On March 31, 2022, a federal jury in Kansas City cleared law firm Warden Grier LLP of liability to one of its clients, Hiscox Insurance, after Warden Grier suffered a data breach.  After discovering the breach, Warden Grier identified which of its files relating to Hiscox may have been impacted and provided Hiscox access to those files.  However, Warden Grier declined to do any further analysis of the data, such as analyzing any personally identifiable information (PII) in the Hiscox files to determine whether individuals needed to be notified of the breach, leaving that responsibility to Hiscox.

Hiscox sought over $1.3 million in compensatory damages, as well as punitive damages, to cover data analyses and legal bills it incurred resulting from the data breach, arguing that Warden Grier was negligent by failing to analyze the Hiscox PII.  In Hiscox’s view, Warden Grier was responsible for analyzing the breached data and for telling Hiscox which individuals had been impacted. 

Warden Grier’s counsel argued to the jury that Hiscox was confusing the roles of “service providers” and “data owners.”  Here, Warden Grier argued it was a “service provider” under applicable data breach laws and industry norms, and thus its role was to provide Hiscox with access to impacted data, which it had done.  Warden Grier further argued that as a “data owner”  Hiscox was responsible for analyzing the data, identifying individuals who had to be notified, and carrying out the notification.  Therefore, according to Warden Grier, Hiscox was not harmed because the analysis it performed was analysis it was required to do.  After less than two hours of deliberation, the jury returned a verdict in favor of Warden Grier.

The jury’s decision to clear Warden Grier of liability has implications that extend beyond the facts of this case and provide guidance to companies and practitioners alike:

• The trial reaffirms what many practitioners previously believed: service providers may have a responsibility to provide data owners with access to data impacted in a breach, but the responsibility to analyze the data and make notification decisions usually lies with data owners, absent contractual terms shifting that responsibility.
• While this case occurred in the context of an attorney-client relationship, the decision may be indicative of how juries would view the division of responsibility between service providers and data owners in other relationships. 
• The case underscores the importance of thinking ahead about the allocation of responsibility and costs between data owners and vendors and addressing that allocation—such as through specific, delineated contractual responsibilities and indemnification clauses. 
• Importantly, this case does not provide guidance on the standard of care related to data security measures before a breach.