Network Risk Insurance 2012: Privacy & Security Exposures and Solutions for Law Firms
Law firms are increasingly dependent on electronic information assets, which they collect, aggregate, analyze, use, and disseminate in the course of their representation of clients. This information includes attorney-client communication, clients’ proprietary data, law firm employee personally identifiable information and other confidential information. Law firms that service a significant amount of business with entities in the health care industry may qualify as “business associates” of such entities covered by HIPAA and thus be subject to its breach notification requirements. Because of ethical and regulatory obligations, law firms have a heightened obligation to their clients to maintain confidentiality, which requires lawyers to competently determine how to transmit and store their clients’ information. The attorney-client relationship is based on trust, and being able to rely upon one’s lawyer to keep sensitive information private is at the heart of that relationship.
The emergence of new technologies and dramatic changes to existing technologies necessarily alter the types and severity of threats to law firm network security. Productive attorneys demand unlimited access to firm documents and data while on the road so they can better serve their clients, but this can create vulnerabilities in the law firm’s information technology. Increased use of social media, cloud computing and mobile device technology raises unprecedented security concerns. Law firms’ reliance on outside e-discovery vendors or “big data” applications introduces additional exposure issues. Law firms, like any other business, face threats of cybercrime, privacy breaches, theft of intellectual property, and business interruption, which could imperil the firm’s competitiveness and ability to competently represent clients. A recent study estimates that the average data breach costs $7.2 million, with an average of $214 per compromised record.1 Liability for such privacy and security breaches could strike at the heart of a law firm’s financial statements. Therefore, law firms should examine their current and available insurance policies to ensure protection of their financial statements.
In 2011-2012, we have seen a number of security breaches in other industries make the news, as hackers continue to break into retailers (Amazon’s Zappos), marketing firms (Epsilon), online gaming (Sony), banks (Citigroup), government departments (Pentagon, Canadian government), defense contractors (Lockheed Martin), social networking sites (RockYou), cloud providers (Google’s Gmail) and even sophisticated security firms (EMC’s RSA, Stratfor, Symantec). Associated costs, including breach response and exposure to class action lawsuits, can be astronomical. Cybercriminals are increasingly sophisticated in terms of high-value target selection, meticulous planning, and data collection capabilities.
Law Firms as Targets
Some law firms are considered valuable targets, as repositories of highly sensitive information about their clients’ corporate acquisitions, products, and intellectual property. In February 2012, attackers based in China hacked into the networks of seven Canadian law firms in an effort to sabotage a corporate deal.2 The hackers destroyed data and stole sensitive client information. With the increase in use of electronic information assets, and hackers more clever than ever, it is likely that attacks on law firms will increase.
Law firms attract particular attention if they advocate positions or represent clients who are unpopular with the hacktivist community, such as Anonymous and LulzSec. In February 2012, hackers broke into the network of Puckett Faraj, the law firm representing a Marine Staff Sergeant who was involved in a raid resulting in the death of Iraqi civilians. The hackers stole client records, evidence, lawyers’ personal email correspondence and other information, and have published it online. Last year, UK-based ACS, an anti-piracy law firm affiliated with the entertainment industry, was the victim of a coordinated attack intended to punish the firm for bringing a large number of copyright infringement actions involving peer-to-peer file-sharing. The hacker group, 4chan, leaked confidential firm information, including attorneys’ private emails and protected information (including records of downloading pornographic videos) about more than 5000 individuals targeted by ACS, subjecting the law firm to fines and lawsuits. Within a year, the firm closed and the targeted attorney went bankrupt.
Law firms are also vulnerable to breaches caused by former employees, including departing attorneys eager to retain access to client files. In February 2012, a Pennsylvania law firm, Elliott Greenleaf & Siedzikowski, sued a former partner and his new firm for allegedly installing Dropbox software onto the Elliott firm’s computers that provided ongoing remote access to client files through a third-party cloud site.
Law firms are also unique in that they have obligations to preserve evidence in litigation, and network outages and breaches can result in disrupted chain of custody and accusations of spoliation, for which their clients may be severely penalized. Failure to maintain security could result in waiver of a privilege, and lawyers have an ethical duty to protect clients from inadvertent disclosure. Indeed, the most sophisticated business clients are asking their outside law firms to demonstrate that they have adequate security measures in place.
