Opinion
4:20-cv-00237-NKL
12-08-2021
HISCOX INSURANCE COMPANY INC. and HISCOX SYNDICATES LIMITED, Plaintiffs, v. WARDEN GRIER, LLP, Defendant.
ORDER
NANETTE K. LAUGHREY UNITED STATES DISTRICT JUDGE.
Before the Court is Defendant Warden Grier, LLP's Motion for Summary Judgment (Doc. 89) (the “Motion”). While the parties initially waived dispositive motions, the Court granted Warden Grier leave to file the Motion, given it potentially implicated dispositive questions of law raised by changes made by Plaintiffs Hiscox Insurance Company Inc. and Hiscox Syndicates Limited (together, “Hiscox”) to their theory of recovery. For the reasons explained below, the Motion is GRANTED in part. Hiscox's fiduciary duty claim is subsumed by its professional negligence claim. The remainder of Warden Grier's Motion is DENIED.
I. Undisputed Facts
Hiscox is an insurance provider that insures risks throughout the United States. As early as 2002, Hiscox, on its own behalf and on behalf of its insureds, retained Warden Grier to represent it in various coverage and subrogation matters; Warden Grier also monitored active litigation in the United States affecting Hiscox and its clients. The relationship between Hiscox 1 and Warden Grier was memorialized and governed, in part, by two separate contracts (collectively, “Terms of Engagement”). Through its representation of Hiscox, Warden Grier obtained Hiscox's client's data. This data included personally identifiable information (“PII”) pertaining to the individuals insured by Hiscox's clients. As corporate entities, neither Hiscox nor its commercial policyholders had their own PII.
For the purposes of the summary judgment motions, all facts are viewed in the light most favorable to the nonmoving party. Cottrell v. Am. Family Mut. Ins. Co., S.I., 930 F.3d 969, 971 (8th Cir. 2019).
Hiscox's clients were themselves corporate policyholders. These clients had customers who were individuals with PII.
Warden Grier's server was hacked by an international organization known as The Dark Overlord (“TDO”) (the “Data Breach” or the “Breach”). Warden Grier discovered the Data Breach on February 14, 2017, when TDO threatened to publicize data stolen from Warden Grier's server, unless Warden Grier paid a ransom. Warden Grier obtained advice from various law enforcement, legal, and computer professionals, and ultimately paid the ransom. Warden Grier did not notify Hiscox, or any client, of the Breach.
Approximately a year later, in the Spring of 2018, TDO returned to Warden Grier and again threatened to release data stolen during the Data Breach unless Warden Grier paid an additional ransom. Hiscox did not tell Warden Grier of the new threat. However, on March 29, 2018, TDO informed Warden Grier that TDO itself had notified Hiscox of the breach. Two days later, Hiscox contacted Warden Grier about the Breach, and Warden Grier confirmed that it had been hacked.
After learning of the Data Breach, Hiscox hired Cooley LLP, an international law firm, to advise Hiscox in its response to the Data Breach. In this role, Cooley supervised a third-party vendor, Charles River Associates (“CRA”)-who was charged with analyzing the breached data-and advised Hiscox on its notification obligations. While Warden Grier “knew the cases 2 [it] had, the clients [it] had and therefore knew in a general sense the type of information on the compromised server[, ]” Doc. 101-2 (Summary of Material Facts Admitted by Hiscox), at SOF 5, at Hiscox's request, it hired a vendor to “index the Compromised Server, analyze what portion of the data related to Hiscox and provide Hiscox with copies of its data on the Compromised Server.” Doc. 101-2, at 6, SOF 41. Working with this vendor, Warden Grier ultimately provided approximately 1, 773, 042 documents relating to Hiscox and its clients to Cooley and CRA. Doc. 101-2, at 4, SOF 60. While Hiscox and Warden Grier may have had different obligations in responding to the Data Breach, ultimately, the breached data had to be analyzed to determine what those obligations were. See Doc. 102 (Warden Grier's Response to Hiscox's Additional Material Facts), at 18, SOF 33 (Warden Grier admitting that compliance with relevant data breach statutes generally requires an understanding of the compromised data). Hiscox claims it was necessary to identify everyone whose PII was compromised, every individual's state of residence, and whether, under the law of that individual's home state, notification was required, in order to fully understand its response obligations.
