Florida law firm Gunster settles 2022 data breach case for $8.5 million

Florida-based business law firm Gunster has agreed to an $8.5 million settlement to resolve a class action lawsuit stemming from a 2022 data breach that exposed the personal and health information of nearly 10,000 individuals. The proposed settlement, filed Thursday in a Florida federal court, is one of two cases against the firm concerning the breach, which allegedly compromised sensitive information from former and current clients and employees.

The settlement is subject to approval by U.S. District Judge Aileen Cannon. Gunster, founded in West Palm Beach, has denied wrongdoing and has not admitted liability. A Gunster representative declined to comment on the case while it remains unresolved, and neither the firm’s external counsel nor the plaintiffs’ attorneys provided statements.

The lawsuit, led by plaintiffs Mary Jane Whalen, a former Gunster client, and Christine Rona, a former employee providing healthcare services to Gunster’s high-net-worth clients, alleges that the firm failed to implement adequate safeguards to protect sensitive data. The breach reportedly resulted in the unauthorized access and “exfiltration” of personal information such as names, dates of birth, Social Security numbers, and banking details. In April, Gunster notified individuals of a security breach involving its document management system.

This incident underscores the increasing threat of cyberattacks targeting the legal industry, as law firms often manage highly confidential and valuable client information. Similar incidents have occurred at other prominent firms, including Orrick, Herrington & Sutcliffe, which recently settled a data breach case for $8 million involving the personal data of over 600,000 individuals. Additionally, Bryan Cave Leighton Paisner and snack giant Mondelez reached a tentative $750,000 settlement last month in a separate data breach case.

In response to growing cyber threats, the U.S. federal judiciary recently issued alerts about fraudulent emails impersonating electronic court filing notifications to lure attorneys into malicious websites. Judge Cannon has paused a second case against Gunster related to the data breach, which is pending approval of the settlement.