Wengui v. Clark Hill Plc ( 2020 )


Menu:
  •                            UNITED STATES DISTRICT COURT
    FOR THE DISTRICT OF COLUMBIA
    GUO WENGUI,
    Plaintiff,
    v.                                     Civil Action No. 19-3195 (JEB)
    CLARK HILL, PLC, et al.,
    Defendants.
    MEMORANDUM OPINION
    This case features an asylum-application process gone awry, accompanied by alleged
    professional misconduct, foreign-government cyber hacking, and social-media propaganda
    campaigns. After Plaintiff Guo Wengui, a Chinese businessman and prominent political
    dissident, retained the services of the law firm Clark Hill, PLC to assist him with an asylum
    petition, someone –– whom the parties presume to be associated with the Chinese government ––
    hacked into the firm’s computer servers. The hacker thereby gained access to Plaintiff’s
    confidential information and then published that information on the Internet. Compounding
    Wengui’s problems, the firm withdrew its representation in response to the attack. Plaintiff
    asserts that in making his information vulnerable to a targeted hacking and subsequently
    withdrawing from the matter, Defendants Clark Hill and its attorney Thomas Ragland are liable
    for legal malpractice, breach of fiduciary duty, and breach of contract. Defendants now move to
    dismiss all claims.
    To succeed on his tort claims, Wengui must “point to an act (or omission)” that “resulted
    in a loss” to him. See Seed Co., Ltd. v. Westerman, 
    840 F. Supp. 2d 116
    , 127 (D.D.C. 2012).
    1
    Plaintiff has successfully pleaded that the alleged mishandling of his information and subsequent
    cyber attack resulted in damages. The withdrawal, however, may have added insult, but it did
    not add injury. In addition, he cannot establish that the withdrawal breached Defendants’
    contractual obligations to him. The Court therefore will dismiss all of Plaintiff’s claims to the
    extent they rely on the theory that Defendants’ withdrawal constituted a legally remediable
    wrong, but it will permit those claims to go forward that allege misrepresentations surrounding
    and mishandling of his confidential information. Finally, it dismisses the demand for punitive
    damages, as Plaintiff has not satisfied the high bar necessary for seeking such relief.
    I.     Background
    A. Factual Background
    As it must at this juncture, the Court draws the facts from the Complaint. See Sparrow v.
    United Air Lines, Inc., 
    216 F.3d 1111
    , 1113 (D.C. Cir. 2000). Plaintiff is a “highly successful
    businessman” and “well-known Chinese dissident.” ECF No. 1 (Complaint), ¶ 10. While living
    in China, he exposed “systemic corruption” and “widespread abuse of human rights” being
    perpetrated by the Communist Party of China (CCP), China’s ruling political party. 
    Id., ¶ 15.
    These activities naturally caught the attention of the CCP, which allegedly threatened his
    livelihood and that of his family in order to put an end to his subversive activities. 
    Id., ¶¶ 18–19.
    Fearing further persecution, Plaintiff fled his native country in 2015, and he now
    resides in New York. 
    Id., ¶ 10.
    Wengui’s escape from China has not prevented further
    harassment. The Chinese government has, for example, sent emissaries to demonstrate against
    him outside of his home as part of a larger “malicious negative propaganda campaign” organized
    against him. 
    Id., ¶¶ 23–
    24. In response to this cross-continental maltreatment, Plaintiff set
    about applying for political asylum in the United States.
    2
    The source of this dispute dates back to Plaintiff’s negotiations with Defendant Thomas
    Ragland, an attorney and partner at Defendant Clark Hill, PLC –– a firm comprising about 650
    lawyers ––– regarding potential assistance with his asylum petition. 
    Id., ¶¶ 11–12.
    Hoping to
    secure Plaintiff as a client, Ragland assured him that both he and the firm more broadly “were
    qualified, capable, and competent to represent plaintiff and to protect his interests fully and
    professionally.” 
    Id., ¶ 28.
    At a subsequent meeting in August 2016, Wengui conveyed to
    Ragland and other Clark Hill attorneys “his standing and visibility as a prominent Chinese
    political dissident” and “the risks associated with and attendant to plaintiff’s position as a
    prominent visible critic of the Chinese regime.” 
    Id., ¶ 31.
