Every day we hear stories about massive computer hacking. While they often do not get the publicity of large firm cyber breaches, mid-sized and small law firms are not at all immune from this phenomenon. In fact, cybercriminals often consider mid-sized and small firms attractive, vulnerable “weak links,” given: (1) their relative lack of sophistication in using technology to protect confidential information; and (2) the information they may possess, such as confidential information about cases, client information, privileged communications and attorney work product, and personally identifiable information for employees, clients, and third parties.
Recent studies indicate that a quarter of all law firms have suffered cyberattacks.
The consequences of cybercrime are significant, including: business interruption from losing access to work product and documents; incurring substantial costs to regain access and repair damaged systems; payment of ransom to cybercriminals; and malpractice, ethics, governmental, and other third party claims arising from data breaches.
REDUCE THE RISK
Law firms need to use every tool at their disposal to avoid becoming the victim of cybercrime in the first place.
Steps to avoid cyber-attacks include: requiring encryption of all confidential information; using cloud computing software with safeguards in place; using strong passwords in computers and other devices; using web-based client portals instead of email to share sensitive information; using strong intrusion detection and counter-espionage software; having up-to-date written policies addressing cybersecurity; and providing regular, effective user education on firm policies and procedures, risks, and trends.
Taking such steps will not only reduce the risk of cybercrime but can reduce the cost of cyber insurance premiums.
EFFECTIVELY INSURE AGAINST CYBERCRIME
Even with careful and thorough protections in place, firms also need to protect themselves by having proper insurance coverage in place in case they are nevertheless victimized. Cybercrime is usually hard to detect and prevent, and the financial cost can be devastating. Firms often mistakenly believe they are adequately covered by their existing general liability and malpractice policies, only to discover – too late – that they will not in fact cover many of the substantial costs resulting from cybercrime.
Business interruption commonly results from computer hacking. The cost to any firm of having to shutter its business for any significant period of time – while forensic analysis is done to identify the problem and then restore the system – is substantial and could potentially threaten the financial life of the firm. General liability policies may not insure business interruption losses caused by cyberattacks.
Another growing type of cyber-attack is the ransomware attack. When ransomware software is hacked into a firm’s system, the firm can be completely locked out of its own computer system, including, for example, time and billing. Law firms and other entities (including governmental entities) regularly pay cybercriminals substantial sums to delete their ransomware and return control to the firm, an expense unlikely to be covered under a general liability policy.
While cyber insurance policies are not yet standardized in what they cover, they may cover costs that would not exist under the firm’s other insurance coverages, including: legal fees, the cost of computer forensics to identify the cause and solution, and the expense of notifying affected third parties of a data breach; ransom money paid to stave off the threats made in ransomware attacks and to return control of the computer system; loss of income and the cost to regain lost data and restore business operations; loss of money or securities stolen in cyber-attacks; and liability to third parties for unauthorized access to their data or failure to provide notification of the data breach, and for government/regulatory claims.
Many insurers offer law firm risk management resources to prevent attacks from happening and to respond to them effectively.
UNDERSTAND YOUR COVERAGES
Since cyber policies are relatively new, the coverage they offer can vary significantly from insurer to insurer. It is important to understand the risks your firm faces (to avoid under or over-insuring), the coverages afforded under your existing general liability and other policies, and how those coverages interplay with the cyber policies you are considering.
An experienced insurance broker can make a difference in helping to identify the best policy for your needs. Getting the right cyber policy in place for the needs of your firm is your last line of defense in the ongoing battle against cybercrime.
Daniel Hager