As attorneys, our clients trust us with confidential information. Criminals are attracted by confidential information such as financial records, health records, Social Security Numbers, intellectual property, depositions, and criminal records. Loss of such information may result from a malicious attack (e.g., hacking, malware, or deliberate espionage), a dishonest employee, or theft of a notebook, tablet, or smartphone. Loss can also result from innocent mistakes such as losing a smartphone, unintended transmissions, or other human error that can occur in any busy practice.
According to Aon Corporation, the average cost for a privacy data breach is $217 per compromised record. Further, 47 percent of privacy breaches are the result of criminal activity, 25 percent employee error, and 28 percent system errors (tinyurl.com/hkldjyz).
Few lawyers or law firms attempt to practice without professional liability insurance; however, according to a recent ABA technology survey, only about 11 percent of responding lawyers indicated that their firm has cyber liability insurance. I believe that cyber liability insurance is an increasingly popular, almost necessary choice for law firms. In a recent ABA Journal article (April 1, 2015,), David L. Hudson Jr. came to the same conclusion. Overall, cyber insurance has been growing by about 60 percent per year over the past three years, according to Amy G. Mitchell, CIC CISR, vice president of commercial solutions for Murray Securus Insurance, a provider of cyber insurance (murrayins.com).
Your lawyer’s professional liability (LPL) insurance policy may help protect against third-party lawsuits, but there could be gaps related to
- privacy notification,
- crisis management,
- business interruption,
- cyber extortion threats (yes, this has happened to solos and small law firms), and
- recovery of data.
You need to ask whether your firm’s LPL policy has affirmative coverage for loss of client or third-party data as well as the out-of-pocket costs associated with responding to an incident. I have also seen instances where the firm’s own proprietary information was completely wiped out, leading to costly data restoration and/or re-creation expenses, such as with ransomware. Ransomware is malicious computer software that encrypts your firm’s files and holds them for ransom. Recent versions of ransomware encrypt even unmapped network drives and accessible backup files. If your firm lacks a protected backup of the files that have been encrypted by ransomware, your firm may have to pay the ransom or struggle without these files.
How Does Cyber Insurance Work?
Generally, cyber insurance is designed to assist before, during, and after an attack:
- Prevent: risk management resources.
- Protect: data risk liability and defense coverage.
- Respond: breach services and remedies with incident response.
Coverage generally falls into two categories: third-party, which often extends to fines and penalties arising from regulatory actions, and first-party, which addresses costs and expenses the insured incurs because of a security failure including notification, credit monitoring, investigation, forensics, and perhaps even lost income.
Cyber insurance policies often include one or more of the following types of coverage:
- liability for security or privacy breaches, including loss of confidential information by allowing, or failing to prevent, unauthorized access to computer systems;
- the costs associated with a privacy breach, such as consumer notification, customer support, and costs of providing credit monitoring services to affected consumers;
- the costs associated with restoring, updating, or replacing business assets stored electronically;
- business interruption and extra expense related to a security or privacy breach;
- liability associated with libel, slander, copyright infringement, product disparagement, or reputational damage to others when the allegations involve a business website, social media, or print media;
- expenses related to cyber extortion or cyberterrorism; and
- coverage for expenses related to regulatory compliance for billing errors.
Third-party (liability) coverage:
Privacy liability coverage. This coverage includes liability to the firm’s clients and employees for breach of private information. Seek trigger language that focuses on the firm’s failure to protect confidential information, regardless of the cause, rather than language requiring an intentional breach. Some, but not all, cyber policies also provide coverage for the firm’s failure to disclose a breach in accordance with privacy laws.
Regulatory actions. Not all cyber policies provide coverage for regulatory and other governmental actions. Even when they do provide regulatory coverage, some policies require that the action be initiated by a formal “suit” to trigger the defense obligation. Look for policies that cover defense from the earliest stages of an investigation, typically including a civil investigative demand or similar request for information. Try to include coverage for civil fines and penalties, too.
