DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Law Firm Sued for Alleged Lax Data Security Avoids Class Action

Posted on March 9, 2017 by Dissent

Derek Borchardt and Michael F. Buchanan have an update on litigation previously noted on this site. At its heart, a lawsuit claimed a Chicago law firm, Johnson & Bell, had inadequate data security. There was no allegation of any actual breach – the suit was over inadequate data security.

Back in December of last year, we reported that for the first time, a U.S. law firm – Johnson & Bell, a mid-sized Chicago firm – was publicly named in a class action data security lawsuit.  Last month, the firm obtained a significant victory in the case.

To briefly recap, two of Johnson & Bell’s former clients claimed in their complaint that the firm had lax data security practices that put confidential client information at risk of exposure.  (Note that the plaintiffs did not claim that any actual breach had occurred, an omission which presents a significant question of standing under Article III, an issue this blog has recently covered.)

The retainer agreement between the firm and its former clients included an arbitration clause, which stated in pertinent part: “In the unlikely event of any dispute under this agreement, including a dispute regarding the amount of fees or the quality of our services, such dispute shall be determined through binding arbitration.”  Based on that clause, Johnson & Bell filed a motion to require the plaintiffs to arbitrate their dispute on an individual, rather than class, basis.  The firm argued that because the arbitration clause did not explicitly state that arbitration may be on a class basis, the only permissible arbitration was on an individual basis.  The court agreed.

Read more on Patterson Belknap Data Security Law Blog.

I asked Jay Edelson of Edelson, PC, lawyers for the plaintiffs, his perspective on the decision and its potential impact on other similar cases they had planned to file. He replied:

We filed suit (under seal) seeking, first, injunctive relief to fix the alleged security vulnerabilities. Once we were satisfied of the relevant fixes, we then moved to unseal the case and dismissed it. The dismissal did not mean that we aren’t pursuing it, but rather was in recognition of the fact that there is an arbitration clause. Johnson & Bell asked the Court to rule that we could arbitrate on an individual basis only (i.e. not on behalf of a class).

The Court agreed with them and we are going to appeal that decision. However, regardless of whether this can be brought as a class action, we will still pursue the suit. The question will be whether the class members are required to bring many individual arbitrations or can do it all at once.

In terms of other similar lawsuits, because this is a procedural issue (as opposed to one on the merits), it doesn’t have much impact unless a defendant has a similar arbitration clause as Johnson & Bell’s. Even if they do, our guess is that because individual arbitrations are so expensive, it is unlikely that other defendants will choose to potentially face hundreds if not thousands of arbitrations instead of fighting one single (albeit larger) case.

So stay tuned, I guess. I expect that there will still be issues raised of standing if there’s been no actual breach, but we’ll have to wait and see.

Category: Commentaries and AnalysesOf Note

Post navigation

← Dutch detectives unravel 3.6 million encrypted emails sent by criminals
NV: Personal info found in files dumped on sidewalk →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware
  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach
  • Oklahoma Expands its Security Breach Notification Law
  • Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.