    Plaintiff also “warned of the
    persistent and relentless cyber attacks that he and his associates had endured.” 
    Id. In further
    meetings with the firm, Wengui continued to warn Defendants that they should
    “expect to be subjected to sophisticated cyber attacks.” 
    Id., ¶ 32.
    In taking on Plaintiff’s case,
    Defendants accordingly agreed to “take special precautions to prevent improper disclosure of
    plaintiff’s sensitive confidential information.” 
    Id., ¶ 33.
    These precautions would include
    distinct measures to impede or evade cyber attacks, by, for example, “not placing any of
    plaintiff’s information on the firm’s computer server,” as doing so would make the information
    more vulnerable to hackings. 
    Id. Relying on
    the firm’s commitments regarding the protection of
    his confidential information, Plaintiff hired Defendants, executing a letter of retention and paying
    the firm a retainer fee of $10,000. 
    Id., ¶ 36.
    Unfortunately for all parties involved, Plaintiff’s warnings of a cyber attack, apparently
    as unheeded as Cassandra’s, proved prescient. On September 12, 2017, the firm’s computer
    system was “hacked” –– again, both parties assume that the hacking was orchestrated by the
    Chinese government –– “apparently without great difficulty.” 
    Id., ¶ 41.
    The hacker obtained a
    3
    substantial amount of Plaintiff’s and his spouse’s personal information, such as their passport
    identification numbers, as well as Plaintiff’s application for political asylum. 
    Id., ¶ 43.
    This
    information, including the contents of Wengui’s asylum petition, was then published and
    disseminated on social media. 
    Id., ¶ 44.
    Following the attack, the parties’ relationship quickly dissolved. On September 19, Clark
    Hill’s General Counsel, Edward Hood, informed Plaintiff that the firm was terminating its
    involvement with his case. 
    Id., ¶ 49.
    Hood explained that the attack might require Ragland,
    along with other members of the firm, to serve as witnesses at Plaintiff’s asylum proceeding, as
    the hacking provided evidence of the political persecution from which Plaintiff sought asylum in
    the United States. 
    Id. Hood posited
    that because the Rules of Professional Conduct bar
    attorneys from playing the dual role of witness and advocate, Defendants were required to
    withdraw from the matter. 
    Id., ¶¶ 49–50.
    At the time of that withdrawal, Plaintiff had filed an
    asylum application and was awaiting a hearing. 
    Id., ¶ 51.
    B. Procedural History
    On September 19, 2019, Wengui filed this action against Defendants in the Superior
    Court of the District of Columbia. Defendants then removed the case to this Court on diversity-
    jurisdiction grounds. See ECF No. 1 (Notice of Removal) at 1–2. Plaintiff’s Complaint asserts
    four counts: (1) breach of fiduciary duty; (2) breach of contract; (3) legal malpractice; and (4)
    punitive damages. See Compl., ¶¶ 66–93. Defendants now move to dismiss all counts,
    maintaining that they fail to state plausible claims for relief.
    II.     Legal Standard
    Federal Rule of Civil Procedure 12(b)(6) provides for the dismissal of an action where a
    complaint fails to “state a claim upon which relief can be granted.” Although “detailed factual
    4
    allegations” are not necessary to withstand a Rule 12(b)(6) motion, Bell Atl. Corp. v. Twombly,
    
    550 U.S. 544
    , 555 (2007), “a complaint must contain sufficient factual matter, accepted as true,
    to state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 
    556 U.S. 662
    , 678 (2009)
    (internal quotation omitted).
    In evaluating Defendants’ Motion to Dismiss, the Court must “treat the complaint’s
    factual allegations as true and must grant plaintiff ‘the benefit of all inferences that can be
    derived from the facts alleged.’” 
    Sparrow, 216 F.3d at 1113
    (citation omitted) (quoting Schuler
    v. United States, 
    617 F.2d 605
    , 608 (D.C. Cir. 1979) (citing Leatherman v. Tarrant Cty.
