throbber
UNITED STATES DISTRICT COURT
`WESTERN DISTRICT OF MISSOURI
`WESTERN DIVISION
`
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`
`
`
`
`
`Case No.
`
`Division No.
`
`HISCOX INSURANCE COMPANY INC.
`and HISCOX SYNDICATES LIMITED
`
`Plaintiffs,
`
`vs.
`
`WARDEN GRIER, LLP
`Serve at: James Michael Grier
`2702 W 66th Terrace
`Mission Hills, KS 66208
`
`Defendant.
`
`
`
`COMPLAINT
`
`Plaintiffs, Hiscox Insurance Company Inc. and Hiscox Syndicates Limited (collectively,
`
`“Hiscox”), for their Complaint against Defendant, Warden Grier, LLP (“Warden Grier”), state
`
`and allege as follows.
`
`Plaintiffs
`
`PARTIES
`
`1.
`
`Hiscox Insurance Company Inc. is an Illinois corporation with its principal place
`
`of business in Chicago, Illinois.
`
`2.
`
`Hiscox Syndicates Limited is a private limited company formed under the laws of
`
`England and Wales and equivalent to a corporation for diversity purposes. Its principal place of
`
`business is in London, England.
`
`Defendant
`
`3.
`
`Upon information and belief, Warden Grier was, at all material times, a limited
`
`liability partnership existing under the laws of the State of Missouri at the time of the alleged
`
`wrongdoing herein, with its principal place of business in Jackson County, Missouri, and
`
`Case 4:20-cv-00237-NKL Document 1 Filed 03/27/20 Page 1 of 10
`1
`
`

`

`maintains an office in Jackson County, Missouri. At the time of this Complaint, Warden Grier is
`
`a limited liability partnership existing under the laws of the State of Kansas with an office in
`
`Johnson County, Kansas. Each of its partners is domiciled in Missouri or Kansas.
`
`JURISDICTION AND VENUE
`
`4.
`
`This Court has jurisdiction over this matter pursuant to 28 U.S.C. § 1332 because
`
`there is diversity of citizenship between the parties and the matter in controversy exceeds the
`
`sum of $75,000.00, exclusive of interest and costs.
`
`5.
`
`Venue is proper in the United States District Court for the Western District of
`
`Missouri, pursuant to 28 U.S.C. § 1391 because a substantial part of the events or omissions
`
`giving rise to this action occurred in this judicial district.
`
`FACTUAL ALLEGATIONS
`
`Attorney-Client Relationship
`
`6.
`
`Hiscox is an insurance provider that insures risks throughout the United States,
`
`among other places. To that end, Hiscox retains service providers, such as law firms, as and
`
`when necessary to represent its interests and/or the interests of persons and entities insured under
`
`insurance policies Hiscox issues.
`
`7.
`
`As early as 2002, Hiscox entered into a working relationship with Warden Grier
`
`to render professional legal services on behalf of Hiscox, and on behalf of Hiscox’s insureds.
`
`This attorney-client relationship remains in effect.
`
`8.
`
`The relationship between Hiscox and Warden Grier was memorialized and
`
`governed, in part, by two separate contracts: (i) “Lawyers Terms of Engagement Non-Marine
`
`First Party Business, Effective 1st April 2011”; and (ii) “Lawyers Terms of Engagement Non-
`
`Marine Casualty Business, Effective 1 May 2011,” both of which were signed by Hiscox and
`
`Case 4:20-cv-00237-NKL Document 1 Filed 03/27/20 Page 2 of 10
`2
`
`

