Export Compliance Daily is a Warren News publication.
Warnings Took 7 Months

Law Firm That Defends Data Breach Suits Faces Its Own Class Action

Orrick Herrington, the global law firm that has defended data breach clients, failed to implement cybersecurity measures of its own in a 2023 breach, said a class action Monday (docket 3:23-cv-06264) in U.S. District Court for Northern California in San Francisco.



Between Feb. 28 and March 13, criminal hackers “infiltrated and freely accessed [Orrick’s] inadequately protected computer systems” and stole the personally identifiable information (PII) of more than 461,100 individuals, said the complaint. Cybercriminals gained unauthorized access to Orrick’s systems, including a file sharing network it used to store client files, it said.

Plaintiff Kimberly McCauley, a Phoenix resident, entrusted her PII to Orrick or one of its clients, said the complaint. She received a letter dated Oct. 31 from Orrick informing her that her name and Social Security number were disclosed to an unknown actor as a result of the breach, it said. Knowing that McCauley and many class members were "in danger," Orrick “did nothing to warn Plaintiff and Class Members until seven months later,” it said. “During this time, the cyber criminals had free reign to surveil and defraud their unsuspecting victims,” including McCauley and class members, it said.

Since the data breach, McCauley has seen a “significant increase” in the volume of spam calls and text messages she receives, “including calls from auto dealers and power washing companies as well as text messages for Ohio voting,” though she has never lived in Ohio, the complaint said. She spent “well over 80 hours” responding to the breach, including reviewing financial accounts and credit reports, it said.

On Oct. 20, McCauley received a letter in the mail from American Express confirming approval of a credit card application she didn’t submit, the complaint said. She discovered from a credit report that Bank of America conducted a “hard inquiry” on her credit Aug. 11 and allowed an unknown person to open a credit card in her name, the complaint said. McCauley has spent hours responding to the breach, including researching and enrolling in credit monitoring and identity theft protection services, reviewing credit reports and “mitigating fraud and identity theft,” it said.

McCauley has never knowingly transmitted unencrypted sensitive PII over the internet or any other unsecured source, the complaint said. She stores documents containing her PII in “safe and secure locations or destroys such documents,” and she “diligently chooses unique usernames and passwords for her various online accounts,” it said. McCauley has a continuing interest in ensuring that her PII, which remains backed up in Orrick’s possession, is “protected and safeguarded from future breaches,” it said.

In the years preceding the breach, Orrick knew or should have known that its computer systems were a target for cybersecurity attacks “because warnings were readily available and accessible via the internet.” Moreover, the law firm “defends clients against data breach lawsuits,” the complaint said.

Orrick’s offer of two years of identity monitoring to McCauley and class members “is woefully inadequate,” said the complaint. “While some harm has begun already, the worst may be yet to come,” it said. There may be a time lag between when PII is stolen and when it is used, and between when harm occurs and when it is discovered, the complaint noted. Also, identity monitoring “only alerts someone to the fact that they have already been the victim of identity theft,” but doesn’t prevent it, the complaint said.

Causes of action are negligence and negligence per se; breach of fiduciary duties, confidence and implied contract; and invasion of privacy, the complaint said. Plaintiff seeks for herself and the class orders requiring Orrick to implement and maintain reasonable security measures; enjoining it from engaging in the wrongful conduct described; and requiring it to pay for lifetime credit monitoring services. She seeks awards of actual, statutory, nominal and consequential damages; attorneys’ fees and costs; and pre- and post-judgment interest.