An insurance company had hired a law firm to provide legal services on behalf of itself and its insureds. The law firm experienced a data breach and did not notify the insurance company, which was a breach of their contract. The insurance company also alleges that the law firm did not have appropriate security measures in place to protect personal information and did not conduct prompt investigations.
Over the course of the contract, the law firm received, created and obtained highly confidential information, including protected health information and personally identifiable information about the insurance company and its patrons. The contract between the two companies stated that the law firm was obligated to take adequate measures to protect sensitive information and to notify the insurance company of any failure to maintain the confidentiality of personal information.
The Breach
An international hacker organization gained unauthorized access to the law firm’s computer system containing highly sensitive information. Following this incident, the insurance company alleges that the law firm not only actively concealed the breach but also failed to hire a forensic IT team to investigate it. The insurance company eventually found out about the breach through social media.
Breach of Contract
The insurance company alleges that the law firm broke their contract by failing to do a number of things. It should have had appropriate security measures in place. It had a responsibility to notify the company and its insureds about the data breach once it had discovered the situation. Lastly, it should have conducted a thorough investigation after the data breach occurred.
The attorney-client relationship that existed between the two parties was governed by the terms of engagement and implied contract. The insurance company paid the law firm for services rendered on its behalf and on behalf of its customers. It alleges that the law firm breached the terms of engagement and all implied contracts by failing to protect their personal information.
The insurance company further claims that the Defendant breached its fiduciary duty by failing to preserve and protect the personal information of the company and its patrons. It also argues that the Defendant had a duty of reasonable care to protect the information. The Defendant breached this duty by failing to protect the data, failing to promptly investigate the breach, and failing to notify the insurance company and its insureds.
Prayer for Relief
The insurance company has asked that the Court award it:
- Past and future actual damages
- Consequential damages
- Punitive damages
Here at Value Privacy, we can assess your security systems and determine where you might be at risk. Once the risks have been discovered, we can create and execute an action plan to fix those weak spots and make sure your security is as robust as it can be. Contact us today to find out how we can help your company.