Since Sony’s PlayStation Network was hacked last April, Sony has been engaged in a battle with its insurer, Zurich, over whether its general liability policy covered such a breach, for which the remediation actions alone are estimated to cost at least $171 million. Similar declaratory judgment actions denying general liability coverage have been filed against Michaels Stores (by Arch Insurance) and Crate and Barrel (by Hartford), and University of Utah/Perpetual Storage has sued Continental Casualty seeking enforcement of coverage. For example, in the Arch v. Michaels coverage litigation, Arch alleges that the comprehensive general liability policy excludes electronic data from the definition of tangible property, for purposes of determining whether “property damage” has been alleged. Furthermore, the policy excludes damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.
Unlike retailers Michaels Stores and Crate and Barrel, the infamous TJX breach ($256 million in liability) and other non-professional service companies (e.g., retail, manufacturing, hospitality/food and beverage, utilities, education, transportation, defense industry), law firms provide professional services, similar to accountants, architects & engineers, consultants, financial institutions, payment processors, brokers & agents and health care providers. Typically, such professional service providers will have some type of professional liability insurance coverage. A broad-based professional liability policy is intended to cover defense costs and indemnity liability for alleged errors, omissions or negligent acts. Do professional liability insurance policies extend to address first and third party network risk exposures? Does the firm’s property policy address business interruption due to inaccessibility of systems caused by an “intangible property peril,” such as a computer hack where there has been no tangible property damage?
Exposure Analysis Roadmap
A number of different insurance products may be responsive to part of such losses, including Crime, General Liability, Professional Liability, Employment Practices Liability (think Social Media exposures), Kidnap and Ransom (Cyber Extortion), Internet Media Liability (libel, plagiarism, defamation, or invasion of privacy), and Property Business Interruption and Data Loss policies (losses for the firm’s “downtime”). Conduct a coverage analysis comparing a list of potential exposures against all available existing lines of coverage. Law firms should evaluate the financial impact of network risk exposures by undertaking several inquiries.
- Has the firm taken inventory and thoroughly qualified and quantified its information assets, including classification of confidential information?
- Does the firm understand and comply with the constantly evolving applicable state, local and industry association statutory and contractual compliance regulations, including international, if applicable?
- Has the firm implemented risk management best practices with respect to the protection of information assets, including, but not limited to, the following?
  - Information Technology Security (insurance underwriters want to measure IT security assessments against standards, such as ISO 27001, SAS 70 Type II, etc., including the same requirements for outsourced operations of third party IT vendors).
  - Limit access to confidential information, including control of software, hardware and system access.
  - Develop data protection and privacy policies and procedures for partners, associates, employees and independent contractors.
  - Appropriate training, awareness and monitoring, which must be updated regularly.
  - Third party vendor network risk management, including appropriate contractual allocation of liability.
  - Implementation of a data breach response plan. Insurers now realize that every entity will suffer some type of breach, and underwriters are increasingly conducting due diligence regarding breach response plans to determine the scope of insurability and pricing.
- Evaluate what the firm’s current professional liability policy was intended to cover. Law firms can obtain coverage for many cyber risks, but breadth of cover, sublimits, and exclusions vary by insurer.
  - Does the policy specifically describe “intangible information assets”?
  - Does the policy address wrongful dissemination of data?
  - Does the policy address wrongful collection of data?
  - Does the policy address dissemination of a computer virus, worm or Trojan horse?
  - Does the policy cover claims against the firm that are due to a third party IT or security vendor?
  - Does the policy cover advertising injury and personal injury claims that could arise from social media usage, such as defamation, libel, invasion of privacy, copyright, trademark and service mark infringement?
  - Does the professional liability policy cover employee claims (as opposed to client claims) regarding breach of personally identifiable information?
  - Do the existing property or professional liability policies cover first party costs, such as forensic and investigation expenses, data breach notification disclosure costs, credit monitoring, business interruption (due to the firm’s systems), contingent business interruption (due to a third party vendor) or the lost value of business assets?
