An attorney’s decision to use a computer tablet, a cloud-based service such as Dropbox, a smart phone, a Wi-Fi network, or even basic email in the furtherance of delivering legal services is not in and of itself unethical nor a poor business decision. The real concern is with what the attorneys who use such tools do or don’t do with them. For example, portable devices, to include backup drives, can be lost or stolen; rogue programs that capture banking passwords, encrypt your data, or steal your data can be unintentionally downloaded; and unauthorized access to your data can occur as a result of a successful phishing attack, just for starters. These kinds of breaches are often the result of common missteps such as lax security procedures, falling victim to a social engineering attack, and even simple ignorance about how a given device works or what a computer app or program really does.
You’ve read the headlines. Who hasn’t heard about the Yahoo breach, the DNC email hacks, the rise of ransomware, Chinese cyber-spying, or Microsoft ending support of all of its browsers other than IE11 and Edge? And did you know that according to the 2018 ABA Legal Technology Survey, approximately 23 percent of participating law firms reported experiencing a data security breach of some kind? Taken together, one can surmise that cybercrime is going to continue to be a serious concern for the foreseeable future. Not to be pessimistic, but my personal perspective on the odds of a law firm having to deal with the fallout of a security breach is this: It’s not if it will happen, it’s solely a matter of when. Now if your response happens to be “we’re too small to be on anyone’s radar,” please understand that a significant percentage of cybercrime attack vectors are automated. The size of the target isn’t part of the equation. It’s simply about taking as much data or money as can be taken.
A significant issue that must be addressed given the proliferation of cybercrime is what the fallout might be for any attorney or firm who experiences a data breach. The things that come immediately to mind include legal liability to others for the theft, loss, or unauthorized disclosure of personally identifiable non-public information; legal liability for the theft or loss of third-party corporate information; being subject to regulatory action or scrutiny due to the failure to comply with relevant security breach notification laws; having to cover the costs associated with responding to and recovering from the breach to include the costs of finding, notifying, and perhaps providing one year of credit monitoring for all who were impacted by the breach; the consequences of any loss or damage to your reputation; and the loss of revenue due to the breach.
Clearly, technology is a double-edged sword. While its use by attorneys in order to practice is very appropriate — and I would argue mandatory in this day and age — doing so does expose attorneys to additional liabilities that can arise from identity theft, hacker malfeasance, cyber extortion, a security failure, hardware theft, and again, the list goes on. The problem is that for many there is an insurance gap in play. Should you ever find that your firm has been a victim of cybercrime, would your existing insurance cover it? For far too many the answer would be no, because malpractice policies and most general business insurance policies offer little to no coverage for cybercrime losses. The good news is that these risks can be properly covered with the purchase of a cyber liability insurance policy.
If you are not familiar with cyber liability insurance products, know that they vary greatly in terms of cost and offered coverage provisions, so a little comparison shopping might prove worthwhile. They are also claims-made policies, which means that they must remain in force if one is to have ongoing coverage. As a group, these policies are designed to provide protection against things like the following:
First Party Data Protection Loss – expenses incurred in order to regain access to, replace, restore, or recollect data impacted by a breach.
First Party Business Interruption – covers business interruption losses during the period of network restoration or extended network unavailability due to a breach.
Reputational Injury – a lawsuit resulting from your participation in social media.
Disclosure Injury – a lawsuit resulting from the unauthorized access to or dissemination of customer information.
Content Injury – a lawsuit alleging intellectual property or copyright infringement perhaps due to postings on your business website or blog.
Regulatory Defense and Penalties – covers claims, expenses, and penalties resulting from regulatory proceedings resulting from a breach.
Privacy Breach Response Expenses – to include costs associated with complying with relevant breach notification laws, public relations and crisis management, and computer security experts.
Cyber Extortion Expenses – the costs associated with investigations or paying for the return of or gaining back access to data.
Funds Transfer Fraud Coverage – available with some policies but note that a separate crime policy may cover this as well.
While one can never be completely free of the risk of becoming yet one more cybercrime statistic, the good news is that with the addition of cyber liability coverage this risk can be appropriately managed. Better yet, if you are an ALPS insured, this coverage is available as a separate policy on an opt-out basis, which makes it quite easy to put a policy in place.