After reviewing the data, Hiscox determined that it was obligated only to notify its policyholders-the commercial entities-that the breach had occurred. Doc. 101-2, at 10, SOF 57. Each policyholder was then responsible for deciding whether an individual customer-the individual whose PII was compromised-should be notified. Hiscox notified its policyholders, and did not determine whether any additional notifications were made by the policyholders. Doc. 101-2, at 10, SOF 71. Hiscox claims to have incurred “costs related to notice and a call center (Epiq - $6, 189.08), public relations (Brunswick - $107, 456), legal advice (Cooley -$276, 859.50), and data analysis (Charles River Associates - $1, 094, 414.46)” as a result of Warden Grier's alleged breach. Doc. 101-2, at SOF 59. 3
II. Legal Standard
“Summary judgment is proper if, after viewing the evidence and drawing all reasonable inferences in the light most favorable to the nonmovant, no genuine issue of material fact exists and the movant is entitled to judgment as a matter of law.” Higgins v. Union Pac. R.R., 931 F.3d 664, 669 (8th. Cir. 2019) (quotation marks and citation omitted); Fed.R.Civ.P. 56(a). While the moving party bears the burden of establishing a lack of any genuine issues of material fact, Brunsting v. Lutsen Mountains Corp., 601 F.3d 813, 820 (8th Cir. 2010), the party opposing summary judgment “must set forth specific facts showing that there is a genuine issue of material fact for trial.” Thomas v. Corwin, 483 F.3d 516, 527 (8th Cir. 2007). The Court must enter summary judgment “against a party who fails to make a showing sufficient to establish the existence of an element essential to that party's case, and on which that party will bear the burden of proof at trial.” Celotex Corp. v. Catrett, 477 U.S. 317, 322 (1986); see also Gibson v. Concrete Equip. Co., 960 F.3d 1057, 1062 (8th Cir. 2020) (holding that summary judgment should be granted only when there is no genuine issue of material fact and the movant is entitled to judgment as a matter of law).
III. Discussion
A. Hiscox's Legal Theories and Warden Grier's Response
At the Motion to Dismiss stage, Hiscox advanced four theories of recovery. Counts I and II were pled in the alternative and claimed Warden Grier violated two contracts between the parties by failing to protect Hiscox's data, by failing to appropriately respond to the Data Breach, and by failing to notify Hiscox and its insureds of the Data Breach. See Hiscox Ins. Co. Inc. v. Warden Grier, LLP, 474 F.Supp.3d 1004, 1007-08 (W.D. Mo. 2020). Count III alleged that Warden Grier, as Hiscox's attorney, owed fiduciary duties to Hiscox and its insureds; Hiscox 4 argued that by failing to protect its data, to adequately investigate the Data Breach, and to advise Hiscox that PII had been compromised, Warden Grier breached those duties. Id. at 1008. In Count IV, Hiscox argued that Warden Grier owed Hiscox a duty as its attorney to protect its data, investigate the Data Breach, and notify Hiscox and its clients of the data breach. See Doc. 1 (Complaint), ¶¶ 44-50. Hiscox's claim has shifted. Hiscox no longer argues that Warden Grier was negligent or breached a fiduciary duty by allowing the data breach to occur in the first place or for failing to adopt adequate data security measures. See Doc. 91, at 2, SOF 4 (Hiscox admitting Warden Greer's Statement of Material Fact 4, which states Hiscox's claims do not fault Warden Grier for failing to prevent the data breach or Warden Grier's data security practices). Hiscox has also dropped all contractual theories of recovery, and is not seeking any form of indemnification. Id.; see also Doc. 91, at 65 (Hiscox clarifying that it is not seeking indemnification). Nor does Hiscox argue that any damages resulted from the delay between the Data Breach and Hiscox learning of it on March 21, 2018. See Doc. 91, at 14-16, SOF 29-31.
