DataBreaches.Net


Law Firm Sued for Alleged Lax Data Security Avoids Class Action

Posted on March 9, 2017 by Dissent

Derek Borchardt and Michael F. Buchanan have an update on litigation previously noted on this site. At its heart, a lawsuit claimed a Chicago law firm, Johnson & Bell, had inadequate data security. There was no allegation of any actual breach – the suit was over inadequate data security.

Back in December of last year, we reported that for the first time, a U.S. law firm – Johnson & Bell, a mid-sized Chicago firm – was publicly named in a class action data security lawsuit.  Last month, the firm obtained a significant victory in the case.

To briefly recap, two of Johnson & Bell’s former clients claimed in their complaint that the firm had lax data security practices that put confidential client information at risk of exposure.  (Note that the plaintiffs did not claim that any actual breach had occurred, an omission which presents a significant question of standing under Article III, an issue this blog has recently covered.)

The retainer agreement between the firm and its former clients included an arbitration clause, which stated in pertinent part: “In the unlikely event of any dispute under this agreement, including a dispute regarding the amount of fees or the quality of our services, such dispute shall be determined through binding arbitration.”  Based on that clause, Johnson & Bell filed a motion to require the plaintiffs to arbitrate their dispute on an individual, rather than class, basis.  The firm argued that because the arbitration clause did not explicitly state that arbitration may be on a class basis, the only permissible arbitration was on an individual basis.  The court agreed.

Read more on Patterson Belknap Data Security Law Blog.

I asked Jay Edelson of Edelson, PC, lawyers for the plaintiffs, his perspective on the decision and its potential impact on other similar cases they had planned to file. He replied:

We filed suit (under seal) seeking, first, injunctive relief to fix the alleged security vulnerabilities. Once we were satisfied of the relevant fixes, we then moved to unseal the case and dismissed it. The dismissal did not mean that we aren’t pursuing it, but rather was in recognition of the fact that there is an arbitration clause. Johnson & Bell asked the Court to rule that we could arbitrate on an individual basis only (i.e. not on behalf of a class).

The Court agreed with them and we are going to appeal that decision. However, regardless of whether this can be brought as a class action, we will still pursue the suit. The question will be whether the class members are required to bring many individual arbitrations or can do it all at once.

In terms of other similar lawsuits, because this is a procedural issue (as opposed to one on the merits), it doesn’t have much impact unless a defendant has a similar arbitration clause as Johnson & Bell’s. Even if they do, our guess is that because individual arbitrations are so expensive, it is unlikely that other defendants will choose to potentially face hundreds if not thousands of arbitrations instead of fighting one single (albeit larger) case.

So stay tuned, I guess. I expect that there will still be issues raised of standing if there’s been no actual breach, but we’ll have to wait and see.


Category: Commentaries and Analyses, Of Note
