Cyber Liability Coverage Often Absent at Law Firms

October 4, 2016

Cybersecurity experts like to say that there are two types of businesses today: Those that have been breached and know it, and those that have been breached and just don’t know it.

It’s a bad joke, no doubt, but law firms in particular will want to take it seriously.

Hackers are increasingly targeting law firms for one very simple reason: they hold huge amounts of sensitive information about their clients’ finances, including documents related to mergers and acquisitions, litigation papers and emails containing reams of intimate and private details of their clients’ lives.

The problem becomes worse as more law firms allow their employees to use their own devices – devices that often are not in the firm’s control and, therefore, are run without enhanced security controls in place. The use of public wireless services at places such as airports, train stations and coffee shops also presents risks.

Hackers use the stolen data to manipulate company share prices, access bank accounts or simply to embarrass.

Cyber criminals aren’t always to blame. Data losses sometimes can result from innocent mistakes such as losing a smartphone, unintended transmissions, or everyday human error of the sort present in any busy practice.

Either way, these losses have led to lawsuits, regulatory investigations, and fines and penalties, not to mention a client’s loss of trust.

There’s hardly any shortage of examples of this.

The most dramatic occurred in early 2016: an unprecedented leak of 11.5 million files from the database of one of the world’s largest offshore law firms, Mossack Fonseca. Client information on more than 210,000 offshore entities was leaked in what came to be known as the “Panama Papers” breach.

How ubiquitous are these attacks?

The American Bar Association in 2015 said it found that one in four firms with at least 100 lawyers had experienced data breaches of one sort or another.

Unfortunately, too many firms are behind the eight ball when it comes to ensuring their digital systems are as secure as they should be. That includes failing to take simple action such as routinely encrypting flash drives and emails.

Perhaps more alarming, the ABA determined that only about 11 percent of the law firms it surveyed said they had standalone cyber liability insurance, despite the fact that the earliest cyber-risk policies were introduced in the 1990s.

Law firms often mistakenly assume that their standard professional liability policies cover data breaches.

That can be a costly error on their part. NetDiligence, a Philadelphia-based cyber-risk assessment company, estimates that the median cost for a claim in the professional services industry is $230,000.

While there are no silver bullets, cyber coverage provides an extra layer of protection that can include risk and crisis management services. The Department of Homeland Security has said the cyber insurance market remains confusing, so needless to say, not all cyber-security insurance policies are created equal.

There are “first-party” and “third-party” risks associated with data breaches and cyber risks.

Coverage of first-party risks would include loss of a policyholder’s own data, while third-party coverage addresses liability to clients or government entities.

The better policies allow law firms to tap into a built-in network of IT experts, PR firms and “breach coaches” who are experienced in responding to cyber-security matters and whose rates the insurance carrier has already negotiated.

Beyond covering the theft or destruction of confidential information, more robust cyber policies typically also include:

  • the costs of client notification and expense of providing credit monitoring services to affected clients;
  • the costs associated with restoring, updating, or replacing business assets stored electronically;
  • business interruption;
  • liability associated with libel, slander, copyright infringement, product disparagement, or reputational damage to others when the breach involves a business website, social media or print media;
  • expenses related to cyber-extortion or cyber-terrorism; and
  • coverage for expenses related to regulatory compliance for billing errors.

Many cyber policies exclude coverage for data lost from unencrypted devices. If possible, seek cyber coverage without this limitation. In any event, encrypt confidential data in every device, including phones, tablets, notebooks, network storage and backups, whenever possible.

Given the distinct likelihood that hackers will only grow more sophisticated and aggressive, cyber insurance is expected to become as commonplace as, say, property insurance or health insurance.

There’s another good reason to get cyber coverage: clients are likely to require their law firm to carry it as a prerequisite to doing business.

Jeff Parent is an Insurance Advisor at CCIG. Reach him at 720-330-7918.