Instead, Hiscox now argues that Warden Grier violated both the fiduciary duties and the duty of care it owed as Hiscox's attorney by failing to notify Hiscox of the Data Breach and by failing to conduct a proper analysis of the compromised data. Specifically, Hiscox argues that Warden Grier was required to determine whose PII was compromised during the Data Breach and with which of Hiscox's clients the affected individual was associated. Then, Warden Grier should have determined whether the affected individuals were required to receive notice of the 5 Data Breach, based on the law in their respective home states. Warden Grier should have then provided this complete analysis to Hiscox (cumulatively, the “Hiscox Analysis”). See generally Doc. 91 (Hiscox's Opposition to Summary Judgment), at 51, 55-56, 59, 61.
Hiscox's briefing focuses almost exclusively on Warden Grier's failure to analyze the compromised data. However, at Oral Argument, Hiscox included in its theory that Warden Grier breached the standard of care by failing to notify Hiscox of the Data Breach. Hiscox further explained that the failure to notify theory was not a separate claim, but rather part of its theory that Warden Grier violated its standard of care by failing to conduct the Hiscox Analysis.
It seems Hiscox at times also argues that Warden Grier should have sent breach notifications to the individuals whose PII was compromised. Compare Doc. 91, at 51 (“[Hiscox] had to do what Warden Grier should have done in the first place: analyze the data for PII and send data breach notifications.”) with Doc. 91, at 55-56 (“If Warden Grier had done things correctly, it would have analyzed the data for PII, identified the affected individuals and their states of residency, and told Hiscox about the breach and PII disclosure.”). Hiscox also argued at Oral Argument that Warden Grier violated its duty of care by failing to notify Hiscox of the data breach in the first place (however claims no damages arising from the delay in notification). As discussed in more detail below, this lack of precision is a question of breach, not duty, and therefore a question for the jury. See e.g., LumbermensMut. Cas. Co. v. Thornton, 92 S.W.3d 259, 267 (Mo.Ct.App. 2002) (“Put another way, if there is a general duty to exercise some type of care to the plaintiff and the next question one asks is whether the defendant should or should not have acted in a particular way (or refrained from acting), the analysis is evaluative based on the facts of the case and this determination would almost invariably be an issue for the jury.”).
In response to Hiscox's updated theory of recovery, Warden Grier argues that Hiscox still must demonstrate that Warden Grier had a specific legal duty to perform the Hiscox Analysis. See Doc. 101 (Warden Grier's Reply), at 2 (“Whether or how well Warden Grier performed such an analysis would be the subject of a standard of care debate - but first and foremost there must be a legal duty to do the analysis for the benefit of Hiscox[.]”). Warden Grier also argues that Hiscox has failed to adequately demonstrate how any breach proximately caused Hiscox's damages. Id. Finally, Warden Grier argues that Hiscox's fiduciary claim must be subsumed into its professional negligence claim under Missouri law. Warden Grier relies on both arguments to move for summary judgment. 6
Hiscox argues that Warden Grier raises certain arguments for the first time in its Reply. While this may be true, Hiscox's theory-in its final form-was explained for the first time in Hiscox's Opposition to Warden Grier's Motion for Summary Judgment. Accordingly, the Court will exercise its discretion to permit Warden Grier to make any argument that could be considered “new” in response to Hiscox's “new” conceptualization of Hiscox's breach. For that reason, the Court also permitted Hiscox to file a sur-reply.
B. Whether Both the Professional Negligence and Fiduciary Duty Claims Can Survive
Before moving to the substance of Warden Grier's duty and causation arguments, the Court must address Warden Grier's assertion that, under Missouri law, Hiscox's professional negligence and fiduciary duty claims cannot coexist. “If the alleged breach can be characterized as both a breach of the standard of care (legal malpractice based on negligence) and a breach of a fiduciary obligation (constructive fraud), then the sole claim is legal malpractice.” Klemme v. Best, 941 S.W.2d 493, 496 (Mo. banc 1997). “[W]hen liability depends on an attorney's ‘negligent performance of professional services' to a client, the claim must be treated as one for attorney malpractice (i.e. professional negligence).” Rosemann v. Sigillito, 785 F.3d 1175, 1181 (8th Cir. 2015) (quoting Beare v. Yarbrough, 941 S.W.2d 552, 557 (Mo.Ct.App. 1997)). Here, Hiscox's professional negligence claim must subsume its breach of fiduciary duty claim.
