Orrick Ex-Employee Drops Data Breach Suit, Keeps Refile Option

TL;DR: Joseph Casillas dismissed his data breach lawsuit against Orrick without prejudice, keeping the option to refile. The case arose from a January breach that exposed personal data.

Context: Orrick Herrington & Sutcliffe disclosed a cyber incident in January 2024 that compromised employee and client personal information. The firm detected the intrusion after noticing unusual file access patterns and engaged external forensic investigators. Public statements noted that the breach involved unauthorized access to internal servers but did not disclose the exact number of records affected or the financial impact.

Key Facts: Casillas, a former Orrick employee, filed a complaint seeking damages for himself and other alleged victims of the January attack. Hours after filing, he voluntarily dismissed the complaint without prejudice, which preserves his right to refile in another jurisdiction. His attorney, Andrew Gunem, did not respond to requests for comment after the dismissal and had previously declined to comment when the suit was filed.

What It Means: The withdrawal leaves Orrick without immediate litigation risk from this claim, but the without‑prejudice dismissal allows Casillas to pursue the case elsewhere, potentially in a state court or with a different legal theory. For security teams, the episode highlights how litigation can follow breach disclosures and underscores the importance of clear communication and timely remediation to limit exposure.

Mitigations: Organizations should ensure timely patching of known vulnerabilities, monitor for anomalous access using SIEM rules aligned with MITRE ATT&CK T1078 (Valid Accounts) and T1059 (Command‑Line Interface), and enforce multi‑factor authentication on all privileged accounts. Regularly review incident response plans to include legal‑liaison procedures that prepare for possible civil actions following a breach.