WESTERN DISTRICT OF MISSOURI
WESTERN DIVISION

Case No.

Division No.

HISCOX INSURANCE COMPANY INC.
and HISCOX SYNDICATES LIMITED

Plaintiffs,

vs.

WARDEN GRIER, LLP
Serve at: James Michael Grier
2702 W 66th Terrace
Mission Hills, KS 66208

Defendant.

COMPLAINT

Plaintiffs, Hiscox Insurance Company Inc. and Hiscox Syndicates Limited (collectively, “Hiscox”), for their Complaint against Defendant, Warden Grier, LLP (“Warden Grier”), state and allege as follows.

PARTIES

Plaintiffs

1. Hiscox Insurance Company Inc. is an Illinois corporation with its principal place of business in Chicago, Illinois.

2. Hiscox Syndicates Limited is a private limited company formed under the laws of England and Wales and equivalent to a corporation for diversity purposes. Its principal place of business is in London, England.

Defendant

3. Upon information and belief, Warden Grier was, at all material times, a limited liability partnership existing under the laws of the State of Missouri at the time of the alleged wrongdoing herein, with its principal place of business in Jackson County, Missouri, and maintains an office in Jackson County, Missouri. At the time of this Complaint, Warden Grier is a limited liability partnership existing under the laws of the State of Kansas with an office in Johnson County, Kansas. Each of its partners is domiciled in Missouri or Kansas.

Case 4:20-cv-00237-NKL Document 1 Filed 03/27/20 Page 1 of 10

JURISDICTION AND VENUE

4. This Court has jurisdiction over this matter pursuant to 28 U.S.C. § 1332 because there is diversity of citizenship between the parties and the matter in controversy exceeds the sum of $75,000.00, exclusive of interest and costs.

5. Venue is proper in the United States District Court for the Western District of Missouri, pursuant to 28 U.S.C. § 1391 because a substantial part of the events or omissions giving rise to this action occurred in this judicial district.

FACTUAL ALLEGATIONS

Attorney-Client Relationship

6. Hiscox is an insurance provider that insures risks throughout the United States, among other places. To that end, Hiscox retains service providers, such as law firms, as and when necessary to represent its interests and/or the interests of persons and entities insured under insurance policies Hiscox issues.

7. As early as 2002, Hiscox entered into a working relationship with Warden Grier to render professional legal services on behalf of Hiscox, and on behalf of Hiscox’s insureds. This attorney-client relationship remains in effect.

8. The relationship between Hiscox and Warden Grier was memorialized and governed, in part, by two separate contracts: (i) “Lawyers Terms of Engagement Non-Marine First Party Business, Effective 1st April 2011”; and (ii) “Lawyers Terms of Engagement Non-Marine Casualty Business, Effective 1 May 2011,” both of which were signed by Hiscox and Warden Grier in 2011 (collectively, “Terms of Engagement”). Copies of the Terms of Engagement will be filed under seal and marked as Exhibit A and Exhibit B, respectively.

9. During this attorney-client relationship, Warden Grier requested, received, created, and/or otherwise obtained highly sensitive, confidential, and proprietary information, including protected health and personally identifiable information belonging to Hiscox and/or Hiscox’s insureds (collectively, “PI”), all of whom were the clients of Warden Grier.

10. As per its contractual, legal, ethical, and fiduciary duties, Warden Grier was obligated to take adequate measures to protect sensitive PI belonging to its clients, including Hiscox and Hiscox’s insureds, and to notify Hiscox of any failure to maintain the confidentiality of PI belonging to Hiscox and its insureds.

2016 Data Breach at Warden Grier

11. On or around December 2016, an international hacker organization known as “The Dark Overlord” (“Hackers”) gained unauthorized access to Warden Grier’s computer system containing all of the sensitive information, including PI, stored on Warden Grier’s servers (the “2016 Data Breach”).

12. On information and belief, Hiscox understands that Warden Grier contacted outside attorneys and the FBI to investigate the matter, but did not hire a forensic IT firm to investigate the 2016 Data Breach or, if it did, has refused to provide Hiscox with the findings of any such investigation.

13. Despite being aware of the 2016 Data Breach, Warden Grier actively concealed or otherwise did not notify Hiscox or Hiscox’s insureds—all of whom were Warden Grier’s clients—of the 2016 Data Breach.