Because jurisdiction in this case is based on diversity, the Court applies the law of the forum state, Missouri. See Rosemann, 785 F.3d at 1179.
Hiscox argues that Warden Grier breached its professional obligations by failing to inform Hiscox of the breach, conduct an adequate analysis of the hacked data and provide the results of that analysis to Hiscox. And because Warden Grier's breach was purportedly motivated by its own self-interest-its desire to avoid costs-Hiscox argues Warden Grier also 7 violated its duty of loyalty. See e.g., Doc. 91, at 52. As Hiscox itself recognized at Oral Argument, these claims arise out of the same misconduct, and therefore only one should be presented to the Jury. However, Hiscox argues that the Court should deny summary judgment and then instruct the jury on either the professional negligence or the fiduciary claim, whichever is more appropriate depending on the evidence adduced at trial. That is not appropriate under Missouri law nor the summary judgment standard. Hiscox provided no authority to support its position, and could not identify a single factual scenario in which trial would proceed such that the fiduciary duty claim would not be subsumed. Indeed, the only reason both theories made it past a motion to dismiss was because, without discovery, it was not clear that the alleged breach of fiduciary duty could be construed as a breach of the professional standard of care. Now, as Hiscox itself admits, it is. See Klemme, 941 S.W.2d at 496. To survive summary judgment, Hiscox had the burden to produce facts to substantiate its case, and on this issue, it has failed.
Neither Warden Grier nor Hiscox dispute that the alleged negligence here involves the negligent performance of professional services. While at the motion to dismiss stage Hiscox did argue that not all its claims necessarily arose out of Warden Grier's provision of legal services, See Doc. 16, that is no longer its position. Hiscox argues that, as its lawyer, Warden Grier negligently failed to analyze the breached data-in Warden Grier's possession to facilitate its legal services to Hiscox-to identify PII (a legal analysis) to identify affected clients and their state of residence. After which, Hiscox claims Warden Grier was obligated to do a state-by-state legal analysis to determine whether state law in the affected individual's home state required disclosure. This meets the Missouri definition of legal malpractice: “any professional misconduct or unreasonable lack of skill or fidelity in professional . . . duties by an attorney.” Cain v. Hershewe, 760 S.W.2d 146, 149 (Mo.Ct.App. 1988).
Because the alleged violation of the duty of loyalty is simply an extension of-or a gloss on-the alleged violation of the duty of care, and not a truly independent breach of a fiduciary duty, the fiduciary duty claim must fail under by Missouri law. See Beshears v. Wood, No. 3:17-05048-CV-RK, 2017 WL 6397496, at *3 (W.D. Mo. Dec. 14, 2017) (holding that fiduciary duty claim must be subsumed by professional negligence claim even when Plaintiff alleged that, through the same negligent conduct, the defendant knowingly violated the duty of loyalty); see also Klemme, 941 S.W.2d at 496; Donahue v. Shughart, Thomson & Kilroy, P.C., 900 S.W.2d 624, 629 (Mo. banc. 1995) (“The fiduciary relationship, if one existed, arose out of the attorneyclient relationship. The specific breach is dependent on the existence of attorney negligence, not on the breach of a trust.”). Here, Hiscox acknowledges that the same conduct supports both its professional negligence and its fiduciary duty claims: Warden Grier did not conduct the analysis 8 that Hiscox argues it was required to conduct. While, if it were true that Warden Grier was motivated by its own self-interest, its conduct could potentially be construed as a breach of the duty of loyalty, that is not enough. Klemme, 941 S.W.2d at 496. “If the alleged breach can be characterized as both a breach of the standard of care . . . and a breach of a fiduciary obligation . . . then the sole claim is legal malpractice.” Id. Simply framing the alleged breach of the standard of care as motivated by Warden Grier's desire to avoid the costs inherent in analyzing the data is not enough to allege a breach of a fiduciary duty “independent of any [claim of] legal malpractice[.]” Id. And as such, only Hiscox's professional negligence claim can survive, and any arguments related to the fiduciary duty claim are moot.