    Narcotics Intelligence & Coordination Unit, 
    507 U.S. 163
    , 164 (1993)). The Court need not
    accept as true, however, “a legal conclusion couched as a factual allegation” nor an inference
    unsupported by the facts set forth in the Complaint. See Trudeau v. FTC, 
    456 F.3d 178
    , 193
    (D.C. Cir. 2006) (quoting Papasan v. Allain, 
    478 U.S. 265
    , 286 (1986)). Finally, even at the
    Rule 12(b)(6) stage, a court can review “documents attached as exhibits or incorporated by
    reference in the complaint” or “documents upon which the plaintiff’s complaint necessarily
    relies.” Ward v. D.C. Dep’t of Youth Rehab. Servs., 
    768 F. Supp. 2d 117
    , 119 (D.D.C. 2011)
    (internal quotation marks and citations omitted).
    III.   Analysis
    In seeking dismissal here, Defendants argue that neither the cyber attack nor the
    withdrawal constitutes a ground for a viable claim of legal malpractice, breach of fiduciary duty,
    or breach of contract. In particular, they assert that their conduct surrounding these two events
    did not breach any duty owed to Plaintiff. They also argue that their actions, even if improper,
    did not cause him to suffer any actual damages. The Court will consider the two relevant events
    5
    in turn, examining the separate counts in that context, albeit slightly out of sequence.
    A. The Cyber Attack
    As recounted above, the Complaint alleges that: Plaintiff warned Defendants of the risk
    of an impending cyber attack; Defendants misrepresented the manner in which they would
    protect Plaintiff’s confidential information from such an attack; and Defendants then failed to
    protect this information, allowing it to be retrieved and then publicly disseminated by a third-
    party hacker. Defendants dispute that they made such representations and argue that, in any
    event, the cyber attack did not actually harm Plaintiff. The Court, however, rejects Defendants’
    premature attempt to litigate disputed facts at the pleading stage and will deny their Motion to
    Dismiss as it pertains to the cyber attack.
    Breach of Fiduciary Duty
    Count I asserts that Defendants breached various fiduciary duties owed to Plaintiff,
    including the duty of good faith, the duty of loyalty, and the duty to protect Plaintiff’s
    confidential records. See Compl., ¶ 68. To succeed on a claim of breach of fiduciary duty in the
    District of Columbia –– the relevant jurisdiction here ––– Plaintiff must establish “(1) the
    existence of a fiduciary duty and (2) a violation of that duty that (3) proximately causes injury.”
    Council on Am.-Islamic Relations Action Network, Inc. v. Gaubatz, 
    82 F. Supp. 3d 344
    , 353
    (D.D.C. 2015) (citing Shapiro, Lifschitz & Schram, P.C. v. Hazard, 
    24 F. Supp. 2d 66
    , 75
    (D.D.C. 1998)). It is axiomatic that the attorney-client relationship is fiduciary in nature. See
    Thomas v. Nat’l Legal Prof’l Assocs., 
    594 F. Supp. 2d 31
    , 34 (D.D.C. 2009) (“[T]here is an ever
    present fiduciary responsibility that arches over every aspect of the lawyer-client relationship.”)
    (quoting Connelly v. Swick & Shapiro, P.C., 
    749 A.2d 1264
    , 1268 (D.C. 2000)). Defendants
    6
    argue, however, that they did not breach any recognized fiduciary duties owed to Plaintiff and, in
    any event, did not cause any actual injury to him.
    First, as to breach of duty, Wengui does not allege, contrary to Defendants’ assertion,
    simply that “because there was a cyber incident, Defendants must have put up . . . ‘unreasonable’
    security measures.” ECF No. 12 (Def. MTD) at 12. It is true that some courts have gone so far
    as to hold that corporations maintain a duty to consumers to “‘protect against a criminal act of a
    third person,’ which could include hacking into a private data system, ‘if it is alleged that the
    entity had reason to anticipate the criminal act.’” Attias v. CareFirst, Inc., 
    365 F. Supp. 3d 1
    , 21
    (D.D.C. 2019) (quoting In re Arby’s Restaurant Group Inc., Litig., 
    2018 WL 2128441
    , at *5
    (N.D. Ga. Mar. 5, 2018)). As a result, those courts have held that if a corporation fails to prevent
    a forseeable cyber attack, it thereby breaches fiduciary duties owed its customers. 
    Id. This Court,
    however, need not go so far as to find that any corporation’s failure to protect against any
    forseeable cyber attack, standing on its own, constitutes a breach of fiduciary duty.
