Law firm must face insurer's suit for data breach investigation costs
2021 INSDBREF 0715
•
By Dave Embree
WESTLAW Insurance Daily Briefing
•
December 13, 2021
(December 13, 2021) - A Missouri federal judge has refused to dismiss Hiscox Insurance Co.'s lawsuit seeking to recover nearly $1.5 million from a law firm for failing to notify it about a data breach that exposed the personal data of the insurer's clients.
U.S. District Judge Nanette K. Laughrey of the Western District of Missouri on Dec. 8 rejected Warden Grier LLP's arguments that it had no legal duty to notify Hiscox of the breach and that it was not the proximate cause of the insurer's injury.
However, Judge Laughrey agreed with the law firm that Hiscox's claim for breach of fiduciary duty fell short because it was duplicative of its professional negligence claim.
The Dark Overlord strikes
An international hacking organization known as the Dark Overlord breached Warden Grier's computer server in February 2017 and threatened to expose data from that server unless the law firm paid ransom, according to Judge Laughrey's opinion.
The stolen data included personally identifiable information from Hiscox's clients that the insurer had provided to Warden Grier to represent it in various litigation matters, the opinion said.
Warden Grier ultimately paid the ransom demand but did not notify Hiscox about the breach. Hiscox learned about the breach only after the Dark Overlord contacted it directly in March 2018, according to the opinion.
The insurer then spent nearly $1.5 million to investigate the incident and notify affected clients, the opinion said.
Hiscox and related company Hiscox Syndicates Ltd. sued Warden Grier in the District Court in March 2020 to recover those costs. The suit included claims for professional negligence and breach of fiduciary duty.
Professional negligence claim survives
Warden Grier moved for summary judgment in September, citing the Missouri Supreme Court's decision in Klemme v. Best, 941 S.W.2d 493 (Mo. 1997), which held that claims for breach of fiduciary duty cannot coexist with professional negligence claims.
The law firm also argued that the professional negligence claim failed because it had no duty to provide Hiscox with an analysis of the stolen PII and the insurer did not present sufficient evidence to establish causation.
Judge Laughrey granted Warden Grier's motion with respect to the fiduciary duty claim.
Citing Klemme, she said the claim fell short "because the alleged violation of the duty of loyalty is simply an extension of — or a gloss on — the alleged violation of the duty of care, and not a truly independent breach of a fiduciary duty."
However, the judge refused to dismiss Hiscox's claim for professional negligence.
Warden Grier owed the insurer a duty of care by virtue of the attorney-client relationship, the judge said, and any determination about what that duty required the law firm to do in response to the data breach belongs to the jury.
Judge Laughrey also said that Hiscox presented sufficient evidence about causation to survive summary judgment. She pointed to expert testimony the insurer submitted to bolster the argument that its investigation costs could have been avoided had Warden Grier properly analyzed the stolen data.
Michael W. Seitz and Daniel E. Blegan of Spencer Fane LLP represent Hiscox.
Related Articles from Westlaw Insurance Daily Briefing
Article: Law firm: Insurer clients not owed $1.5 million for ransomware investigation 2021 INSDBREF 0548
Date: September 17, 2021
A Missouri law firm being sued by two client insurers over a cyberattack says the lawsuit should be dismissed because it did not breach its fiduciary duty and was not negligent in its investigation and notification of the data breach.
Related articles