Notification costs. This coverage includes the costs of notifying third parties potentially affected by a data breach.
Crisis management. Most, but not all, cyber policies contain some form of public relations crisis management coverage.
Call centers. Because call centers tend to be one of the higher costs associated with data breaches, it is important to identify whether this coverage is expressly provided and any applicable limitations.
Credit/identity monitoring. This coverage is included in most cyber policies.
Transmission of viruses/malicious code. This coverage protects against liability claims alleging damages from the transmission of viruses and other malicious code or data. This risk may be relatively low in many law firms.
Theft and fraud. This covers certain costs related to the theft or destruction of the firm’s data, as well as theft of the firm’s funds.
Forensic investigation. This covers the costs of determining the cause of a loss of data.
Network/business interruption. This covers the costs of business lost, as well as additional expenses resulting from an interruption in the firm’s computer systems. Such coverage is often subject to limitations and conditions.
Extortion. This covers the costs of “ransom” if a third party demands payment to refrain from publicly disclosing or causing damage to the firm’s confidential electronic data.
Data loss and restoration. This covers the costs of restoring data if it is lost, and in some cases, diagnosing and repairing the cause of the loss. It may be excluded or limited.
Other key provisions:
Trigger—loss or claim. Cyber policies typically are triggered either by an event that results in the loss of data, or a “claim” arising from the event that is made against the insured firm during the policy period. The loss-type policy is often the preferred option, even though it may be more expensive.
Trigger—defense. In some cyber policies, the defense obligation is triggered by a “suit,” which requires a lawsuit or written demand against the insured. This definition may preclude defense of a claim that has yet to ripen into a lawsuit or a written demand (such as investigations).
Defense—choice of counsel. Given the substantial costs likely to be associated with a significant data breach (which could exceed the limits of the policy), the insured should seek to have substantive input into the choice of counsel.
Retroactive coverage. Cyber policies often contain a “retroactive date.” Losses arising from events prior to the retroactive date will not be covered.
Acts and omissions of third parties. Acts or omissions of third parties often may not be covered expressly, or even may be excluded. For example, if a firm uses the services of a third-party vendor to maintain its confidential employee or client information in the “cloud” and the vendor experiences a data breach, the firm could be sued by its clients or employees and may not have any coverage. There are cyber policies providing coverage for breaches of data maintained by third parties as long as there is a written agreement between the insured and the vendor to provide such services. If a law firm relies on any third parties to maintain any of its confidential client or employee information, it should seek to have coverage for breaches of data maintained by third parties expressly covered.
Coverage for unencrypted devices. Many cyber policies exclude coverage for data lost from unencrypted devices. If possible, seek cyber coverage without this limitation. In any event, encrypt confidential data in every device, including phones, tablets, notebooks, network storage, and backups, whenever possible.
Coverage for corporations and other entities. Cyber policies often define covered persons, for liability purposes, to include only natural persons. Firms should seek coverage that appropriately defines the scope of entities potentially affected by a data breach.
Policy territory—occurrences outside the United States. Even if a firm does not have offices outside the United States, its lawyers may lose or have stolen their notebooks, phones, and tablets containing confidential information while traveling abroad. Many cyber policies restrict the applicable coverage territory to the United States and its territories.
Breaches not related to electronic records. Some cyber liability policies restrict coverage to loss or theft of electronic data. However, many breaches occur as a result of loss or theft of paper (or other non-electronic) records. The best course of action is to choose a policy that covers both electronic and non-electronic data.
Location of security failure. Coverage under some cyber policies is limited to physical theft of data on the firm’s premises. This could be problematic in a number of situations, including theft of a laptop, phone, tablet, or external drive from an airport, restaurant, car, or an employee’s home.
Exclusion for generalized acts or omissions. Some cyber policies exclude coverage for losses arising from (1) shortcomings in security of which the insured was aware prior to the inception of coverage; (2) the insured’s failure to take reasonable steps to design, maintain, and upgrade its security; and (3) certain failures of security software. Avoid these types of exclusions, if possible.