C. Whether the Professional Negligence Claim Can Survive Summary Judgment
1. Whether Hiscox Showed Warden Greer Had a Duty
Next, the Court turns to Warden Grier's duty to perform the Hiscox Analysis. Warden Grier argues that Hiscox has failed to identify any statutory, common law, or contractual source of any duty to analyze the breached data for PII and provide the results, along with a statespecific analysis of disclosure obligations, to Hiscox. But Warden Grier construes the duty analysis too broadly. Hiscox has made clear that its claims arise from the attorney-client relationship. Doc. 91, at 53 (“But there is no question about whether legal duties exist here. They do exist because Warden Grier was Hiscox's attorney.”). Under Missouri law, all attorneys owe their clients a “duty to exercise due care.” Klemme, 941 S.W.2d at 495. Indeed, to prove legal malpractice, a plaintiff need not prove “duty” at all; instead, all a plaintiff must prove is an 9 attorney-client relationship. Id. at 945-46.This is because, in cases involving professional misconduct, the profession itself provides the specific duty. See e.g., Meyer v. Carson & Coil, 614 S.W.3d 618, 625 (Mo.Ct.App. 2020); see also Roseman, 785 F.3d at 1179-80.
The elements of a legal malpractice action are: (1) an attorney-client relationship; (2) negligence or breach of contract by the attorney; (3) proximate causation of client's damages; and (4) damages to the client. Klemme, 941 S.W.2d at 495.
Warden Grier asks the Court to grant summary judgment because Hiscox failed to show it had a duty to conduct the Hiscox Analysis. By doing so, it collapses the duty and breach analysis into one. See e.g., Lumbermens Mut. Cas. Co., 92 S.W.3d at 267. Missouri courts have described the difference as between a “general standard” (legal duty) and a specific conclusion about whether the defendant's particular act or omission should be actionable (breach):
“The ‘general standard' is another way of stating the issue of whether a legal duty exists-a question for the court. Conclusions about the particular facts of a case are, in the presence of sufficient evidence, an issue for the jury. Dobbs suggests considering whether the issue involves a “rule of law capable of legitimate generalization.” [3 FOWLER V. HARPER, FLEMING JAMES, JR., & OSCAR S. GRAY, THE LAW OF TORTS, 2nd ed. § 18.8, at 743 (2d ed. 1986)]. For example, is the question of whether a surgeon has a duty to suture an incision a rule of law capable of generalization to all cases of surgery? Could it be, or should it be, a rule of law that in all surgical cases the surgeon should (as a duty) suture the incision? Of course not. Whether the surgeon should so act is a question of fact for the jury, usually with the aid of expert testimony.”Id.
Here, the only legal question for the Court is whether Warden Grier had a general obligation-a legal duty-to act. Because Warden Grier was Hiscox's attorney, it did. Accordingly, the question becomes one of breach; whether Warden Grier “failed to exercise that degree of skill and diligence ordinarily used under the same or similar circumstances by members of the legal profession.” Roseman, 785 F.3d at 1179-80 (citing Roberts v. Sokol, 330 S.W.3d 576, 581 (Mo.Ct.App. 2011)). This is a fact question for the jury, which, with the 10 assistance of expert evidence, must decide whether, given the specific facts of this case, the standard of care imposed by Warden Grier's duty included a specific obligation to conduct the Hiscox Analysis. See id. (“[A]n expert witness is generally necessary to tell the jury what the defendant should or should not have done under the particular circumstances of the case and whether the doing of that act or the failure to do that act violated the standards of care of the profession (and, thus, constituted negligence.”)) (citing Ostrander v. O'Banion, 152 S.W.3d 333, 338 (Mo.Ct.App. 2004)). Like a surgeon's obligation to suture an incision, Missouri law makes clear that whether Warden Grier was obligated to conduct the Hiscox Analysis is a question of breach, to be decided by the jury with reference to the relevant standard of care informed by expert evidence and the facts of this case. Roseman, 785 F.3d at 1179-80; Lumbermens Mut. Cas. Co., 92 S.W.3d at 267.
Hiscox has established Warden Grier had a general duty to act arising from the attorneyclient relationship, and accordingly, Warden Grier's Motion is DENIED on this point.