Mind the Gaps
Specifically, law firms should consider comprehensive Network Risk Privacy and Security Liability insurance, which protects the firm in the event of a security or privacy breach. Policy forms are claims-made and reported, and coverage is available on a worldwide basis. Most insureds purchase $5 million to $20 million in limits, although smaller firms may purchase $1 million to $2 million in coverage and a few larger law firms may consider buying up to $100 million in total limits.
From a financial statement standpoint, recent claims data indicates that approximately 80 percent of reported breaches result in total defense and indemnity costs of less than $1 million, approximately 15 percent result in insurable damages between $1 million and $20 million, and approximately 5 percent result in total costs above $20 million. Moreover, security breaches cause companies to suffer embarrassment, public relations problems, loss of business, exposure to litigation and government investigations, and other substantial harm. Law firms, in particular, risk losing their clients’ confidence – and their business – if they cannot consistently demonstrate that they have exercised good judgment in securing their networks and in arranging for insurance to cover losses that may occur. Losses range from difficult-to-insure damages, such as lost future business and reputation, to insurable damages, such as customer class action litigation, notification costs, and credit card issuer cancellation and reissuance costs.
Due to the dynamic nature of Network Risk exposures and solutions, law firms are well-advised to assemble a privacy and security team comprised of participants from administration, risk management, information technology, legal, security and human resources to collaborate on these issues on a regular basis. Evolving developments such as the SEC Cyber Guidelines3 issued October 13, 2011, increasing privacy enforcement actions, enhanced focus on contractual allocation of liability, reconciliation of U.S. civil discovery obligations with international privacy and “blocking” laws, as well as the Obama Administration’s recent issuance of a report proposing comprehensive privacy legislation, are sure to change the legal landscape in the near future. Although the Obama Privacy Report proposes only voluntary adoption of privacy codes of conduct, many believe that the principles contained in the codes will create a new legal standard of “reasonable” practices and that, as a practical matter, deviation from them could lead to negligence findings or FTC enforcement actions. Under the new SEC guidelines, which do not directly affect law firms since they apply only to public entities, directors and officers have a fiduciary obligation to exercise an acceptable level of corporate governance over their systems’ security. They must disclose security breaches, denial-of-service attacks, or any other cyber security event or risk that could have material adverse effects. Changes are also occurring at the state level.
On February 22, 2012, the California Attorney General announced that all mobile applications are required to post sufficiently clear and conspicuous privacy announcements that comply with California’s Online Privacy Protection Act (“OPPA”).4 The Attorney General unveiled its recent agreement with a group of mobile application providers (Amazon, Apple, Google, Hewlett Packard, Microsoft, and Research in Motion/Blackberry) in which they agree to a set of privacy principles5, and published a “Mobile Applications and Mobile Privacy Fact Sheet” detailing the clarified expectations.6 The Attorney General emphasized that violations of the OPPA would be pursued under California’s Unfair Competition Law, which seems likely to provoke class action litigation on the issue. In May 2011, Illinois amended its Personal Information Protection Act (PIPA) to include data breach notification requirements and a data disposal mandate.7 The March 1, 2012 deadline arrived for Massachusetts businesses to adopt Written Information Security Plans (WISPs) to protect the privacy of personal information about employees, customers, prospects, business contacts, and other third parties.8 And internationally, on January 25, 2012, the European Commission proposed a new EU-Wide Data Protection Regulation to reform European privacy that has been governed for nearly two decades by the Data Privacy Directive 95/46/EC.
The Network Risk insurance marketplace is one of the most specialized in the world of commercial liability. Few privacy and security risks are alike, and law firms have unique needs, though these will vary greatly depending on their size, location, use of technology and type of legal work performed. For this reason, it is critical to consider the unique exposures of each law firm and customize a responsive program.
1 Ponemon Institute, “U.S. Cost of A Data Breach” (3 March 2011). Online at http://www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher. One caveat: While the Ponemon Institute is a reliable and objective source of industry data, law firms should generally eye most network security statistics with suspicion, particularly if the source is a vendor of security-related products or services.
8 Massachusetts’ “Standards for the Protection of Personal Information of Residents of the Commonwealth,” 201 CMR 17.00.
Kevin Kalinich is the Global Practice Leader for Network Risk Insurance, Aon Corporation, and is a reformed attorney.
LAW PRACTICE TODAY