Law360 (April 13, 2020, 8:55 PM EDT) -- An insurer that offers coverage for cyberattacks has accused a law firm it hired of concealing a data breach, in a Missouri federal lawsuit that industry insiders say thrusts into the spotlight a type of conflict that normally plays out behind the scenes.
The lawsuit filed March 27 by Hiscox Insurance claims that Kansas City personal injury law firm Warden Grier LLP — which Hiscox has hired to represent policyholders for more than 15 years — quietly paid a ransom to a notorious hacking gang that had infiltrated its systems, without alerting Hiscox or any of the affected clients.
Warden Grier believed that acquiescing to the hackers' demands would protect the data stolen in the 2016 incident from ever being disseminated, Hiscox's complaint says. But in March 2018, a Hiscox employee discovered by chance that some of the information had been leaked on the so-called dark web, which then caused the company to launch an investigation that cost it more than $1.5 million, the suit says.
Hiscox now claims that Warden Grier breached its "contractual, legal, ethical, and fiduciary duties" by failing to protect its clients' sensitive data, and by not telling Hiscox or its policyholders about the episode.
The case is likely to strike a nerve with companies of all types that are increasingly being hit with cyberattacks, forcing them to decide whether to pay hackers' strategically calculated ransoms and whether they should alert business partners that may be affected.
Disputes between insurers and third parties following data breaches often happen behind closed doors, attorneys who handle cyberinsurance cases say. But it is rare for such a dispute to surface in federal court filings.
"You just don't see this kind of situation and these kinds of allegations made every day," said Joshua Gold, chair of Anderson Kill PC's cyber insurance recovery practice group.
Insurers have sued law firms that represent their policyholders in the past, but such cases normally claim that the law firm jeopardized a payout with malpractice or professional misconduct, Gold said.
"I've definitely seen an uptick in insurance companies suing law firms in this kind of setting, but this is certainly the first case I've seen address an alleged misstep in reporting a data breach in a prompt fashion," Gold added.
Adding to the intrigue surrounding the case is that Hiscox itself has been among the louder voices sounding the alarm on the sharp increase in cyberattacks in recent years — and offering companies cyberinsurance to protect themselves.
"The cyberthreat has become the unavoidable cost of doing business today," said Gareth Wharton, chief executive at Hiscox Cyber, as part of a report the company released in April 2019. The report said that a "significant majority" of the more than 5,400 businesses Hiscox surveyed in Europe reported responding to one or more cyberattacks in the past year.
"It's ironic that Hiscox would sue its own law firm and say, 'You have an absolute duty to protect our information,' given that they are in the business of offering cyber insurance and know that there can never be complete protection," said Bob Horn, an attorney representing Warden Grier, in a Monday interview with Law360.
"It's not an issue of who will be hacked, it's a matter of when," added Horn, of the Kansas City-based firm Horn Aylward & Bandy LLC. "At some point, what exactly is a law firm or any business supposed to do?"
Data breach notification statutes differ by state in the U.S., but cyberinsurance attorneys say law firms should, as a best practice, tell their clients when they have reason to believe that client data has been exposed in a cyberattack. The American Bar Association has also urged attorneys to notify clients in the event of a data breach and to keep them updated on subsequent investigations.
"This case shows some of the hazards that all companies face when they choose to not proactively notify their business partners about a breach," said Farella Braun & Martel LLP partner Tyler Gerking.
Law firms in particular need to be careful in how they deal with cybersecurity incidents because of the sensitive and often privileged nature of the information that they are storing for their clients, Gerking said.
"You really need to review closely your contractual obligations to third parties, and think about them expansively, rather than narrowly," Gerking added.
Hiscox's suit says that Warden Grier consulted with outside attorneys and the FBI after the hack. The complaint attributes the intrusion to a criminal collective known as The Dark Overlord, which is known for stealing data and then demanding ransoms in exchange for not releasing it.
The Dark Overlord gained widespread notoriety in 2017 for leaking the fifth season of the Netflix series "Orange Is the New Black." In January 2019, the group also released a cache of confidential files it claimed to have stolen from a law firm involved in litigation related to the 9/11 attacks, and threatened that subsequent releases would embarrass Hiscox, among other companies.
Warden Grier, then Warden Triplett Grier, was one of several firms that brokered a $1.2 billion settlement in 2010 in litigation stemming from 9/11. But it is unclear if the firm was the source of that information.
In December, the Justice Department indicted and extradited U.K. national Nathan Wyatt, an alleged member of the hacking crew. Court papers accused Wyatt and others of targeting and trying to extort health care providers and accounting firms in the St. Louis, Missouri, area starting in 2016, but the indictment did not charge Wyatt in connection with the alleged Warden Grier incident.
It will be worth watching whether Warden Grier provides an explanation in court papers for why it did not notify Hiscox of the incident when it was allegedly dealing with the ransom demand. Horn, the firm's attorney, did not directly address that question Monday. But he questioned whether Hiscox had adequately shown in the complaint that it suffered legally valid "damages" from not knowing about the incident back in 2016.
Hiscox provided no details in the complaint about the clients who may have been targeted or the information the hackers were after. But the company did allege that the attackers obtained confidential, personally identifiable information.
Hiscox's lawsuit comes as cyberinsurers in general are taking more aggressive legal stances in going after third parties that they believe are to blame for data breaches suffered by their policyholders, said Barnes & Thornburg LLP partner Scott Godes.
"I've noticed more carriers putting resources behind pursuing the parties who they believe are responsible for the policyholder having the event in the first place," Godes said.
Since Warden Grier's alleged hack in 2016, a wave of data breaches at third-party service providers has exposed the vast ripple effects that a breach at one entity can have on every organization whose data it holds, while the number of cyberattacks in which criminals demand ransoms has exploded.
"This is one of those scenarios where one alleged hacking event can exponentially grow into a huge array of problems," said Gold, of Anderson Kill. "Once the cyber genie is out of the bag, you are going to have lots of potential claimants knocking on the door if they believe that you are responsible for the loss of that data."
Communications officials for Hiscox did not respond Monday to a request for comment.
Hiscox is represented by Daniel E. Blegen and Benjamin D. Mooneyham of German May PC.
Warden Grier is represented by Robert A. Horn of Horn Aylward & Bandy LLC.
The case is Hiscox Insurance Co. Inc. et al. v. Warden Grier LLP, case number 4:20-cv-00237, in the U.S. District Court for the Western District of Missouri.