At a legal technology trade show earlier this year, FBI special agent Mary Galligan, who is in charge of cyber and special operations, warned that law firms are increasingly being targeted for the valuable information they possess, including confidential client communications and private information about their employees, such as Social Security numbers.
One way that law firms can protect themselves in case of such an attack is through cyber liability insurance.
“Law firms, like any other business, can use insurance to help manage risk, and today, law firms face a real risk of cyberattacks and data breaches,” said Wesley Sunu, a director at Chicago law firm Tribler Orpett & Meyer, where he concentrates in reinsurance, insurance coverage and professional liability litigation. “Rather than assume the risk of having to pay for and comply with the notification laws in the event of a data breach, a law firm can purchase cyber liability insurance.”
The cost of a cyberattack can be substantial. The average annual cost of a cybercrime incident in 2012 was $8.9 million, according to the Ponemon Institute’s 2012 Cost of Cyber Crime report. The survey is based on a representative sample of 56 U.S. organizations in various industry sectors.
Some law firms may believe that they are protected under general and professional liability insurance policies, but Sunu said that “relying on traditional insurance to protect against cyber events is wishful thinking.”
“Moreover, if the law firm believes that there is coverage under one of its traditional insurance policies and its insurers have denied coverage for the cyber event, the firm may also have to expend further resources in litigating an insurance coverage declaratory judgment action over the possibility that insurance should cover the losses,” he explained.
Sunu, who is a member of the ABA Cybersecurity Legal Task Force, recommended that law firms ask their insurance providers to conduct a cyber risk review as well as provide information to help the firm to make an informed decision on whether to buy a cyber liability policy.
He warned that if law firms do decide to obtain cyber liability insurance, policies can vary widely in conditions and coverage, so firms must carefully review and compare them.
Cyberattack threats differ from firm to firm depending on practice areas and clients, and cyber liability policies can address issues ranging from privacy breach notification and crisis management to regulatory defense and civil penalties to liability resulting from a privacy breach.
Sunu stressed that “protecting the firm’s and the lawyer’s reputation is paramount” and that some cyber policies even provide assistance for managing public relations after a cyberattack.
“Delays in competently handling a cyber event could adversely impact the reputation of the law firm and all of its lawyers,” Sunu said.
The latest edition of The Brief, the quarterly magazine of the ABA Tort Trial and Insurance Practice Section, features articles detailing the importance of cyber liability insurance and how to prevent data breaches at law firms. The article “Network Risk Insurance 2012: Privacy & Security Exposures and Solutions for Law Firms” in Law Practice Today, the monthly webzine of the ABA Law Practice Management Section, also provides a more in-depth look at cyber liability insurance, also known as network risk insurance.
For more information on cybersecurity in the legal profession, click here.