    A fiduciary relationship –– like that between a lawyer and client –– “is founded upon
    trust or confidence reposed by one person in the integrity and fidelity of another.” Democracy
    Partners v. Project Veritas Action Fund, 
    285 F. Supp. 3d 109
    , 121 (D.D.C. 2018) (quoting
    Bolton v. Crowley, Hoge, & Fein, P.C., 
    110 A.3d 575
    , 584 (D.C. 2015)). The duty of loyalty in
    this context “has been described as one of ‘uberrima fides,’ which means, most abundant good
    faith, requiring absolute and perfect candor, openness and honesty, and the absence of any
    concealment or deception.” Herbin v. Hoeffel, 
    806 A.2d 186
    , 197 (D.C. 2002) (emphasis added)
    (quotation marks omitted); see also Seed 
    Co., 840 F. Supp. 2d at 126
    –27 (attorney breaches
    fiduciary duties when providing clients with “incorrect and misleading” advice); 
    Herbin, 806 A.2d at 197
    (“Disclosure of client confidences is contrary to the fundamental principle that the
    7
    attorney owes a fiduciary duty to her client and must serve the client’s interest with the utmost
    loyalty and devotion.”) (quotation marks omitted).
    Plaintiff has sufficiently pleaded that Defendants breached their duties of loyalty and
    good faith by misrepresenting the manner in which they would protect his confidential
    information in order to secure his business. Although they promised to take special precautions,
    they placed that information, including his asylum application, on their server and conveyed it
    via a firm email account –– in direct contravention of his instructions –– leaving Plaintiff
    vulnerable to the precise sort of machinations he had forewarned counsel about. See Compl., ¶¶
    2–3, 40–43. He further alleges that the firm breached the applicable duty of care in its treatment
    of his information by utilizing security measures that were “inadequate, unreasonable, and fell
    woefully far short of [D]efendants’ promises, assurances, obligations, and commitments to
    provide adequate security measures.” 
    Id., ¶ 42.
    Discovery may reveal that Defendants never
    made any such misrepresentations to Plaintiff and were not negligent in their handling of his
    confidential information, but the well-pleaded allegations in the Complaint preclude granting
    Defendants’ Motion to Dismiss.
    Defendants argue in the alternative that even if they misled Plaintiff and were negligent
    in handling his confidential information, the cyber attack did not actually cause him any
    cognizable harm. Under D.C. law, not surprisingly, a breach of a fiduciary duty requires a
    showing of injury or damages. See Headfirst Baseball LLC v. Elwood, 
    239 F. Supp. 3d 7
    , 14
    (D.D.C. 2017) (canvassing D.C. caselaw); see also Becker v. Colonial Parking, Inc., 
    409 F.2d 1130
    , 1136 (D.C. Cir. 1969) (“A simple breach of duty having no causal connection with the
    injury, we have admonished, cannot produce legal responsibility.”) (quotation marks omitted).
    In arguing that Plaintiff has not made such a showing, Defendants rely on Randolph v. ING Life
    8
    Insurance & Annuity Company, 
    973 A.2d 702
    (D.C. 2009), where the District of Columbia
    Court of Appeals held that an “increased risk of future identity theft” does not qualify as an
    “actionable” injury “required to maintain a suit for common-law breach of fiduciary duty.” 
    Id. at 708.
    Although this case, like Randolph, concerns a data breach, the similarities end there. In
    Randolph, an unknown burglar stole a laptop computer owned by the employee of an insurance
    company, which contained the plaintiffs’ insurance information, including their names,
    addresses, and social-security numbers. 
    Id. at 704.
    The DCCA reasoned that the plaintiffs had
    failed to plead “actual harm” because they had not alleged that the burglar stole the laptop in
    order to access their information or that their information had even been accessed since the
    laptop was stolen. 
    Id. at 706–08.
    Instead, they simply alleged “the anticipation of future injury
    [identity theft] that has not materialized.” 
    Id. at 708;
    see also In re Sci. Applications Int’l Corp.
    (SAIC) Backup Tape Data Theft Litig., 
    45 F. Supp. 3d 14
    , 19 (D.D.C. 2014) (dismissing case
    where plaintiffs’ information, along with other items, was allegedly stolen from parked car
    because “mere loss of data –– without evidence that it has been either viewed or misused –– does
    not constitute an injury sufficient to confer standing”).