Exclusion for acts of terrorism or war. It is unclear to what extent insurers will rely on this common type of exclusion when a data breach results from an organized attack by a foreign nation or hostile organization. To the extent possible, it’s preferable to avoid these types of exclusions.
The overall cyber insurance market saw robust growth in 2015, although large accounts and certain industries such as point-of-sale retailers and large health care companies began to see cyber insurance price increases. These trends are likely to continue through 2016 as this insurance segment matures. Further, policyholders and insurance carriers are likely to utilize the courts to refine the meaning of non-standard policy terms.
Cyber Insurance Litigation
Two recent cases may influence the expanding cyber insurance market. In Travelers Property Casualty Company of America v. Federal Recovery Services, Inc., No. 2:14-cv-170 TS (D. Utah, May 11, 2015), a Utah federal court found the insurer had no duty to defend its policyholder in the underlying lawsuit. Significantly, the parties were disputing coverage under the network and information security liability and technology errors and omissions liability parts of a CyberFirst Policy. Reportedly, this was the first coverage decision with respect to a stand-alone cyber insurance policy.
This case did not involve a data breach or other cybersecurity loss, but rather was a classic intent to injure versus negligent conduct dispute. Nevertheless, this case is important because the court interpreted the cyber insurance commercial general liability (CGL) and errors and omissions liability policy as if it was any other non-cyber policy. Thus, despite some novel terminology in cyberinsurance policies, court interpretations of cyber insurance policies may be more predicable than some feared.
In Columbia Casualty Company v. Cottage Health System, No. 2:15-cv-03432 (C.D. Cal.) (filed May 7, 2015), Columbia Casualty Company (CCC) filed a declaratory judgment action in federal court in California in 2015 seeking a declaration that it is not obligated to cover Cottage Health Systems (CHS). The litigation concerned a NetProtect360 policy containing privacy injury claims and privacy regulation proceedings coverage parts. The claim involved a data breach resulting in release of private health care patient information. CCC sought reimbursement for $4.125 million it paid in a related class action settlement. The policy contained a failure to follow minimum required practices exclusion. CCC contended that CHS failed to adhere to certain basic security practices such as file transfer protocol (FTP) settings, the application of patches, computer network assessments, and detecting network intrusions, and that its failure to do so was the cause of the data breach and subsequent loss. This case was dismissed for alternative dispute resolution. It serves as a reminder that policyholders do not want to be like CHS and think they are covered for data breach losses, only to discover post-breach that a broad exclusion and deficiencies in their cybersecurity apparatus and implementation left them exposed not only to data breaches but also potentially uninsured.
Where to Turn
Law firm cyber insurance is available from, among others, American Bar Insurance (ABI), some state bar associations, and perhaps your current insurer.
American Bar Association members are offered cyber insurance for law firms through ABI via Aon CyberBusinessPro plans. Aon has plans for solos and small firms of up to ten employees and up to $2.5 million in annual revenue; pricing ranges from $199 per year to $599 per year. (For full details of pricing and options, see aoncyberabi.com.)
Although cyber insurance is not a complete answer, many solo and small firm lawyers will undoubtedly sleep better at night knowing that some of the growing cyber risk can be mitigated with insurance.
Cybersecurity can no longer be ignored. Take action today to protect your clients, your firm, and yourself from this ever-growing threat to your pocketbook, privacy, and reputation. There is no silver bullet. Sound law firm cyber risk management includes people, policies, procedures, technology, and insurance solutions.
Protecting Against Cyber Attacks
For general tips on protecting your practice from the risks of cyber attacks, I recommend “What to Do When Your Data Is Breached” by Sharon D. Nelson, David G. Ries, and John W. Simek (GPSolo, January/February 2016, page 24). I also published some tips in my regular column, “Technology—Frankly Speaking: Cybersecurity for Law Firms” (The Berks Barrister, Fall 2015, page 8).