If there was any doubt among law firms about their potential vulnerability to cyber-attacks, recent reports of the so-called “Panama Papers” serve as a sobering reminder that the threat is not only real, but also widespread and substantial.
In this case, a law firm was victimized by a series of hacking incidents by a single perpetrator. The hacks occurred without its knowledge, over several years, and involved more than 11 million documents and confidential details of more than 200,000 offshore facilities the firm established on behalf of its clients.
More recently, and closer to home, a specialty law firm in the U.S. Midwest is bringing suit against another Midwestern firm alleging it failed to maintain a solid security system and safeguard client data. It’s feared that this action will trigger a wave of similar cases.
As individual hackers and organized criminals look for new ways to steal funds and access confidential corporate and personal financial information, professional services firms have become soft targets for their actions. Indeed, law firms have stores of personal and confidential financial data on employees and clients; they maintain sensitive information about client strategies, trade secrets, and pending business transactions. Firms may also have significant employee and client health data and information protected under the Health Insurance Portability and Accountability Act (HIPAA).
A privacy or security incident can cause a firm a great deal of unwanted press and involve substantial costs. If the firm’s system goes down for any amount of time, significant billable time may be lost. Then there is also the cost of any forensic investigation, potential federal and state regulatory fines and notification costs, not to mention issues with third parties: a flurry of lawsuits, negative publicity, reputational damage, and disgruntled clients.
Network security lapses could also give rise to ethical complaints, as inadequate data security or protection of privacy can constitute a failure to abide by the duty of confidentiality. Under Rule 1.6 of the ABA Model Rules of Professional Conduct, “a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.” Lawyers must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Unfortunately, law firms generally have lagged behind other industries when it comes to data protection. To make sure your firm gets up to speed, the following are some suggested best practices for firms to follow to anticipate, prevent, and respond to a data breach, including the purchase of a cyber-liability insurance policy.
In the wake of so many cyber-breaches, cyber-liability insurance should be considered a critical component of every law firm’s risk management portfolio, along with a comprehensive breach response plan. Keep in mind, however, that not all cyber-insurance policies are identical.
In choosing a cyber-liability insurance policy, carefully consider the scope of coverage and exclusions under a data breach policy, including whether the policy covers costs related to lawsuits, regulatory investigations, internal investigations, notifications to affected consumers, public relations management, credit monitoring, and/or statutory penalties.
Standalone cyber-liability insurance policies, addressing both first- and third-party perils, offer a full range of cover that is key to mitigating risk. The policies typically provide coverage through numerous insuring clauses that afford coverage for losses arising out of data or privacy breaches. These include expenses related to the management of an incident, such as forensic investigation, remediation, notification, and credit checking. They also provide coverage for business interruption losses, extortion, network damage, and regulatory investigation costs arising out of a cyber-event.
Understanding Potential Coverage Restrictions
Law firms purchasing standalone cyber-liability insurance policies should thoroughly understand exactly what their insurance covers, the extent of coverage provided, as well as any coverage exclusions or restrictions.
In comparing various cyber-liability policies offered by different insurance companies, be aware that many insurers will attempt to add exclusions either through the policy wording itself or by endorsement.
While it is not always possible to remove these exclusions, law firms should understand their potential impact and attempt to have them modified or removed. There are more than a dozen specific types of coverage exclusions or restrictions that might appear in many or some cyber-liability insurance policies for law firms. Here are a few key examples:
- Definition of confidential information. Some policies define confidential information as only Personally Identifiable Information (or PII, such as date of birth, Social Security number, driver’s license ID, etc.). However, a good cyber insurance policy will define confidential information as anything protected under the attorney-client privilege.
- Encryption exclusions for mobile devices. Some policies exclude coverage if the firm’s mobile devices are not encrypted. Encrypting these devices is sound risk management and should be standard practice. Ideally, however, coverage is not contingent on this being done.
- Retroactive date. Some policies exclude coverage for claims the firm could have reasonably foreseen. For this reason, firms should try to limit their knowledge of claims to key individuals at the firm, such as the head of IT or the firm’s managing partner. Furthermore, coverage under a good cyber insurance policy is triggered by the “discovery of the network security event” and not the occurrence of the incident. This negates the need for full prior acts or a retroactive date prior to the inception of the policy. However, if you don’t have date-of-discovery language, you will need a full prior acts policy or one with a retroactive date prior to the inception of the policy.
- Definition of damages/loss. Certain risks covered by cyber-policies may have unique remedies and involve related costs. For example, privacy violations can result in a duty to notify affected individuals and to provide credit monitoring for defined periods of time following the violation. Law firms should be sure the “loss” as defined and covered by the policy addresses the types of relief they may be required to provide.
- Data outside an insured’s network or premises. This wording affects cloud providers or other outsourced vendors and should be reviewed carefully. Most cyber-insurance policies define a “computer system” to include third-party networks with which you have contracted to support your firm. Thus, in the event of a breach, the policy will respond regardless of where data were stored when the breach occurred. In other words, the coverage should follow the data, no matter where they are stored.
