NEW YORK – Millions of dollars are at stake in a data-breach lawsuit against Kelley Drye & Warren, the politically connected firm recently conceded in court documents.
The firm has removed a potential class action lawsuit to New York federal court, arguing the requirements for doing so under the Class Action Fairness Act are met. The case was first filed in August in New York state court and seeks compensation for potentially thousands.
For CAFA to apply, the amount in controversy must be at least $5 million.
“While KDW denies that Plaintiff or any putative class members are entitled to any relief, it acknowledges that the damage sought, including complying with Plaintiff’s proposed injunctive relief, exceeds $5 million,” a Jan. 12 notice of removal says.
Kelley Drye is active in litigation over chemicals known as PFAS, which are nicknamed “forever chemicals” because of their persistence in the human body. They are found in firefighting foam and many consumer products, and the firm and many others argue they have harmful effects like certain types of cancer.
Most cases are placed in a multidistrict litigation proceeding in South Carolina federal court. Kelley Drye represents several states and was lead counsel for New Jersey in its trial against DuPont, which led to a $2.5 billion settlement.
In May 2025, however, Kelley Drye reported to clients “unauthorized access to its network from an unknown third party” that had occurred in March. Some personal information was possibly stolen, a letter said, and the firm disclosed it was implementing additional security protocols.
Three months later, lawyers at Schroder, Joseph & Associates in Buffalo and Strauss Borrelli in Chicago sued in New York Supreme Court. They argued the firm had lax security systems and had failed to adequately train its employees on cybersecurity.
“Defendant’s breach notice obfuscated the nature of the breach and the threat it posed – refusing to tell its current and former clients, employees and others how many people were impact, how the breach happened, when it was discovered, or why Defendant delayed notifying victims that cybercriminals had gained access to their highly private information,” the lawsuit says.
“Defendant’s failure to timely report the data breach made the victims vulnerable to identify theft without any warnings to monitor their financial accounts or credit reports to prevent unauthorized use of their (personally identifiable information).”
Kelley Drye offered complimentary credit-monitoring services, but the complaint says the risk of identity theft remains high and might not come to light for years.