Warden Grier’s Payment of the Hackers’ Demand

14. At some point, Warden Grier learned that the Hackers stole PI during or as a result of the 2016 Data Breach.

15. Warden Grier paid the Hackers a ransom or other demand to protect its and its clients’ personal information from dissemination.

16. Warden Grier did not notify Hiscox or Hiscox’s insureds—all of whom were Warden Grier’s clients—of the payment of any ransom or other demand resulting from the 2016 Data Breach.

Hiscox’s Accidental Discovery of the 2016 Data Breach

17. On March 28, 2018, an employee at Hiscox learned by happenstance, through social media, that some of Hiscox’s PI had been leaked on the “dark web.”

18. After a preliminary investigation, Hiscox learned that the PI made its way to the “dark web” as a result of the 2016 Data Breach.

19. On March 31, 2018, Hiscox requested a call with Warden Grier about the situation. On the subsequent call, Hiscox for the first time learned the details of the 2016 Data Breach.

20. Given that Warden Grier either had conducted no forensic investigation or otherwise refused to share such findings with Hiscox, Hiscox promptly commenced its own investigation to evaluate whether it may have any notification obligations given the sensitive nature of the information in Warden Grier’s possession and Warden Grier’s failure to: (i) protect that information; (ii) properly investigate the 2016 Data Breach; and (iii) notify Hiscox and its insureds of the 2016 Data Breach.

21. Hiscox decided to notify its insureds—also clients of Warden Grier—of the 2016 Data Breach, and to engage in efforts to protect against further exposure or dissemination of PI.

22. As a direct result of Warden Grier’s conduct as described herein, Hiscox has suffered significant internal operational losses and costs and has incurred damages in excess of $1,500,000.00, including, but not limited to: (1) costs and fees Hiscox incurred to conduct a thorough investigation of the 2016 Data Breach; and (2) costs and fees Hiscox incurred to make the necessary notifications and accommodations and to protect affected persons (i.e., Warden Grier’s clients) against harm from future PI dissemination. Hiscox continues to incur such damages as additional necessary protective steps are taken.

Warden Grier Refuses to Accept Liability

23. To date, Warden Grier has refused to accept any responsibility for the 2016 Data Breach and its failure to notify Hiscox and Hiscox’s insureds of the 2016 Data Breach.

CAUSES OF ACTION

COUNT I
BREACH OF CONTRACT

24. Hiscox realleges and reincorporates paragraphs 1-23 as if fully stated herein, and further alleges as follows:

25. At all relevant times, an attorney-client relationship existed between Hiscox and Warden Grier as established in the Terms of Engagement.

26. Under the Terms of Engagement, Warden Grier had a contractual duty to protect Hiscox’s PI.

27. The Terms of Engagement require, among other things, that Warden Grier “retain either the originals or copies of all file documents relating to the claim,” and Warden Grier further agreed in those contracts to “have in place an appropriate disaster recovery plan with appropriate back-up to ensure the continuity of services in the event of a disaster.” See Exhibits A and B at p. 10.

28. Implicit in the Terms of Engagement, and explicit in Warden Grier’s ethical obligations per the MISSOURI RULES OF PROFESSIONAL CONDUCT and the AMERICAN BAR ASSOCIATION MODEL RULES, is a duty on the part of Warden Grier to keep secure client PI. See, e.g., MO. RULE 4-1.6, stating that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of the client,” and Paragraph 8 of the Comment to ABA MODEL RULE 1.1, which states that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks of technology ….”

29. The Terms of Engagement contemplate that Warden Grier will “retain” client information and, further, will have measures in place to respond to catastrophic events, such as the 2016 Data Breach.

30. Warden Grier materially breached the Terms of Engagement by failing to protect Hiscox’s PI.

31. Warden Grier materially breached the Terms of Engagement by failing to have appropriate measures in place to respond to the 2016 Data Breach, including conducting a prompt and adequate investigation into the 2016 Data Breach and notifying Hiscox of the 2016 Data Breach, and by failing to notify Hiscox and its insureds of the 2016 Data Breach.

32. Warden Grier’s breach of its obligations under the Terms of Engagement caused damages as described in Paragraph 22 above, and in an additional amount to be proven at trial.

