Attorneys Must Face Malpractice Claims For Failure To Protect Client Info From Cyber Attack

A recent decision from the District of Columbia further supports the continuing trend towards imposing attorney liability for failing to protect client information.

In Wengui v. Clark Hill, PLC, et al., No. 19-cv-3195 (D.D.C. Feb. 20, 2020), the plaintiff, a Chinese businessman and prominent political dissident, retained the Clark Hill law firm to represent him in applying for political asylum in the United States. The client alleged that he had warned the firm that the Chinese government had organized a “malicious negative propaganda campaign” against the client that had included cyber attacks. The client further alleged that the firm assured the client that the firm was “qualified, capable, and competent” to represent the client and protect his interests.

During the representation, a third party hacked into the law firm’s computer servers and published the plaintiff’s confidential information on the internet. The client filed an action against the firm, contending that the attorneys are liable for legal malpractice, breach of fiduciary duty and breach of contract as a result of the firm allegedly leaving the client’s information vulnerable to hacking. The firm moved to dismiss the client’s complaint, arguing that the client failed to state a plausible claim for relief against the firm.

In evaluating the client’s breach of fiduciary duty claim, the court noted that the fiduciary relationship between a lawyer and a client “is founded upon trust or confidence reposed by one person in the integrity and fidelity of another” (quoting Democracy Partners v. Project Veritas Action Fund, 285 F. Supp.3d 109, 121 (D.D.C. 2018)). The court found that the client sufficiently pleaded that the firm breached its duties of loyalty and good faith by misrepresenting the manner in which it would protect the client’s confidential information in order to secure the client’s business.

The court also upheld the client’s legal malpractice claim, finding that the client sufficiently alleged that the firm breached its professional and ethical obligations to the client by failing to maintain reasonable security measures to secure its computer system from unauthorized access.

The Clark Hill case involved special circumstances because the client warned the attorneys that there would likely be a cyber attack. The court, however, used a general ‘reasonable care’ standard for protecting client information. In short, if an attorney gets hacked and the client gets injured as a result, then the client is going to have a potentially valid malpractice/breach of fiduciary duty claim that is not subject to an early dismissal.

To discuss legal malpractice or commercial litigation matters with this article’s author, please contact:

Jonathan P. Vuotto, Esq.

jpv@mcandrewvuotto.com