`

`Warden Grier in 2011 (collectively, “Terms of Engagement”). Copies of the Terms of
`
`Engagement will be filed under seal and marked as Exhibit A and Exhibit B, respectively.
`
`9.
`
`During this attorney-client relationship, Warden Grier requested, received,
`
`created, and/or otherwise obtained highly sensitive, confidential, and proprietary information,
`
`including protected health and personally identifiable information belonging to Hiscox and/or
`
`Hiscox’s insureds (collectively, “PI”), all of whom were the clients of Warden Grier.
`
`10.
`
`As per its contractual, legal, ethical, and fiduciary duties, Warden Grier was
`
`obligated to take adequate measures to protect sensitive PI belonging to its clients, including
`
`Hiscox and Hiscox’s insureds, and to notify Hiscox of any failure to maintain the confidentiality
`
`of PI belonging to Hiscox and its insureds.
`
`2016 Data Breach at Warden Grier
`
`11.
`
`On or around December 2016, an international hacker organization known as
`
`“The Dark Overlord” (“Hackers”) gained unauthorized access to Warden Grier’s computer
`
`system containing all of the sensitive information, including PI, stored on Warden Grier’s servers
`
`(the “2016 Data Breach”).
`
`12.
`
`On information and belief, Hiscox understands that Warden Grier contacted
`
`outside attorneys and the FBI to investigate the matter, but did not hire a forensic IT firm to
`
`investigate the 2016 Data Breach or, if it did, has refused to provide Hiscox with the findings of
`
`any such investigation.
`
`13.
`
`Despite being aware of the 2016 Data Breach, Warden Grier actively concealed or
`
`otherwise did not notify Hiscox or Hiscox’s insureds—all of whom were Warden Grier’s
`
`clients—of the 2016 Data Breach.
`
`Case 4:20-cv-00237-NKL Document 1 Filed 03/27/20 Page 3 of 10
`3
`
`

`

`Warden Grier’s Payment of the Hackers’ Demand
`
`14.
`
`At some point, Warden Grier learned that the Hackers stole PI during or as a
`
`result of the 2016 Data Breach.
`
`15. Warden Grier paid the Hackers a ransom or other demand to protect its and its
`
`clients’ personal information from dissemination.
`
`16. Warden Grier did not notify Hiscox or Hiscox’s insureds—all of whom were
`
`Warden Grier’s clients—of the payment of any ransom or other demand resulting from the 2016
`
`Data Breach.
`
`Hiscox’s Accidental Discovery of the 2016 Data Breach
`
`17.
`
`On March 28, 2018, an employee at Hiscox learned by happenstance, through
`
`social media, that some of Hiscox’s PI had been leaked on the “dark web.”
`
`18.
`
`After a preliminary investigation, Hiscox learned that the PI made its way to the
`
`“dark web” as a result of the 2016 Data Breach.
`
`19.
`
`On March 31, 2018, Hiscox requested a call with Warden Grier about the
`
`situation. On the subsequent call, Hiscox for the first time learned the details of the 2016 Data
`
`Breach.
`
`20.
`
`Given that Warden Grier either had conducted no forensic investigation or
`
`otherwise refused to share such findings with Hiscox, Hiscox promptly commenced its own
`
`investigation to evaluate whether it may have any notification obligations given the sensitive
`
`nature of the information in Warden Grier’s possession and Warden Grier’s failure to: (i) protect
`
`that information; (ii) properly investigate the 2016 Data Breach; and (iii) notify Hiscox and its
`
`insureds of the 2016 Data Breach.
`
`Case 4:20-cv-00237-NKL Document 1 Filed 03/27/20 Page 4 of 10
`4
`
`

`

`21.
`
`Hiscox decided to notify its insureds—also clients of Warden Grier—of the 2016
`
`Data Breach, and to engage in efforts to protect against further exposure or dissemination of PI.
`
`22.
`
`As a direct result of Warden Grier’s conduct as described herein, Hiscox has
`
`suffered significant internal operational losses and costs and has incurred damages in excess of
`
`$1,500,000.00, including, but not limited to: (1) costs and fees Hiscox incurred to conduct a
`
`thorough investigation of the 2016 Data Breach; and (2) costs and fees Hiscox incurred to make
`
`the necessary notifications and accommodations and to protect affected persons (i.e., Warden
`
`Grier’s clients) against harm from future PI dissemination. Hiscox continues to incur such
`
`damages as additional necessary protective steps are taken.
`
`Warden Grier Refuses to Accept Liability
`
`23.
`
`To date, Warden Grier has refused to accept any responsibility for the 2016 Data
`
`Breach and its failure to notify Hiscox and Hiscox’s insureds of the 2016 Data Breach.
`
`CAUSES OF ACTION
`
`COUNT I
`BREACH OF CONTRACT
`
`Hiscox realleges and reincorporates paragraphs 1-23 as if fully stated herein, and
`
`24.
`
`further allege as follows:
`
`25.
`
`At all relevant times, an attorney-client relationship existed between Hiscox and
`
`Warden Grier as established in the Terms of Engagement.
`
`26.
`
`Under the Terms of Engagement, Warden Grier had a contractual duty to protect
`
`Hiscox’s PI.
`
`27.
`
`The Terms of Engagement require, among other things, that Warden Grier “retain
`
`either the originals or copies of all file documents relating to the claim,” and Warden Grier
`
`further agreed in those contracts to “have in place an appropriate disaster recovery plan with
`
`Case 4:20-cv-00237-NKL Document 1 Filed 03/27/20 Page 5 of 10
`5
`
`

