Hiscox Insurance Company Inc. v. Warden Grier, LLP

Court: District Court, W.D. Missouri
Decided: December 8, 2021
Docket: 4:20-cv-00237
Status: Unknown


Bluebook
Hiscox Insurance Company Inc. v. Warden Grier, LLP, (W.D. Mo. 2021).

Opinion

IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF MISSOURI
WESTERN DIVISION

HISCOX INSURANCE COMPANY INC. and HISCOX SYNDICATES LIMITED, Plaintiffs,
v.
WARDEN GRIER, LLP, Defendant.

Case No. 4:20-cv-00237-NKL

ORDER

Before the Court is Defendant Warden Grier, LLP’s Motion for Summary Judgment (Doc. 89) (the “Motion”). While the parties initially waived dispositive motions, the Court granted Warden Grier leave to file the Motion, given it potentially implicated dispositive questions of law raised by changes made by Plaintiffs Hiscox Insurance Company Inc. and Hiscox Syndicates Limited (together, “Hiscox”) to their theory of recovery. For the reasons explained below, the Motion is GRANTED in part. Hiscox’s fiduciary duty claim is subsumed by its professional negligence claim. The remainder of Warden Grier’s Motion is DENIED.

I. Undisputed Facts

Hiscox is an insurance provider that insures risks throughout the United States.[1] As early as 2002, Hiscox, on its own behalf and on behalf of its insureds, retained Warden Grier to represent it in various coverage and subrogation matters; Warden Grier also monitored active litigation in the United States affecting Hiscox and its clients. The relationship between Hiscox and Warden Grier was memorialized and governed, in part, by two separate contracts (collectively, “Terms of Engagement”). Through its representation of Hiscox, Warden Grier obtained Hiscox’s client’s data.[2] This data included personally identifiable information (“PII”) pertaining to the individuals insured by Hiscox’s clients. As corporate entities, neither Hiscox nor its commercial policyholders had their own PII.

[1] For the purposes of the summary judgment motions, all facts are viewed in the light most favorable to the nonmoving party. Cottrell v. Am. Family Mut. Ins. Co., S.I., 930 F.3d 969, 971 (8th Cir. 2019).

[2] Hiscox’s clients were themselves corporate policyholders. These clients had customers who were individuals with PII.

Warden Grier’s server was hacked by an international organization known as The Dark Overlord (“TDO”) (the “Data Breach” or the “Breach”). Warden Grier discovered the Data Breach on February 14, 2017, when TDO threatened to publicize data stolen from Warden Grier’s server, unless Warden Grier paid a ransom. Warden Grier obtained advice from various law enforcement, legal, and computer professionals, and ultimately paid the ransom. Warden Grier did not notify Hiscox, or any client, of the Breach. Approximately a year later, in the Spring of 2018, TDO returned to Warden Grier and again threatened to release data stolen during the Data Breach unless Warden Grier paid an additional ransom. Hiscox did not tell Warden Grier of the new threat. However, on March 29, 2018, TDO informed Warden Grier that TDO itself had notified Hiscox of the breach. Two days later, Hiscox contacted Warden Grier about the Breach, and Warden Grier confirmed that it had been hacked.

After learning of the Data Breach, Hiscox hired Cooley LLP, an international law firm, to advise Hiscox in its response to the Data Breach. In this role, Cooley supervised a third-party vendor, Charles River Associates (“CRA”)—who was charged with analyzing the breached data—and advised Hiscox on its notification obligations. While Warden Grier “knew the cases [it] had, the clients [it] had and therefore knew in a general sense the type of information on the compromised server[,]” Doc. 101-2 (Summary of Material Facts Admitted by Hiscox), at SOF 5, at Hiscox’s request, it hired a vendor to “index the Compromised Server, analyze what portion of the data related to Hiscox and provide Hiscox with copies of its data on the Compromised Server.” Doc. 101-2, at 6, SOF 41. Working with this vendor, Warden Grier ultimately provided approximately 1,773,042 documents relating to Hiscox and its clients to Cooley and CRA. Doc. 101-2, at 4, SOF 60.

While Hiscox and Warden Grier may have had different obligations in responding to the Data Breach, ultimately, the breached data had to be analyzed to determine what those obligations were. See Doc. 102 (Warden Grier’s Response to Hiscox’s Additional Material Facts), at 18, SOF 33 (Warden Grier admitting that compliance with relevant data breach statutes generally requires an understanding of the compromised data). Hiscox claims it was necessary to identify everyone whose PII was compromised, every individual’s state of residence, and whether, under the law of that individual’s home state, notification was required, in order to fully understand its response obligations.