    Plaintiff, however, has gone well beyond pleading the anticipation of future injury and
    has instead alleged an actual injury resulting from Defendants’ conduct. According to the
    Complaint, the Chinese government or someone associated with it hacked Defendants’ server for
    the express purpose of stealing Plaintiff’s information. The hacker then “published” the
    confidential material, including Plaintiff’s application for political asylum and passport
    identification number, on social media. See Compl., ¶¶ 43–44. This chain of events occurred in
    the context of a broader propaganda campaign orchestrated by the CCP, one that included
    9
    utilizing social-media platforms to spread information about Plaintiff and mobilizing
    demonstrators to protest his presence in the United States. 
    Id., ¶¶ 22–24.
    Wengui therefore does
    not “speculate” as to potential uses of the stolen information; it has already been employed as
    part of the CCP’s persecution and harassment of him. The Court therefore rejects Defendants’
    invitation to find that the cyber attack did not actually harm Plaintiff as a matter of law.
    Legal Malpractice
    Count III alleges legal malpractice, asserting that Defendants breached their “common
    law” and “professional and ethical duties and obligations to plaintiff . . . by failing to use the
    required degree of professional care and skill in representing plaintiff,” and in failing to maintain
    “reasonable security measures to secure their computer system from unauthorized access, as
    required and promised to plaintiff.” 
    Id., ¶¶ 82–85.
    The elements of a legal-malpractice claim are similar to, but slightly distinct from, those
    for breach of fiduciary duty. See Hickey v. Scott, 
    738 F. Supp. 2d 55
    , 67 (D.D.C. 2010) (quoting
    Shapiro, Lifschitz & 
    Schram, 24 F. Supp. 2d at 74
    ). As Justice O’Conner has commented,
    “Lawyers are professionals, and as such they have greater obligations.” Zauderer v. Office of
    Disciplinary Counsel, 
    471 U.S. 626
    , 676 (1985) (O’Connor, J., concurring). To succeed on a
    legal-malpractice claim in the District of Columbia, “the plaintiff must show that (1) the
    defendant was employed as the plaintiff’s attorney, (2) the defendant breached a reasonable duty,
    and (3) that breach resulted in, and was the proximate cause of, the plaintiff’s loss or damages.”
    Beach TV Props., Inc. v. Solomon, 
    306 F. Supp. 3d 70
    , 93 (D.D.C. 2018) (quoting Martin v.
    Ross, 
    6 A.3d 860
    , 862 (D.C. 2010)).
    For the reasons recounted above, this count may also proceed as to the cyber attack
    because the Complaint identifies a breach of the duty of reasonable care owed by attorneys to
    10
    their clients and actual damages. To be sure, attorneys cannot be held “liable for mistakes made
    in the honest exercise of professional judgment.” Biomet Inc. v. Finnegan Henderson LLP, 
    967 A.2d 662
    , 665 (D.C. 2009). Honest mistakes, however, are a far cry from the conduct alleged
    here: misrepresentations made in order to secure a prospective client, the failure to follow
    promised procedures to adequately secure confidential information, and damages. See Swann v.
    Waldman, 
    465 A.2d 844
    , 846 (D.C. 1983) (finding plaintiff’s allegations that attorney lied to
    him about attempting to obtain continuance and was negligent in failing to obtain expert witness
    sufficient to withstand motion for summary judgment on legal-malpractice claim).
    Breach of Contract
    Plaintiff also brings a claim for breach of contract in Count II, alleging that the firm
    violated its contractual obligation to provide “competent representation” by undertaking a matter
    beyond its “professional or technical competence” and “neglecting to undertake reasonable
    security measures.” Compl., ¶ 76. “To prevail on a claim of breach of contract, a party must
    establish (1) a valid contract between the parties; (2) an obligation or duty arising out of
    the contract; (3) a breach of that duty; and (4) damages caused by breach.” United States
    Conference of Mayors v. Great-W. Life & Annuity Ins. Co., 
    327 F. Supp. 3d 125
    , 129 (D.D.C.
    2018), aff’d, 767 F. App’x 18 (D.C. Cir. 2019) (quoting Tsintolas Realty Co. v. Mendez, 
    984 A.2d 181
    , 187 (D.C. 2009)). Defendants concede that the parties entered into a valid contract
    (in this case, an engagement letter) that set forth their “respective obligations and expectations.”