`

`appropriate back-up to ensure the continuity of services in the event of a disaster.” See Exhibits
`
`A and B at p. 10.
`
`28.
`
`Implicit in the Terms of Engagement, and explicit in Warden Grier’s ethical
`
`obligations per the MISSOURI RULES OF PROFESSIONAL CONDUCT and the AMERICAN BAR
`
`ASSOCIATION MODEL RULES, is a duty on the part of Warden Grier to keep secure client PI. See,
`
`e.g, MO. RULE 4-1.6, stating that “[a] lawyer shall make reasonable efforts to prevent the
`
`inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the
`
`representation of the client,” and Paragraph 8 of the Comment to ABA MODEL RULE 1.1, which
`
`states that “a lawyer should keep abreast of changes in the law and its practice, including the
`
`benefits and risks of technology ….”
`
`29.
`
`The Terms of Engagement contemplate that Warden Grier will “retain” client
`
`information and, further, will have measures in place to respond to catastrophic events, such as
`
`the 2016 Data Breach.
`
`30. Warden Grier materially breached the Terms of Engagement by failing to protect
`
`Hiscox’s PI.
`
`31. Warden Grier materially breached the Terms of Engagement by failing to have
`
`appropriate measures in place to respond to the 2016 Data Breach, including conducting a
`
`prompt and adequate investigation into the 2016 Data Breach and notifying Hiscox of the 2016
`
`Data Breach, and by failing to notify Hiscox and its insureds of the 2016 Data Breach.
`
`32. Warden Grier’s breach of its obligations under the Terms of Engagement caused
`
`damages as described in Paragraph 22 above, and in an additional amount to be proven at trial.
`
`Case 4:20-cv-00237-NKL Document 1 Filed 03/27/20 Page 6 of 10
`6
`
`

`

`COUNT II
`BREACH OF IMPLIED CONTRACT
`(IN THE ALTERNATIVE)
`
`33.
`
`Hiscox realleges and reincorporates paragraphs 1-32 as if fully stated herein, and
`
`further alleges as follows:
`
`34.
`
`At all relevant times, an attorney-client relationship existed between Hiscox and
`
`Warden Grier.
`
`35.
`
`This attorney-client relationship was governed by the Terms of Engagement and
`
`by implied contract. Hiscox paid Warden Grier for services rendered on its behalf and on behalf
`
`of Hiscox insureds.
`
`36. Warden Grier materially breached the Terms of Engagement and all implied
`
`contracts by failing to protect Hiscox’s PI.
`
`37. Warden Grier materially breached the Terms of Engagement and all implied
`
`contracts by failing to have appropriate measures in place to respond to the 2016 Data Breach,
`
`including conducting a prompt and adequate investigation into the 2016 Data Breach and
`
`notifying Hiscox of the 2016 Data Breach, and by failing to notify Hiscox and its insureds of the
`
`2016 Data Breach.
`
`38. Warden Grier’s breach of its obligations under the Terms of Engagement and all
`
`implied contracts caused damages as described in Paragraph 22 above, and in an additional
`
`amount to be proven at trial.
`
`COUNT III
`BREACH OF FIDUCIARY DUTY
`
`39.
`
`Hiscox realleges and reincorporates paragraphs 1-38 as if fully stated herein, and
`
`further alleges as follows:
`
`Case 4:20-cv-00237-NKL Document 1 Filed 03/27/20 Page 7 of 10
`7
`
`

