Law firm Orrick hit with class action over data breach

Orrick, Herrington & Sutcliffe LLP is being sued in a putative class–action lawsuit in federal district court in which it is charged with inadequate cybersecurity and not informing 152,818 clients of a cyber breach that revealed their personally identifiable information until four months after its discovery.

The San Francisco-based law firm issued a statement in July in which it said it had experienced a cybersecurity event in March that involved some of its clients’ data, including that of Delta Dental of California, for which it served as legal counsel.

It said the breach may have revealed names, addresses, dates of birth, dental insurance policy, health care provider information and “limited” dental diagnosis and treatment-related data.

It said no plan participant records containing Social Security numbers or financial account or payment card information were involved, and that it was unaware of any misuse of plan participant information.

However, the lawsuit says the hackers obtained information including Social Security numbers, according to the complaint filed in U.S. District Court in Oakland, California, in Dennis R. Werley vs. Orrick, Herrington & Sutcliffe International LLP.

It says since the data breach, Mr. Werley and others have experienced “a flood of spam telephone calls.”

The lawsuit says the law firm had stored unencrypted PII in an “Internet-accessible environment” and did not follow the federal government’s recommended cybersecurity measures.

It charges the law firm with negligence, breach of fiduciary duties, breach of confidence, breach of implied contract and invasion of privacy and seeks injunctive and declaratory relief.

A law firm spokesman had no comment.