    See Def. MTD at 14. They dispute, however, that Plaintiff has alleged a breach of that contract.
    Accepting the facts in the Complaint as true, Wengui has met his pleading burden –– if
    just barely –– of establishing that Defendants did not meet their contractual obligations. In
    particular, he alleges that they violated their obligations to provide “competent representation”
    11
    and keep Plaintiff “reasonably informed about the status of the matter,” Def. MSJ, Exh. A
    (Retainer Agreement) at 2, by misleading him as to the manner in which his information would
    be handled in the future, and then by failing to inform him when they eventually placed that
    information on their server. For the reasons stated in regard to the prior counts, this claim can
    proceed on the basis of failing to safeguard his information, which could amount to incompetent
    representation.
    Going forward, however, Plaintiff may need to clarify this count because he appears to be
    exploring several different theories as to how Defendants breached the retainer agreement. First,
    he seems to be laying the groundwork for the introduction of extrinsic evidence. This evidence
    might demonstrate that Defendants orally amended the terms of the contract in making
    representations regarding higher-level protection of Plaintiff’s personal information. See Segal
    Wholesale, Inc. v. United Drug Serv., 
    933 A.2d 780
    , 784 (D.C. 2007) (extrinsic evidence
    “consistent with the terms of a partially integrated agreement is permissible”); see also
    Stamenich v. Markovic, 
    462 A.2d 452
    , 455 (D.C. 1983) (extrinsic evidence permissible to
    demonstrate “a contemporaneous agreement in addition to and not inconsistent with or a
    variation of the written agreement between the same parties, which was an essential inducement
    of the written contract” or where “fraud, mistake, or duress is alleged”).
    Alternatively, Plaintiff also appears to be seeking to demonstrate that Defendants violated
    a general obligation to provide competent representation in providing insufficient protection of
    client materials. See Compl., ¶ 76. Or, finally, he may be asserting that Defendants breached the
    “implied duty of good faith and fair dealing” that D.C. courts have found to be contained within
    all contracts, one that prohibits “evad[ing] the spirit of the contract” or “willfully render[ing]
    imperfect performance.” Murray v. Wells Fargo Home Mortg., 
    953 A.2d 308
    , 321 (D.C. 2008)
    12
    (internal quotation marks omitted). Plaintiff will have to choose among these theories, and
    provide much more substantial support for them, should he decide to defend this count against
    further dispositive motions.
    Duplicative Nature of Claims
    Finally, the Court rejects Defendants’ argument that the three claims chronicled above
    are necessarily “duplicative” of one other and thus that only one can proceed past the pleading
    stage. Under D.C. law, when a plaintiff’s breach-of-fiduciary-duty claim rests on the same
    factual allegations and requests the same relief as his professional-malpractice claim, a court “as
    a matter of judicial economy, should dismiss” one of the claims as duplicative. See N. Am.
    Catholic Educ. Programming Found., Inc. v. Womble, Carlyle, Sandridge & Rice, PLLC, 887 F.
    Supp. 2d 78, 84 (D.D.C. 2012) (collecting cases). The same holds true for tort claims that arise
    out of the same factual circumstances as a breach-of-contract claim. See 
    Attias, 365 F. Supp. 3d at 18
    (“Under D.C. law, for a plaintiff to recover in tort for conduct that also constitutes a breach
    of contract, ‘the tort must exist in its own right independent of the contract, and any duty upon
    which the tort is based must flow from considerations other than the contractual relationship.’”)
    (quoting Choharis v. State Farm Fire & Cas. Co., 
    961 A.2d 1080
    , 1089 (D.C. 2008)).
    Down the line, Plaintiff may indeed have to choose among his three common-law claims.
    At this early stage, however, it would be premature to dismiss any of the three as duplicative,
    given the fact-dependent nature of such an inquiry. While the counts all relate to the cyber attack
    generally, they may be predicated on distinct wrongs surrounding the attack. Defendants’
    conduct may have, for example, violated a Rule of Professional Responsibility –– potentially
    creating liability for legal malpractice –– which does not necessarily give rise to a breach of
    fiduciary duty. See, e.g., 
    Hickey, 738 F. Supp. 2d at 67
    –68 (finding fee-related fiduciary-duty
    13
    claim distinct from legal-malpractice claim concerning breach of Rule of Professional
    Responsibility in dispute over fees).
