When you think about data breaches and cyber security lapses, what’s the first thing that comes to your mind? WikiLeaks? Yahoo? Target or some other big retailer? Obviously, retail, financial and social media-related entities possess a treasure trove of sensitive customer information that data pirates would love to access. But what about law, accounting and engineering firms and other professional service providers? Are they potential targets?
The Panama Papers answer that question.
Earlier this year, the obscure Panamanian law firm of Mossack Fonseca was the victim of a nightmare-scenario data breach. During the course of several decades, the firm had provided complex tax advice involving the creation of offshore entities to a number of high-net-worth celebrities, politicians and athletes.
While the source and methodology behind the breach are not clear (Fonseca believes it may have been an inside job originating from its Switzerland office), it is known that Fonseca was using outdated versions of open source, web server software. Suddenly, tax avoidance strategies recommended by the firm to its powerful clientele were posted across the web. While most, if not all, of the advice may have been perfectly legal, at a minimum the breach was a huge source of embarrassment to the firm’s clients.
While most professional service providers don’t have soccer star Lionel Messi’s tax returns, they may have sensitive information related to their clients or third parties. For example, there may be Social security numbers, medical records and sensitive financial information stored electronically on any given firm’s information technology system. What if the system is compromised and that information ends up in the hands of hackers? Would the party whose information is wrongfully accessed have a cause of action against the firm based on an increased risk of identity theft?
It would depend on the facts. For example, in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), the 9th U.S. Circuit Court of Appeals held that the possibility of future injury may be sufficient to confer standing on a plaintiff if she has alleged “a credible threat of real and immediate harm …” Id. at 1142–43. The “real and immediate harm” in Krottner consisted of an allegation that someone had tried to open a bank account using the personal details of one of the plaintiffs. However, where there is no concrete allegation that the information has been or will be used, the increased risk of identity theft may be too speculative to confer standing on the plaintiff. See Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011).
There are multiple issues that have to be addressed when defending a professional who has been the victim of a data breach. Items such as a forensic examination of the compromised IT system, notice to clients and others impacted by the breach, statutory obligations, regulatory requirements and public relations concerns will need to be analyzed. With the ever-evolving legal landscape and the increasing threat to data from nefarious actors, the professional liability practitioner must be up to speed on defending a cyber liability case.
Ashley Parrish is the partner in charge of the Dallas office of Cantey Hanger and devotes his practice to professional liability, commercial litigation and products liability matters. He can be reached at aparrish@canteyhanger.com.