Lawsuit Alleges Firm's Failed Security Measures Enabled Data Breach
Law firm Kelley Drye failed to properly train employees on cybersecurity or maintain reasonable security safeguards, which allowed a data breach that exposed thousands of customers' personal information, a class-action lawsuit filed Tuesday in New York state court alleged. Additionally, plaintiff Ratna Kanhai claims Kelley Drye didn't report the breach promptly, and that the eventual notification was intentionally confusing.
The law firm understood its obligation to protect collected data, the complaint said. Despite this, Kelley Drye "has not implemented [reasonable] cybersecurity safeguards or policies to protect the PII in its care or trained its IT or data security employees to prevent, detect, and stop breaches of its systems," resulting in "significant vulnerabilities in its systems for cybercriminals to exploit and gain access to its clients', employees' and others' PII."
Kelley Drye is also a well-known player in the privacy and information security arena, advising clients, hosting podcasts and creating blog posts on related issues. The firm did not respond to a request for comment.
In March, the law firm discovered an unauthorized third party had accessed its network and obtained data from internal systems. According to a sample notification letter from the firm, attached to a breach report by the Vermont attorney general's office on May 27, upon discovering the incident, Kelley Drye "immediately initiated [its] incident response plan and engaged Norton Rose Fulbright to lead an investigation and engage leading third-party forensic experts to investigate and contain the incident."
The firm "employs intentionally confusing language in its Breach Notice, claiming that an 'unknown third party' 'obtained' a 'subset' of data from its systems and that it 'recovered the data,'" the complaint said. "This 'disclosure' amounts to no real disclosure at all, as it fails to inform, with any degree of specificity, Plaintiff and Class Members of the Data Breach’s critical facts."
The class-action complaint alleges claims of negligence, invasion of privacy, breach of implied contract and fiduciary duty and unjust enrichment.
Kelley Drye is offering victims free credit monitoring for two years. The sample notification letter didn't indicate how many individuals were impacted, or what information was exposed.
The firm has "recovered the data and [has] a high degree of confidence that the data will never be posted, disclosed, or used," but "in an abundance of caution, [they will] continue to monitor the dark web for the data," the letter added. In her complaint, Kanhai alleges that "recovering the data" means Kelley Drye paid a ransom.