    Finally, considerations of judicial economy do not weigh in favor of dismissal of any
    claims here. Allowing all three to proceed will not expand the scope of the case or potential
    avenues of discovery. At this juncture, therefore, the Court will decline Defendants’ invitation to
    narrow Plaintiff’s potential theories of relief. In sum, the Court will deny Defendants’ Motion to
    Dismiss Counts I, II, and III to the extent that they rely on the theft of his personal information
    via cyber attack and Defendants’ misrepresentations relating to protections from that attack.
    B. The Withdrawal
    By contrast, Defendants’ withdrawal from Plaintiff’s asylum process –– or, as Plaintiff
    labels the incident, their “firing” of him –– does not provide grounds for a viable legal claim. As
    described above, Defendants terminated their representation of Wengui following the cyber
    attack. They explained in a letter to him that the attack had created “several ethical
    complications” related to their representation. See ECF No. 12-5 (Clark Hill Termination Letter)
    at 1. Defendants’ “primary concern” was that “the cyberattack would require Mr. Ragland ––
    and possibly other members of the Firm –– to be a witness in [Plaintiff’s] asylum proceeding”
    because they now had first-hand knowledge of China’s prior persecution of Plaintiff, a factor
    relevant to that proceeding. 
    Id. In their
    Motion to Dismiss, Defendants argue that not only did their withdrawal not
    breach any duty owed to Wengui, but that it was in fact required by the Rules of Professional
    Conduct. See D.C. R. Prof. Conduct 1.16(a)(1) (D.C. Bar 2010) (attorney must withdraw from
    representing client if ongoing representation would violate Rule of Professional Conduct).
    Defendants again rely on Rule of Professional Conduct 3.7(a), which states that an attorney
    14
    “shall not” act as an advocate for a client when she is “likely to be a necessary witness” in the
    proceeding. They also invoke Rule 1.7(b)(4), which requires withdrawal if the lawyer’s ability
    to represent a client “reasonably may be adversely affected by the lawyer’s responsibilities to or
    interests in a third party or the lawyer’s own financial, business, property, or personal interests.”
    Defendants explain that following the cyber attack, they had their “own interests in investigating
    and mitigating the incident –– which conflicted with their representation of Plaintiff.” Def. MTD
    at 8.
    Regarding Rule 3.7(a), Plaintiff counters that Defendants’ withdrawal was premature at
    best, given that Wengui “did not have an asylum interview, let alone any hearing” and “had not
    asked that Mr. Ragland be a witness.” ECF No. 14 (Pl. Opp.) at 8. Additionally, Plaintiff argues
    that Rule 1.7(b)(4) raises “inherently factual issues” as to whether the cyber attack created a
    conflict of interest, issues that cannot be resolved at this stage. 
    Id. at 21.
    The Court need not settle these disputes because Wengui’s fiduciary and malpractice
    claims run aground on a different shoal. Plaintiff has not sufficiently pled that Defendants’
    conduct, even if improper, damaged or prejudiced him. Both of these claims require a showing
    of damage or loss. See, e.g., Seed 
    Co., 840 F. Supp. 2d at 126
    (plaintiff bringing malpractice
    claim “must point to an act (or omission) by the . . . [D]efendants that resulted in a loss” to him);
    
    Randolph, 973 A.2d at 708
    –09 (same regarding breach of fiduciary duty). As one court in this
    district described the applicable test when considering legal malpractice, the claim “does not
    accrue until the plaintiff-client has sustained some injury from the malpractice[,]’ and the ‘mere
    breach of a professional duty, causing only nominal damages, speculative harm, or the threat of
    future harm — not yet realized — does not suffice to create a cause of action for negligence.’”
    15
    Venable LLP v. Overseas Lease Grp., Inc., 
    2015 WL 4555372
    , at *2 (D.D.C. July 28, 2015)
    (quoting Knight v. Furlow, 
    553 A.2d 1232
    , 1235 (D.C. 1989)).
    Plaintiff’s claims predicated on the withdrawal do not plead damages that rise above the
    “speculative” or “nominal” level. Wengui does not dispute, for example, that at the time of
    Defendants’ withdrawal, his asylum application had already been filed and he was awaiting an
    initial interview, which can take years to schedule. See Def. MTD at 20. He also does not claim
    to have experienced difficulties in finding a successor counsel with immigration-law expertise.
