
TAG Cyber Law Journal

March 2020
SHOULD A LAW FIRM PROMISE THAT A CLIENT’S DATA WON’T BE HACKED?
One firm apparently did, and it probably regrets that now.

By David Hechler
Chinese billionaire and dissident Guo Wengui
IN THE BEGINNING, CYBERSECURITY WAS ALL ABOUT PREVENTION. Then everyone agreed that it wasn’t possible to prevent hacking. The experts acknowledged that it happens to the best of them.
     “It’s not if but when” was the new reality. There was also another way of putting it. “There are two kinds of companies: those that have been hacked, and those that don’t know it yet.”
     The demonstration of strength was how a company reacted after the inevitable breach—which showed how resilient it was. That’s where we seem to be now. But does this rule of thumb apply to everyone—including law firms?
     Should it? Should a law firm let clients know that it’s impossible for any company to promise that there won’t be intrusions?
     One law firm went the other way. Not only did it skip a disclaimer, it told a client it would protect his data from hackers. And now it finds itself facing a lawsuit that cleared a motion to dismiss.
     The suit was unusual in several important respects. It was a high-profile case with international repercussions. The client had anticipated that his information would be targeted by hackers. He specifically asked that his data be stored where it would not be vulnerable to hacking. And he apparently received assurances that it would be.
     The client was Guo Wengui, and he had good reason to fear he would be the target of hackers. A Chinese real estate developer, investor and billionaire, Guo had fled China as a self-described whistleblower and dissident in 2015. Now 50, he has been living in the United States and Europe ever since.   
     In an opinion filed in late February, District Court Judge James Boasberg of the District of Columbia found that Guo (whom he mistakenly referred to using his given name—Wengui—rather than his surname) had been threatened by the Chinese government after he exposed systemic corruption in his homeland. And the Chinese government orchestrated further harassment against him in the United States, the judge wrote. That led Guo to seek political asylum.
     In 2016 he hired Thomas Ragland, a partner at Clark Hill, PLC, to represent him in his application for asylum. And he warned his attorney that, as a prominent Chinese dissident, he had been subjected to persistent cyberattacks, and that more should be expected. Ragland and his firm agreed to take “special precautions” to prevent disclosure of his sensitive information, Boasberg wrote, and the information would not be placed on the firm’s computer server, “as doing so would make the information more vulnerable to hackings.”
     The following year, the law firm’s network was indeed hacked. Both sides agree that China was responsible, and the hackers obtained “a substantial amount” of personal information about Guo and his wife. They also obtained his asylum petition, and they published all of it on social media.
     Clark Hill and its lawyers withdrew from the case. They explained to Guo that they had to, since they might be called as witnesses in his asylum proceeding and that would create a conflict if they continued to serve as his advocate.
    Guo sued, alleging that the firm and Ragland had breached their fiduciary duty, breached their contract with him and had committed legal malpractice. He also asked for punitive damages. The defendants moved to dismiss all counts, arguing that Guo had failed to state a claim. Neither the withdrawal nor the attack was a ground for legal malpractice, breach of fiduciary duty or breach of contract, they argued. And even if the allegations were true, the cyberattack did no harm.

The Judge's Reasoning
Boasberg found that Guo had sufficiently pleaded that the defendants breached their duties of loyalty and good faith “by misrepresenting the manner in which they would protect his confidential information in order to secure his business.” They put the information on their server “and conveyed it via a firm email account—in direct contravention of his instructions,” the judge wrote. And Guo’s complaint also included details about the damage he had suffered, leading Boasberg to reject “defendants’ invitation to find that the cyber attack did not actually harm plaintiff as a matter of law.”
     The judge added: “Discovery may reveal that defendants never made any such misrepresentations to plaintiff and were not negligent in their handling of his confidential information, but the well-pleaded allegations in the complaint preclude granting defendants’ motion to dismiss.”
     Boasberg also allowed the malpractice claim to stand. The law firm failed “to use the required degree of professional care and skill in representing plaintiff” and failed to maintain “reasonable security measures to secure their computer system from unauthorized access, as required and promised to plaintiff.” For similar reasons, he refused to dismiss the breach of contract claim.
     The judge dismissed the remaining claims. The law firm explained it was obliged to withdraw from the representation, citing rules of professional conduct. Boasberg didn’t need to consider that argument, he said, because Guo failed to show how the withdrawal harmed him. And the judge quickly dismissed punitive damages, which “are a form of relief, not a stand-alone cause of action,” he wrote. Moreover, they require the violation of plaintiff’s rights in an “intentional, deliberate, [and] outrageous” manner, which Guo did not actually allege, the judge concluded.
     The case, previously reported by Bloomberg, still has a ways to go before it’s resolved. But it’s not too soon to draw lessons.
     Don’t make promises that you can’t keep. If you guarantee that documents will be secure, that’s tantamount to promising that they won’t be shared on the internet—as Clark Hill apparently did. But it’s hard to function off the grid. It’s possible to mail and fax documents, but that’s not expected or necessarily appreciated by lawyers and judges. In fact, some courts require electronic filing. 
     Even in courts that don’t, this may not be possible to control. If one lawyer makes a promise, he may find it difficult to be sure that everyone involved will follow suit, including partners, associates, paralegals, secretaries—and lawyers on the other side.
     As a group, lawyers have not been known as leaders in the world of technology. In fact, they’ve been known as laggards. The best policy for most is probably to under-promise and aim to over-deliver. Otherwise, they may end up practicing their litigation skills on the wrong end of a lawsuit.