Prominent U.S. law firm Orrick, Herrington & Sutcliffe is embroiled in a new class action lawsuit stemming from a data breach in March 2023. The breach is alleged to have compromised the personal information of over 152,000 individuals, leading to substantial legal and privacy concerns.
The lawsuit was officially filed in the Oakland federal court on Friday, underscoring claims that Orrick failed to promptly notify the affected individuals about the data breach. It wasn’t until June, more than three months after the incident, that the alleged victims were informed. Although the firm eventually reported the breach to various state regulators last month, the delayed notification has raised questions about handling sensitive information.
The breach reportedly involved a vast array of Orrick‘s client data, impacting individuals who held dental plans with Delta Dental of California and those with vision plans via EyeMed Vision Care. The California attorney general’s office shared sample notification letters, shedding light on the scope of the compromised information.
See also: Largest US Law Firms Fall Victim to Devastating Cybersecurity Breach
Interestingly, Orrick had previously represented EyeMed in the aftermath of a significant data breach in 2020, which had compromised personal details of around 2.1 million individuals. In May, EyeMed settled for $2.5 million with several states, including Florida, New Jersey, and Oregon, to address the fallout of the breach.
One of the plaintiffs, Dennis Werley from Stockdale, Texas, detailed his experience in the lawsuit. He reported receiving unsolicited spam calls where the callers possessed sensitive personal information about him. Werley attributed these calls to the breach and raised serious concerns about the safety of his data.
The lawsuit brought forth by Werley highlights that the accessed personal information by the hackers included names, addresses, dates of birth, and Social Security numbers of approximately 152,818 individuals. The lawsuit underscores that the harm inflicted by this breach might not be fully realized yet, leaving room for potential future consequences.
See also: Orrick Law Firm Hires Startup Veterans as Partners for its Technology Practice
In response to the breach, Orrick has offered affected individuals up to two years of identity monitoring services. However, the lawsuit has deemed this offer as “woefully inadequate,” hinting at the perceived severity of the breach and its potential implications for the victims’ personal lives.
Orrick, through its spokesperson, declined to comment on the ongoing litigation. Likewise, Werley and his legal representatives at Green & Noblin and Federman & Sherwood have not provided immediate responses to requests for comments, indicating the complex legal landscape surrounding the issue.
The incident also highlights a growing trend of cybersecurity attacks targeting law firms and other legal service providers, who often hold highly sensitive and confidential client data. A series of law firms, including Cadwalader, Wickersham & Taft; Gibson, Dunn & Crutcher; Loeb & Loeb; and Quinn Emanuel Urquhart & Sullivan, have recently reported cybersecurity incidents to the California attorney general. These attacks have affected either their clients’ data or their own business information and occurred either in 2022 or 2023.
As the lawsuit against Orrick unfolds, the legal and cybersecurity communities closely watch how the case develops and its potential implications for data protection standards and legal responsibilities in the digital age. The incident serves as a stark reminder of the pressing need for robust cybersecurity measures in law firms and other organizations entrusted with safeguarding sensitive information.
Don’t be a silent ninja! Let us know your thoughts in the comment section below.