    As a result, Wengui has failed to factually substantiate his conclusory allegations that
    Defendants’ withdrawal caused him “undue delay and complications,” reputational harm, and
    prejudiced the outcome of his case. See Compl., ¶ 60; see also Hinton v. Stein, 
    278 F. Supp. 2d 27
    , 33 (D.D.C. 2003) (rejecting legal-malpractice claim where “[a]lthough there was a brief
    attorney-client relationship between the parties, defendant was justified in seeking to withdraw[,]
    . . . [h]er motion to withdraw was filed promptly[,] and there is no indication that plaintiff
    suffered any injury as a result of her withdrawal”). Put differently, the Complaint does not allege
    that Plaintiff “suffered any injury because of Defendant[s’] failure to represent him,” and the
    Court will therefore dismiss his fiduciary-duty and malpractice claims to the extent that they rely
    on the withdrawal as the purported harm. 
    Id. Plaintiff’s breach-of-contract
    claim based on the withdrawal is somewhat different, but
    also merits dismissal. A party may prevail on such a claim even if he “fails to prove actual
    damages,” although he will be “entitled to no more than nominal damages.” Wright v. Howard
    Univ., 
    60 A.3d 749
    , 753 (D.C. 2013) (quoting Bedell v. Inver Housing Inc., 
    506 A.2d 202
    , 205
    (D.C. 1986)). With regard to the withdrawal, however, Plaintiff has failed to even gesture at
    provisions of the contract that Defendants breached in terminating their representation or at
    16
    extrinsic evidence that might support such a claim. See Retainer Agreement at 2, 4 (attorney
    may terminate agreement for reasons permitted under Rules of Professional Conduct or if any
    conflict of interest arises).
    C. Punitive Damages
    The Court last tackles Count IV, which asserts a claim of punitive damages. Specifically,
    the Complaint alleges that Defendants violated Plaintiff’s “rights” in an “intentional deliberate,
    [and] outrageous” manner. See Compl., ¶ 90. To begin, punitive damages are a form of relief,
    not a stand-alone cause of action. Although the count cannot survive independently, the Court
    considers whether such damages are available to Wengui at all. “To recover punitive damages,”
    a plaintiff must establish that “the tortious act was committed with ‘an evil motive, actual malice,
    deliberate violence or oppression’ or in support of ‘outrageous conduct in willful disregard of
    another's rights.’” Embassy of Nigeria v. Ugwuonye, 
    297 F.R.D. 4
    , 14 (D.D.C. 2013) (quoting
    Robinson v. Sarisky, 
    535 A.2d 901
    , 906 (D.C. 1988)). The imposition of punitive damages thus
    requires conduct that is “replete with malice.” See Dalo v. Kivitz, 
    596 A.2d 35
    , 40 (D.C. 1991);
    see also Hendry v. Pelland, 
    73 F.3d 397
    , 400 (D.C. Cir. 1996) (“District of Columbia law
    allows punitive damages only if the attorney acted with fraud, ill will, recklessness, wantonness,
    oppressiveness, or willful disregard of the clients’ rights.”).
    The Complaint does not plead such “outrageous” activity. Instead, if true, Wengui’s
    allegations suggest that Defendants’ failure to protect his information against hacking may mean
    that the firm acted “imprudently or incompetently, but they fall far short of showing the blatant
    wrongdoing necessary for a jury to infer that [Defendants] acted either with deliberate malice or
    conscious disregard of [their client’s] rights.” 
    Hendry, 73 F.3d at 400
    ; see also Embassy of
    
    Nigeria, 297 F.R.D. at 14
    (rejecting punitive-damages claim where attorney stole client’s tax
    17
    refund and deposited it in firm’s account). Plaintiff does not allege, for example, that Defendants
    intentionally left their server vulnerable to third-party hackings or stood to profit from such an
    event in any way. The Court therefore dismisses Count IV of the Complaint.
    IV.    Conclusion
    For the foregoing reasons, the Court will grant in part and deny in part Defendants’
    Motion to Dismiss. A separate Order consistent with this Opinion will be issued this day.
    /s/ James E. Boasberg
    JAMES E. BOASBERG
    United States District Judge
    Date: February 20, 2020
    18