After reviewing the data, Hiscox determined that it was obligated only to notify its policyholders—the commercial entities—that the breach had occurred. Doc. 101-2, at 10, SOF 57. Each policyholder was then responsible for deciding whether an individual customer—the individual whose PII was compromised—should be notified. Hiscox notified its policyholders, and did not determine whether any additional notifications were made by the policyholders. Doc. 101-2, at 10, SOF 71. Hiscox claims to have incurred “costs related to notice and a call center (Epiq - $6,189.08), public relations (Brunswick - $107,456), legal advice (Cooley - $276,859.50), and data analysis (Charles River Associates - $1,094,414.46)” as a result of Warden Grier’s alleged breach. Doc. 101-2, at SOF 59.

II. Legal Standard

“Summary judgment is proper if, after viewing the evidence and drawing all reasonable inferences in the light most favorable to the nonmovant, no genuine issue of material fact exists and the movant is entitled to judgment as a matter of law.” Higgins v. Union Pac. R.R., 931 F.3d 664, 669 (8th. Cir. 2019) (quotation marks and citation omitted); Fed. R. Civ. P. 56(a). While the moving party bears the burden of establishing a lack of any genuine issues of material fact, Brunsting v. Lutsen Mountains Corp., 601 F.3d 813, 820 (8th Cir. 2010), the party opposing summary judgment “must set forth specific facts showing that there is a genuine issue of material fact for trial.” Thomas v. Corwin, 483 F.3d 516, 527 (8th Cir. 2007). The Court must enter summary judgment “against a party who fails to make a showing sufficient to establish the existence of an element essential to that party’s case, and on which that party will bear the burden of proof at trial.” Celotex Corp. v. Catrett, 477 U.S. 317, 322 (1986); see also Gibson v. Concrete Equip. Co., 960 F.3d 1057, 1062 (8th Cir. 2020) (holding that summary judgment should be granted only when there is no genuine issue of material fact and the movant is entitled to judgment as a matter of law).

III. Discussion

A. Hiscox’s Legal Theories and Warden Grier’s Response

At the Motion to Dismiss stage, Hiscox advanced four theories of recovery. Counts I and II were pled in the alternative and claimed Warden Grier violated two contracts between the parties by failing to protect Hiscox’s data, by failing to appropriately respond to the Data Breach, and by failing to notify Hiscox and its insureds of the Data Breach. See Hiscox Ins. Co. Inc. v. Warden Grier, LLP, 474 F. Supp. 3d 1004, 1007–08 (W.D. Mo. 2020).


Related

Brunsting v. Lutsen Mountains Corp., 601 F.3d 813 (Eighth Circuit, 2010)
Thomas v. Corwin, 483 F.3d 516 (Eighth Circuit, 2007)
Collins v. Missouri Bar Plan, 157 S.W.3d 726 (Missouri Court of Appeals, 2005)
Ostrander v. O'Banion, 152 S.W.3d 333 (Missouri Court of Appeals, 2004)
Tompkins v. Cervantes, 917 S.W.2d 186 (Missouri Court of Appeals, 1996)
Donahue v. Shughart, Thomson & Kilroy, PC, 900 S.W.2d 624 (Supreme Court of Missouri, 1995)
Lumbermens Mutual Casualty Co. v. Thornton, 92 S.W.3d 259 (Missouri Court of Appeals, 2002)
Klemme v. Best, 941 S.W.2d 493 (Supreme Court of Missouri, 1997)
Roberts v. Sokol, 330 S.W.3d 576 (Missouri Court of Appeals, 2011)
Cain v. Hershewe, 760 S.W.2d 146 (Missouri Court of Appeals, 1988)
Phil Rosemann v. Martin Sigillito, 785 F.3d 1175 (Eighth Circuit, 2015)
SKMDV Holdings, Inc. v. Green Jacobson, P.C., 494 S.W.3d 537 (Missouri Court of Appeals, 2016)
Roger Cottrell v. American Family Mutual Ins., 930 F.3d 969 (Eighth Circuit, 2019)
Jon Higgins v. Union Pacific Railroad Co., 931 F.3d 664 (Eighth Circuit, 2019)
Amanda Gibson v. Concrete Equipment Co., Inc., 960 F.3d 1057 (Eighth Circuit, 2020)
Beare v. Yarbrough, 941 S.W.2d 552 (Missouri Court of Appeals, 1997)
Meyer v. Purcell, 405 S.W.3d 572 (Missouri Court of Appeals, 2013)
