you need to agree on what is expected from a data security and data breach notification standpoint from your outside counsel.

Second, the law firm needs to determine what insurance it may have to cover claims of negligent or reckless failure to protect data or to give notice. In general, a law firm may have commercial general liability (CGL) insurance to protect it from things such as “slip and fall” (again, ironic) claims of negligence by people who come into the office, or Directors and Officers (D&O) insurance to cover claims against firm leadership (depending on how the firm is organized). The firm and the individual lawyers similarly may have legal malpractice insurance to cover claims that they failed to adhere to professional requirements. And the firm may have a “cyber” policy to cover it against certain cyber-related claims, insurance which may or may not cover data breaches. The firm similarly may have KRE (Kidnap, Ransom and Extortion) insurance. Finally, the firm may have had an Advertising Injury or publicity insurance policy.

The problem is that these insurance policies are often overlapping in terms of their coverages, exclusions and duties. Is failing to protect the customer data a “negligence” claim? Is it a “data breach” claim? Is it a “cyber” claim? Is it a professional liability claim? Is the hush money payment the law firm allegedly paid to the Dark Overlord covered under an extortion policy? Is it covered by a “negative publicity” policy? Is it excluded from both as a “cyber” risk? Is the extortion payment a mitigation of possible data breach harm? Is the law firm’s failure to notify its client about the breach “negligent” or is it an uninsured criminal act by the law firm, as it may have violated the Missouri data breach law? And did the law firm notify its insurance carrier in a timely fashion sufficient to trigger a duty to defend and a duty to insure? In fact, is the lawsuit itself (and the costs of defending it) covered by insurance—and if so, which policy?

Law Firm’s Duties

One thing that makes this lawsuit unique is the fact that the impacted party was a law firm. Law firms are uniquely vulnerable to attacks by hackers. As one law review author recently noted:

Law firms are attractive targets for attacks for several reasons. First, law firms, especially large law firms, are repositories for large amounts of highly valuable corporate data, including intellectual property, investment plans, trade secrets, and clients’ business and litigation strategies. According to the FBI, “[l]aw firms have a tremendous concentration of really critical, private information,” which both state and non-state actors may desire to steal in order to gain advantages in the marketplace or in court. Moreover, law firms represent more efficient targets than the clients they serve. Law firms “are usually involved in only their client’s most important business matters, meaning hackers may not need to sift through extraneous data to find the more valuable information.” Law firms are also seen as easy targets. Law firms are perceived as being more vulnerable to cyber incursions than their clients, and indeed generally have “significantly less cybersecurity protection in place than their clients . . . .” The FBI has called some law firms “clueless” when it comes to securing corporate data. Others have labeled law firms “weak links” and “the soft underbelly of corporate cybersecurity.” Due to these perceived deficiencies, some clients themselves have taken on the responsibility of ensuring that their legal counsel’s cybersecurity protocols are up to standard.

See, CURRENT DEVELOPMENT 2015-2016: Electronic Ethics: Lawyers’ Ethical Obligations in a Cyber Practice, 29 Geo. J. Legal Ethics 1237, 1238.

Law firms also have unique legal and ethical requirements not only for protecting client data but potentially also for reporting breaches. The American Bar Association has issued a formal opinion relating to a law firm’s duties with respect to its use of outside data processing firms and data security of client information, noting that “should a significant breach of confidentiality occur within a computer maintenance company, accounting firm, or the like, a lawyer may be obligated to disclose such breach to the client or clients whose information has been revealed.” The same would likely be true if the firm itself suffered the breach.

The lawyer also has a duty not only to preserve client confidences but also to keep a client adequately informed of developments that are important, and the ABA opinion also noted that “[w]here the unauthorized release of confidential information could reasonably be viewed as a significant factor in the representation, for example where it is likely to affect the position of the client or the outcome of the client’s legal matter, disclosure of the breach would be required under Model Rule 1.4(b).” Similarly, a New York state ethics opinion that permitted law firms to use cloud-based data storage for client records noted that “if the lawyer learns of any breach of confidentiality by the online storage provider, then the lawyer must investigate whether there has been any breach of his or her own clients’ confidential information, notify any affected clients, and discontinue use of the service unless the lawyer receives assurances that any security issues have been sufficiently remediated.” Alaska provides that “[a] lawyer who learns that any person employed by the lawyer has revealed a confidence … protected by these rules shall notify the person whose confidence or secret was revealed.” Similarly, Pennsylvania Ethics Opinion 2011-46 provides that a lawyer who neglects to remove client data upon disposing of a hard drive “may have a duty to notify clients.” So the duty to notify arises not only from the data breach statute but also from the lawyer’s professional obligations, and a failure to notify may therefore be covered by a malpractice carrier unless cyber-related malpractice claims are specifically excluded from coverage.

Whether the law firm will be liable is up to the eventual litigation. Paying a hacker an extortion fee (and it’s not clear yet that this is what actually happened) is never a great strategy. Not telling your customer about a breach (see above caveat) is similarly not a great strategy. But one thing remains certain: Law firms will continue to be targets for hacking because they have lots of sensitive client information and are reluctant to disclose the fact that they have been compromised. And insurance companies will want to point the finger. Oh, and by the way, water is wet.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.