DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Law Firm Sued for Alleged Lax Data Security Avoids Class Action

Posted on March 9, 2017 by Dissent

Derek Borchardt and Michael F. Buchanan have an update on litigation previously noted on this site. At its heart, a lawsuit claimed a Chicago law firm, Johnson & Bell, had inadequate data security. There was no allegation of any actual breach – the suit was over inadequate data security.

Back in December of last year, we reported that for the first time, a U.S. law firm – Johnson & Bell, a mid-sized Chicago firm – was publicly named in a class action data security lawsuit.  Last month, the firm obtained a significant victory in the case.

To briefly recap, two of Johnson & Bell’s former clients claimed in their complaint that the firm had lax data security practices that put confidential client information at risk of exposure.  (Note that the plaintiffs did not claim that any actual breach had occurred, an omission which presents a significant question of standing under Article III, an issue this blog has recently covered.)

The retainer agreement between the firm and its former clients included an arbitration clause, which stated in pertinent part: “In the unlikely event of any dispute under this agreement, including a dispute regarding the amount of fees or the quality of our services, such dispute shall be determined through binding arbitration.”  Based on that clause, Johnson & Bell filed a motion to require the plaintiffs to arbitrate their dispute on an individual, rather than class, basis.  The firm argued that because the arbitration clause did not explicitly state that arbitration may be on a class basis, the only permissible arbitration was on an individual basis.  The court agreed.

Read more on Patterson Belknap Data Security Law Blog.

I asked Jay Edelson of Edelson, PC, lawyers for the plaintiffs, his perspective on the decision and its potential impact on other similar cases they had planned to file. He replied:

We filed suit (under seal) seeking, first, injunctive relief to fix the alleged security vulnerabilities. Once we were satisfied of the relevant fixes, we then moved to unseal the case and dismissed it. The dismissal did not mean that we aren’t pursuing it, but rather was in recognition of the fact that there is an arbitration clause. Johnson & Bell asked the Court to rule that we could arbitrate on an individual basis only (i.e. not on behalf of a class).

The Court agreed with them and we are going to appeal that decision. However, regardless of whether this can be brought as a class action, we will still pursue the suit. The question will be whether the class members are required to bring many individual arbitrations or can do it all at once.

In terms of other similar lawsuits, because this is a procedural issue (as opposed to one on the merits), it doesn’t have much impact unless a defendant has a similar arbitration clause as Johnson & Bell’s. Even if they do, our guess is that because individual arbitrations are so expensive, it is unlikely that other defendants will choose to potentially face hundreds if not thousands of arbitrations instead of fighting one single (albeit larger) case.

So stay tuned, I guess. I expect that there will still be issues raised of standing if there’s been no actual breach, but we’ll have to wait and see.

Related posts:

  • Why Canada’s Privacy Commissioner and CRTC should heed PIAC/CAC’s recommendations about Bell’s “Relevant Ads Program”
  • NullCrew attack on Bell Canada was SQL injection and Bell knew weeks ago – NullCrew (update 2)
Category: Commentaries and AnalysesOf Note

Post navigation

← Dutch detectives unravel 3.6 million encrypted emails sent by criminals
NV: Personal info found in files dumped on sidewalk →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.