First data security class action against law firm is sent to individual arbitration

The first filed privacy class law against a law firm was sent to arbitration.

On April 15, 2016, Plaintiffs filed the first class action complaint against a law firm for “systematically exposing confidential client information and storing client data without adequate security”.

The complaint accuses Johnson & Bell, a mid-sized Chicago firm, of failing to keep its clients’ information secure. Allegedly, the firm’s computer systems suffered from critical vulnerabilities in its internet-accessible web services and, as a result, the clients’ entrusted confidential information “has been exposed and is at great risk of further unauthorized disclosure (if it hasn’t already been disclosed).” The lawsuit makes no claim that client information had actually been stolen or misused.

Plaintiff requested a preliminary injunction enjoying defendant from exposing its clients’ confidential information and communication through it portals and networks. In addition, Plaintiffs sought an order declaring that Defendant’s conduct constituted “legal malpractice, breach of contract, negligence, unjust enrichment, and/or breach of fiduciary duty”, and awarding, among other items, attorneys’ fees and expenses as well as further equity reliefs.

On February 22, 2017, the Illinois District Court ruled that the claim must be heard individually in arbitration, and there is no basis for class arbitration.

Jay Edelson, who filed the class-action, said he identified several other firms with data security gaps. See here. So far no other complaints against law firms have become public.

Shore v. Johnson & Bell, 2017 U.S. Dist. LEXIS 25612 (N.D. Ill. Feb. 22, 2017) is available (with subscription) at


For more information on how security breaches could lead to malpractice actions, contact Francesca Giannoni-Crystal


Follow us on& Like us on