Chicago Law Firm Accused of Lax Data Security in Lawsuit


A federal judge on Friday unveiled a long-sealed proposed class-action complaint that accused the law firm Johnson & Bell of failing to take adequate steps to protect the data on its servers.

The case is currently proceeding in confidential arbitration. The complaint was filed in April by the plaintiffs’ firm, Edelson P.C., on behalf of two of Johnson & Bell’s onetime clients: Jason Shore, a California resident, and Coinabul, a Wyoming limited liability company.

Johnson & Bell is a Chicago-based firm with about 100 attorneys and was ranked as the 385th largest law firm in the country, according to The American Lawyer.

The complaint refers to Johnson & Bell “as a data breach waiting to happen” and claims the firm marketed itself as using top data security to protect its clients’ information but in fact had numerous lapses, including — according to the complaint — an online time-keeping system that had not been updated in 10 years. Jay Edelson, the founder of Edelson P.C., said his firm has been conducting a wide-ranging investigation of law firms, and that he anticipates other judges may soon unseal lawsuits his firm filed against other law firms.

“You will learn about other lawsuits,” said Edelson.

The unsealed suit accused Johnson & Bell of using several internet-accessible computer networks, such as its time-keeping system and its email system, which had not been updated with security patches.

“It is only a matter of time until hackers learn of these vulnerabilities (if they have not already),” the complaint alleged. “As a result, Johnson & Bell’s clients not only face the current harm of having their information exposed but the risk that hackers will gain access to confidential billing records, be able to intercept and decrypt attorney-client communications, and obtain additional documents stored by Johnson & Bell.”

The lawsuit makes other accusations, including that the firm is using an obsolete security system to protect and encrypt its own internal email.

William Johnson, a co-founder and president of Johnson & Bell, called the lawsuit “specious” in a statement and said the firm intends to defend itself.

His statement said, “Our data systems are secure and our clients’ information is protected. We will fully defend our firm against this baseless lawsuit and will seek appropriate action against plaintiffs after the lawsuit is concluded.”

The plaintiffs, Shore and Coinabul, had retained lawyers at Johnson & Bell for about six months between 2014 and 2015 and paid a $30,000 retainer, according to the complaint, which does not specify what legal services were provided. The client agreement is attached and specifies the lead lawyer, Joseph Marconi, charged $400 per hour.

Coinabul, which exchanges the online currency bitcoin for precious metals such as gold and silver, was accused in a 2014 class action of defrauding its customers, although it appeared to continue to operate afterwards.

Johnson also noted in his statement that Edelson had previously been adversarial to its current clients in the suit, Shore and Coinabul. “Mr. Edelson previously accused Coinabul and Shore of engaging in a wide-ranging fraudulent scheme,” Johnson said.

Ben Richman, a partner at Edelson, said the pleadings speak for themselves and declined to comment.

The suit against Johnson & Bell makes legal malpractice claims for breach of contract and negligence. It claims the law firm said it had adequate data security when it did not and failed to take reasonable steps to maintain data security.

It also accuses Johnson & Bell of unjust enrichment and breach of fiduciary duty and seeks to have the firm forfeit any legal fees it earned from clients, and “any profits diverted from spending on cybersecurity.” The case has not yet been certified as a class, according to the docket.

The suit also asks for a third-party security audit of Johnson & Bell and a declaration that its conduct, as outlined in the complaint, constitutes malpractice. It also asks the firm to inform its clients that its computer systems are not secure.

Edelson declined to discuss which other law firms his firm has targeted.

“Our view has always been that law firms are prime targets for hackers,” he said. “Law firm data security has been abysmal. We’ve been encouraged that we’ve heard reports that since the news of our suit, even before it was unsealed, law firms are now having mandatory discussions where they are trying to educate employees.”

He said they also received calls from “whistleblowers” at law firms reporting how bad security is.

“A lot of the stories we’re hearing are about older partners who just thought the rules didn’t apply to them and were using public wifi to do vetting” on M&A transactions and work on other sensitive data, said Edelson.

The case is Shore et al v. Johnson & Bell, filed in N.D. of Illinois, 16-4363. Read the complaint, via Bloomberg Law here.