2. Whether Hiscox Established a Submissible Case for Causation
Warden Grier next argues that Hiscox has failed to produce sufficient evidence from which a jury could find Warden Grier was the proximate cause of Hiscox's injury. “The most basic formulation of Missouri's proximate cause test is that conduct can constitute the proximate cause of any harm that is its ‘natural and probable result.'” SKMDV Holdings, Inc. v. Green Jacobson, P.C., 494 S.W.3d 537, 545 (Mo.Ct.App. 2016) (quoting Tompkins v. Cervantes, 917 S.W.2d 186, 190 (Mo.Ct.App. 1996)). Said differently, a defendant's conduct is the proximate cause of a plaintiff's injury when the injury is the natural and probable consequence of the conduct. Collins v. Mo. Bar Plan, 157 S.W.3d 726, 732 (Mo.Ct.App. 2005). Hiscox argues that Warden Grier proximately caused it's $1.5 million in damages-the cost to investigate and 11 respond to the Data Breach-because, by failing to conduct the Hiscox Analysis itself, Warden Grier forced Hiscox to conduct its own analysis of the compromised data. Hiscox claims that the Hiscox Analysis was required “so the entity from whom the breached party obtained the PII [Hiscox] has enough information to make notifications ‘downstream' either to the affected individuals or to the data owner or service provider from whom the data originated.” Doc. 106 (Hiscox's Sur-Reply in Opp'n to Mot. Summary Judgment), at 6 (citing Doc. 91, at 24, 27). Because Warden Grier failed to conduct the Hiscox Analysis, Hiscox was forced to do it itself, causing its damages.
In response, Warden Grier argues that, by failing to offer expert evidence to establish its theory of proximate cause, Hiscox has failed to present a submissible case. Expert evidence is generally required to establish proximate causation in legal malpractice claims, “except in a ‘clear and palpable' case.” Myers v. Purcell, 405 S.W.3d 572, 578 (Mo.Ct.App. 2013). Warden Grier contends that the report of Hiscox's expert, Amy Reeder Worley, is silent on both the issue of damages and whether Warden Grier's alleged breach-about which she does opine-caused Hiscox's damages. While this may be correct, it is not determinative because Missouri law does not require a formal expert opinion establishing proximate cause so long as there is expert evidence from which the jury can infer proximate causation. Id.
Hiscox has provided sufficient expert evidence to establish a submissible case. Myers, the same case cited by Warden Grier to establish the obligation to provide expert evidence, held that so long as the expert evidence “carrie[s] sufficient probative force to allow a jury to reasonably infer causation[, ] an expert need not “expressly state” that a negligent act was the proximate cause of an injury. Id. at 579 (“Although [Plaintiff's expert] did not expressly state [Defendant's] negligence caused [Plaintiff] to incur attorneys [sic] fees, her testimony carried 12 sufficient probative force to allow a jury to reasonably infer causation.”). There, the expert extensively testified about the defendant's various breaches of the standard of care, and testified that the defendant's actions did generally cause harm to the plaintiff's interests. Id. at 579-80. That, paired with additional non-expert evidence showing that the damages claimed (the expenditure of attorneys' fees) was the “reasonable, natural, and probable consequence of [defendant's] negligence[]” was enough to establish proximate causation. Id. at 580-81. Here, Hiscox identified two experts who address proximate causation. First, while Ms. Worley did not explicitly opine that Warden Grier's negligence was the proximate cause of Hiscox's damages, she did provide testimony from which the jury could reasonably make that inference. When responding to questions regarding Warden Grier's response to the Data Breach and the decision not to inform Hiscox, Ms. Worley testified “[h]ow did it cause harm? It caused harm because Warden Grier did not analyze the data and provide its service provider [Hiscox] with information sufficient to allow it to meet its statutory obligations under the various applicable laws.” Worley Dep 187:11-20. Hiscox further designated David Navetta as a nonretained expert to, among other things, “testify that to comply with [Hiscox's] notice obligations Hiscox needed to know what data was compromised so it could, among other things, provide, upon request, the names and addresses of affected individuals and the categories of affected PII for each individual.” Doc. 106-1 (Hiscox's Expert Designations), at 1. Mr. Navetta testified that, if Warden Grier had performed the Hiscox Analysis, Hiscox could have relied upon that analysis to provide downstream notice without performing its own analysis. Navetta Dep. 106:20-107:2, 129:18-130:10 (explaining that the Hiscox analysis was necessary to obtain “a bunch of information that is necessary to allow the downstream notification to the individuals, should it be necessary, ” and that Hiscox could have relied on Warden Grier's analysis, had it 13 done it, instead of paying to conduct its own). At bottom, both experts explain that Hiscox needed the Hiscox Analysis to determine its notification obligations and that Hiscox could have relied on Warden Grier's analysis of the compromised data (had Warden Grier properly analyzed the data) instead of paying to conduct its own analysis. Doc. 91, at 25, SOF 40 (citing Worley Dep 57:8-24) (“So the first step is you look at the data, you find the PII. Then you have to determine where do those people reside because the law typically follows the residence of the individual whose data was impacted. That's when you look at the statute and say, okay, what are my notice obligations for anyone who lives in Raleigh, North Carolina? . . . You look at it by the breached entity examining the information that was beached. They in most states have a duty of reasonable investigation, and they have to cooperate in order to be able to inform the data owner sufficiently so that the data owner can fulfil their responsibilities under the statutes.”); 29, SOF 52 (citing Doc. 89-43 (Worley Dep.) 210:17-211:21) (“I did not pull the statutes related to every individual in the data set. To answer your question, I would have had to have looked at all 50 data breach statutes and done the analysis of who's the owner, who's the service provider, is this a first-party case or a third-party case.”); Navetta Dep. 23:11-13 (“You have to review the files to figure out what data is in there to be able to understand whether there is an obligation to notify.”).
Just like in Myers, the expert testimony establishing the necessity of the Hiscox Analysis and that Hiscox could have relied upon Warden Grier's analysis of the compromised data, had it done one, paired with other non-expert evidence in the record, is enough. For example, former Hiscox CEO Benjamin Walter also stated that “[i]f Warden Grier had adequately analyzed the compromised data for PII in 2017 and notified Hiscox about the unauthorized disclosure of PII in Hiscox's clients['] files, Hiscox would not have had to perform the same analysis later in 2018 14 and therefore would have avoided substantially all of the vendor costs[, ]” Doc. 91-16 (Walter Decl.), at ¶ 7; see also Doc. 91, at 20- 21, SOF 33 (citing Doc. 89-25 (Kam Dep.) 41:20-42:3) (“[I]f this didn't occur at the time, the questions we would ask is: what type of data; which litigation cases [were] involved; to what extent was it lost, so that we can understand the extent and nature of the information that is at risk, and what investigation has the law firm planned to undergo to at least let us know what is potentially being lost or at risk.”). Because there is both expert and non-expert evidence from which the jury can reasonably infer Warden Grier's decision not to conduct the Hiscox Analysis was the proximate cause of Hiscox's damages, proximate causation remains a fact question. See Myers, 405 S.W.3d at 578-81. Warden Grier's Motion on this point is DENIED.
Warden Grier takes issue, in passing, with Mr. Walter's use of “substantially all” because it still implies Hiscox would have incurred some expense, even had Warden Grier completed the Hiscox Analysis. See Doc. 101, at 10. This is a fact issue for the jury. Hiscox may not be able to ultimately prove that Warden Grier caused each dollar of its damages, but Warden Grier has not pointed to a specific piece of Hiscox's damages calculation that should fail as a matter of law. The Court will not attempt to do so on its own. To the extent Warden Grier moved for summary judgment on this issue, it is denied.
IV. CONCLUSION
Because Warden Grier's alleged breach “can be characterized as both a breach of the standard of care . . . and a breach of a fiduciary obligation . . . the sole claim is legal malpractice.” Klemme, 941 S.W.2d at 496. Hiscox's fiduciary duty claim is subsumed by its professional negligence claim, and Warden Grier's Motion on this point is GRANTED. However, Hiscox has shown that Warden Grier owed it a general duty of care arising out of the attorney client relationship. Whether that duty includes an obligation to conduct the Hiscox Analysis is a question of breach, about which there are material disputes of fact, and therefore the question is left to the jury. Warden Grier's Motion is DENIED on this point. Finally, Hiscox 15 introduced expert evidence from which the jury can infer proximate causation, which is all Missouri law requires. Myers, 405 S.W.3d at 578. Warden Grier's Motion on this point is also DENIED. 16