COUNT II
BREACH OF IMPLIED CONTRACT
(IN THE ALTERNATIVE)

33. Hiscox realleges and reincorporates paragraphs 1-32 as if fully stated herein, and further alleges as follows:

34. At all relevant times, an attorney-client relationship existed between Hiscox and Warden Grier.

35. This attorney-client relationship was governed by the Terms of Engagement and by implied contract. Hiscox paid Warden Grier for services rendered on its behalf and on behalf of Hiscox insureds.

36. Warden Grier materially breached the Terms of Engagement and all implied contracts by failing to protect Hiscox’s PI.

37. Warden Grier materially breached the Terms of Engagement and all implied contracts by failing to have appropriate measures in place to respond to the 2016 Data Breach, including conducting a prompt and adequate investigation into the 2016 Data Breach and notifying Hiscox of the 2016 Data Breach, and by failing to notify Hiscox and its insureds of the 2016 Data Breach.

38. Warden Grier’s breach of its obligations under the Terms of Engagement and all implied contracts caused damages as described in Paragraph 22 above, and in an additional amount to be proven at trial.

COUNT III
BREACH OF FIDUCIARY DUTY

39. Hiscox realleges and reincorporates paragraphs 1-38 as if fully stated herein, and further alleges as follows:

40. At all relevant times, an attorney-client relationship existed between Hiscox and Warden Grier.

41. As Hiscox’s legal representation, Warden Grier was a fiduciary of Hiscox and, as such, Warden Grier owed fiduciary duties to preserve and protect Hiscox’s and its insureds’ interests.

42. Warden Grier’s conduct as described herein, namely, its failure to protect the PI, to adequately investigate the 2016 Data Breach and to advise Hiscox that its PI had been compromised, constituted a breach of Warden Grier’s fiduciary duties.

43. Warden Grier’s breach of fiduciary duties caused damages to Hiscox as described in Paragraph 22, and in an additional amount to be proven at trial.

COUNT IV
NEGLIGENCE

44. Hiscox realleges and reincorporates paragraphs 1-43 as if fully stated herein, and further alleges as follows:

45. At all relevant times, an attorney-client relationship existed between Hiscox and Warden Grier and, as its legal representation, Warden Grier owed a duty of reasonable care to protect client PI, including PI belonging to Hiscox and its insureds.

46. Hiscox understood and expected that Warden Grier would, in accordance with its obligations under the Terms of Engagement, statutory requirements related to privacy protection, common law fiduciary duties, and ethical duties as Hiscox’s legal representation, promptly and adequately investigate and notify Hiscox and other firm clients (including Hiscox-insured clients) of any such data breach.

47. Hiscox further understood and expected that Warden Grier would respond to any such event in accordance with RSMo. §407.1500, et seq., which require “notice to the affected consumer that there has been a breach of security following discovery or notification of the breach.”

48. Warden Grier breached these separately owed duties when it failed to promptly and adequately investigate and notify Hiscox or any of its Hiscox-insured clients of the 2016 Data Breach.

49. Warden Grier’s conduct as described herein, namely, its failure to protect the PI, to adequately investigate the 2016 Data Breach, and to advise Hiscox that PI was compromised, constituted a breach of that duty of reasonable care.

50. Warden Grier’s conduct as described herein was the proximate cause of damages to Hiscox as described in Paragraph 22, and in an additional amount to be proven at trial.

JURY DEMAND

51. Hiscox requests a trial by jury on all issues so triable.

PRAYER FOR RELIEF

WHEREFORE, Hiscox requests that, after a jury trial, this Court enter a judgment against Warden Grier, awarding Hiscox its past and future actual damages, consequential damages, attorneys’ fees, punitive damages, interest, and court costs and awarding any such further relief as the Court may deem to be appropriate.

Dated: March 27, 2020

Respectfully submitted,

GERMAN MAY PC

By /s/ Daniel E. Blegen
Daniel E. Blegen MO # 47276
Benjamin D. Mooneyham MO # 65341
1201 Walnut Street, Suite 2000
Kansas City, MO 64106
(816) 471-7700
(816) 471-2221 fax
Email: DanB@germanmay.com
Email: BenM@germanmay.com

ATTORNEYS FOR PLAINTIFFS