- Voluntary notification. During the past several years, most states and various countries have enacted breach notification laws. Generally, they require firms that lose sensitive personal data to provide written notification to all individuals potentially affected. Even without a legal obligation to do so, the trend is toward voluntary notification to protect your brand and reputation. In any event, clients expect such notification. Not all cyber-policies cover costs of providing a breach notice, so be sure to check whether and how your policy will respond to these circumstances.
- Limitations on the cost to investigate, defend, and settle issues surrounding civil penalties and fines. While most cyber-liability policies cover civil fines or penalties imposed by a governmental agency, as well as the costs incurred in connection with a governmental investigation, some permit coverage only to the extent they are insurable by law in that jurisdiction. This coverage limitation raises questions of law not directly specified in policy terms; policyholders may wish to consult knowledgeable personnel in their corporate risk and legal departments, along with their other professional and legal advisors.
- Breaches caused by rogue employees. All policies have a specific “conduct exclusion”; however, it should be strictly limited to dishonest, fraudulent, or criminal acts committed by the firm and/or its senior management. While most data and security breaches result from negligent acts, such as failure to properly configure software or firewalls, many breaches are caused by malicious acts, perpetrated or assisted by insiders. Thus, law firms should seek an exception to the conduct exclusion for “rogue” or disgruntled employees to guarantee coverage for malicious conduct by an insider.
With respect to the last point, the conduct exclusion for fraudulent or criminal acts of senior management should be worded to apply only after final adjudication, or determination, that the excluded conduct did, in fact, occur.
Many policies don’t cover theft of hardware from your premises and limit protection for breaches to those involving only U.S. privacy statutes or regulations. Sublimits for forensics and crisis management expenses are also frequently inadequate, which can leave law firms without sufficient funds to investigate where their systems were infiltrated or to address the costs of effectively managing a related crisis event.
In addition, there are likely to be restrictions for restoration of intellectual property or proprietary business information. And when related coverage is provided, it typically is limited to the amortized value.
Another area to check involves the policy’s requirements regarding use of vendors to address data breaches and related issues. Many insurers require policyholders to use the insurance company’s preferred vendors; to have this language changed to allow a law firm to choose its own vendors may require additional premium.
Policy Waiting Periods
Cyber-liability insurance policies offer an aggregate limit of liability (i.e., the total limit of liability for all claims) as well as sublimits for each first-party coverage and the fines and penalties aspect of the third-party coverage.
The sublimits have generally increased in recent years, so that law firms can typically get up to 50 percent of the total limit to apply to first-party costs. A dollar deductible, which varies depending on the size of the policy and the firm insured, also applies to each coverage part. In addition to a dollar deductible, most policies include a “time element” or waiting-period deductible that must be satisfied before the first-party business interruption coverage is triggered.
For example, a cyber-policy might require that your network be impaired for more than 12–24 hours before the business interruption coverage would apply or be triggered. Law firms should be aware of these policy features and requirements for reporting incidents and related business loss.
Determining How Much Coverage You Need
While there’s no simple formula for determining how much cyber-liability insurance any law firm should purchase, there are three key considerations when choosing insurance policy limits and deductibles:
- What is the most likely total dollar amount of any particular risk? Firms maintaining a significant amount of personally identifiable information, intellectual property, or highly confidential information, either for clients or staff, may need higher limits.
When evaluating appropriate limits, typical first-party costs incurred when a cyber-breach occurs include lost billing time, forensic investigation, legal fees to determine regulatory or notification obligations, notification, communication, and public relations costs, credit monitoring, and regulatory fines and penalties.
Third-party costs may include settlement/damages to third parties, legal fees to respond to a third-party loss, damages to network security of a trading partner or vendor, intellectual property infringement, and regulatory proceedings.
- How much of these costs can your firm afford to retain, either by not purchasing insurance or through a deductible or retention? Even if your firm has multiple safeguards to prevent a cyber-attack, the risk exists and recovery cost can be substantial. In determining insurance needs, many firms consider the worst-case scenario.
- What are your firm’s contractual obligations? Firms serving institutional clients may be contractually required to purchase certain minimum limits of cyber-liability insurance. Increasing numbers of law firm clients, particularly financial institutions and health groups, for example, are requiring their counsel to carry this insurance.
As Internet and cyber-related risks become increasingly widespread and complex, law firms and other professional services firms have become targets of a growing number of attacks. Managing these exposures requires a comprehensive approach that includes sound risk management practices and a careful evaluation of available insurance. Although insurance coverage and pricing have been improving, law firms need to evaluate their coverage options carefully, note potential coverage restrictions, and work with insurance companies to address them.
Portions of this article were adapted from the ABA’s guide, Protecting Against Cyber Threats: A Lawyer’s Guide to Choosing a Cyber-Liability Insurance Policy, which also was authored by Eileen Garczynski, a member of the ABA’s Standing Committee on Professional Liability. To order this publication, visit http://shop.americanbar.org/eBus/Store/ProductDetails.aspx?productId=240650436&term=cyber