`

`40.
`
`At all relevant times, an attorney-client relationship existed between Hiscox and
`
`Warden Grier.
`
`41.
`
`As Hiscox’s legal representation, Warden Grier was a fiduciary of Hiscox and, as
`
`such, Warden Grier owed fiduciary duties to preserve and protect Hiscox’s and its insureds’
`
`interests.
`
`42. Warden Grier’s conduct as described herein, namely, its failure to protect the PI,
`
`to adequately investigate the 2016 Data Breach and to advise Hiscox that its PI had been
`
`compromised, constituted a breach of Warden Grier’s fiduciary duties.
`
`43. Warden Grier’s breach of fiduciary duties caused damages to Hiscox as described
`
`in Paragraph 22, and in an additional amount to be proven at trial.
`
`COUNT IV
`NEGLIGENCE
`
`44.
`
`Hiscox realleges and reincorporates paragraphs 1-43 as if fully stated herein, and
`
`further alleges as follows:
`
`45.
`
`At all relevant times, an attorney-client relationship existed between Hiscox and
`
`Warden Grier and, as its legal representation, Warden Grier owed a duty of reasonable care to
`
`protect client PI, including PI belonging to Hiscox and its insureds.
`
`46.
`
`Hiscox understood and expected that Warden Grier would, in accordance with its
`
`obligations under the Terms of Engagement, statutory requirements related to privacy protection,
`
`common law fiduciary duties, and ethical duties as Hiscox’s legal representation, promptly and
`
`adequately investigate and notify Hiscox and other firm clients (including Hiscox-insured
`
`clients) of any such data breach.
`
`47.
`
`Hiscox further understood and expected that Warden Grier would respond to any
`
`such event in accordance with RSMo. §407.1500, et. seq., which require “notice to the affected
`
`Case 4:20-cv-00237-NKL Document 1 Filed 03/27/20 Page 8 of 10
`8
`
`

`

`consumer that there has been a breach of security following discovery or notification of the
`
`breach.”
`
`48. Warden Grier breached these separately owed duties when it failed to promptly
`
`and adequately investigate and notify Hiscox or any of its Hiscox-insured clients of the 2016
`
`Data Breach.
`
`49. Warden Grier’s conduct as described herein, namely, its failure to protect the PI,
`
`to adequately investigate the 2016 Data Breach, and to advise Hiscox that PI was compromised,
`
`constituted a breach of that duty of reasonable care.
`
`50. Warden Grier’s conduct as described herein was the proximate cause of damages
`
`to Hiscox as described in Paragraph 22, and in an additional amount to be proven at trial.
`
`JURY DEMAND
`
`51.
`
`Hiscox requests a trial by jury on all issues so triable.
`
`PRAYER FOR RELIEF
`
`WHEREFORE, Hiscox requests that, after a jury trial, this Court enter a judgment
`
`against Warden Grier, awarding Hiscox its past and future actual damages, consequential
`
`damages, attorneys’ fees, punitive damages, interest, and court costs and awarding any such
`
`further relief as the Court may deem to be appropriate.
`
`
`
`Case 4:20-cv-00237-NKL Document 1 Filed 03/27/20 Page 9 of 10
`9
`
`

`

`Dated: March 27, 2020
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Respectfully submitted,
`
`GERMAN MAY PC
`
`
`
`
`
`
`By /s/ Daniel E. Blegen
`MO # 47276
`
`
`Daniel E. Blegen
`
`Benjamin D. Mooneyham MO # 65341
`
`1201 Walnut Street, Suite 2000
`
`Kansas City, MO 64106
`
`(816) 471-7700
`
`(816) 471-2221 fax
`
`Email: DanB@germanmay.com
`
`Email: BenM@germanmay.com
`
`
`
`ATTORNEYS FOR PLAINTIFFS
`
`
`
`
`
`Case 4:20-cv-00237-NKL Document 1 Filed 03/27/20 Page 10 of 10
`10
`
`

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket