Class Actions Against Law Firms

Class Actions Against Law Firms for Data Breaches Are Shifting: Cybersecurity Trends

Class actions against law firms for data breaches are shifting. And not in a good way for the law firms involved, as the Blank Rome case illustrates.

As discussed by Angela Delvecchio on Project Counsel Media (Class actions against law firms for data breaches takes a new turn, available here), an attorney with Blank Rome LLP was tricked into uploading sensitive files to an external Google Drive account, allegedly exposing private information belonging to more than 57,000 individuals, according to a proposed class action accusing the law firm of inadequate cybersecurity safeguards and delayed breach notification.

Named plaintiff Laura Delapaz of California, a former client of Blank Rome who said her information was exposed in the breach, said in a Monday complaint that the firm “failed to adequately train its employees on cybersecurity and failed to maintain reasonable security safeguards.”

Advertisement
Casepoint

The complaint alleges that the private information of 57,554 current, former and prospective clients of Blank Rome was exposed.

According to Delvecchio, the breach occurred on May 21st when an unauthorized third party called an attorney with Blank Rome, posed as a member of the firm’s information technology department and convinced the attorney to upload the files to the external account.

The breach exposed information included:

  • names
  • full home addresses
  • Social Security numbers
  • contact information including emails and mobile phone numbers
  • financial account information
  • medical information

Blank Rome said it identified the incident within two hours, took the attorney’s device offline and deleted the files in the Google Drive account. The firm said it launched an investigation and notified law enforcement, determining the extent of the breach around May 28th. But Delapaz alleges in the complaint that affected parties were notified around June 26th, more than a month after the firm first discovered the data breach. The complaint alleges the firm “enriched itself” by using cheaper, ineffective security measures that would have prevented the attack.

Advertisement
Nextpoint

As you might expect, in the wake of the incident, Blank Rome said it arranged for affected parties to get complimentary access to credit monitoring. But Delapaz said in the complaint that the credit monitoring service does not adequately address the “lifelong harm that victims will face”. She claims to have already experienced an influx of spam communications, and other unwanted communications, as have others in the proposed class action.

What do plaintiffs like Delapaz want? They want:

  • Lifetime identity restoration services. Moving away from basic scanning toward dedicated professionals who can actively assist victims whenever their compromised data surfaces.
  • Longer monitoring windows. Extending monitoring periods well beyond the standard one-year window to compensate for the lifelong risks associated with compromised Social Security and identity numbers.
  • Stricter firm compliance. Increasing regulatory pressure, such as rules enforced by the state bar to ensure firms have take proactive, protective cyber protection measures, rather than only reacting to breaches after the fact. And for those that have been breached, proof that they have upped their game and put true cybersecurity measures in action.

Will plaintiffs get what they want? We’ll see. Regardless, class actions against law firms for data breaches are shifting. It’s more challenging than ever for law firms to avoid becoming victims of data breaches – the question is: are they doing enough to protect their clients’ data? Many of those clients might say “no”.  

So, what do you think? Are you surprised that we’re seeing more class actions against law firms for data breaches? Please share any comments you might have or if you’d like to know more about a particular topic.

Image created using DALL-E 3, using the term “robot lawyer dressed in a suit looking shocked when seeing a data breach on their workstation”.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.


Discover more from eDiscovery Today by Doug Austin

Subscribe to get the latest posts sent to your email.

Leave a Reply