Typically this is not something I would write about but this particular case is interesting. On March 27th, Hiscox Insurance Company Inc. filed a complaint against law firm Warden Grier for concealing a data breach that occurred back in 2016. The complaint alleges that Warden Grier chose not to disclose the data breach to Hiscox, thereby breaching a contract between the two parties. For a while I have been wondering when we would see a case such as this. I honestly thought it would be in the UK first.
In 2016, Warden Grier was subjected to an attack from a hacking collective known as "The Dark Overlord". The collective allegedly succeeded in gaining access to the firm’s servers and would have had access to sensitive and personal information belonging to Hiscox and their clients. Warden Grier allegedly paid a ransom to the hackers so they would not disseminate the information.
Warden Grier contacted the FBI and outside attorneys to investigate, but they did not inform Hiscox of the matter. In doing so, they clearly demonstrated a lack of judgement and, by not informing the data owners, breached several Data Protection Laws.
Hiscox learned of this on March 28, 2018, when one of its employees “learned by happenstance, through social media,” that some of the personal information “had been leaked on the ‘dark web.’”
It is an interesting case, one that I will be watching closely. Warden Grier, in my opinion, showed reckless regard for the safety of sensitive information and knowingly breached Data Protection laws in the US and most probably in the EU. Could this be the opening of the floodgates for multiple lawsuits for third-party data breaches?
I will keep you posted. But in the meantime, if you want more information, read through this article.