Why You Want To Have Cyber Liability Insurance

Updated June 2023

An attorney’s decision to use a computer tablet, a cloud-based service such as Dropbox, a smart phone, a Wi-Fi network, or even basic email in the furtherance of delivering legal services is not in and of itself unethical nor a poor business decision. The real concern is with what the attorneys who use such tools do or don’t do with them. For example, portable devices, to include external hard drives, can be lost or stolen; rogue programs that can capture banking passwords, encrypt your data, or steal your data can be unintentionally downloaded; or unauthorized access to your entire network can occur as a result of someone opening an email attachment. Network breaches are often the result of common missteps such as lax security procedures, falling victim to a social engineering attack, and even simple ignorance about how a given device works or what a computer app or program really does.

We all have read the headlines. Ransomware continues to plague businesses of all shapes and sizes, state-sponsored threat actors have launched countless covert cyber espionage and sabotage attacks worldwide, and deepfakes are no longer considered an emerging threat. And did you know that according to the 2021 ABA Legal Technology Survey, approximately 25 percent of participating law firms reported experiencing a data security breach of some kind? Taken together, it’s clear that cybercrime is going to continue to be a serious concern for the foreseeable future.

Not to be pessimistic but my personal perspective on the odds of a law firm having to deal with the fallout of a security breach is this. It’s not if it will happen, it’s solely a matter of when. Now if your response happens to be “we’re too small to be on anyone’s radar,” know that 17% of the solo and small firms (2-9 attorneys) that participated in the ABA’s 2021 survey reported experiencing a breach. Also understand that a significant percentage of cybercrime attack vectors are automated. The size of the target isn’t part of the equation. The hackers simply want to get their hands on as much data or money as they can.

Given all this, the question becomes what might the fallout be for any attorney or firm who experiences a breach? The things that come immediately to mind include legal liability to others for the theft, loss, or unauthorized disclosure of personally identifiable non-public information; legal liability for the theft or loss of third party corporate information; being subject to regulatory action or scrutiny due to the failure to comply with relevant security breach notification laws; having to cover the costs associated with responding to and recovering from the breach to include the costs of finding, notifying, and perhaps providing at least one year of credit monitoring for all who were impacted by the breach; the consequences of any loss or damage to your reputation; and the loss of revenue due to the breach.

These risks are not something to take lightly. Consider just the response and recover concern. Here’s what this might look like. Once a breach has been discovered (the timing of which can vary from becoming immediately aware, with something like a lost laptop, to it taking months or even a year or more with something like a sophisticated network breach), you must first terminate the breach and then determine what and whose data has been exposed. For example, you might need to investigate whether the login credentials on a stolen laptop were used to gain access to the network. If not, you would then need to take steps to prevent that from ever happening. Or it might be necessary to try to determine what data was on the stolen backup drive or what data the hacker had access to while on the network. In other words, the specifics of the initial called for response will vary depending upon the specific circumstances of the breach.

If a mobile device was stolen, the called for response may be quick and easy. Perhaps a remote wipe of its data will solve the problem. On the other hand, if it’s your firm’s network that was breached, the network must be disconnected from the Internet and a computer forensic expert brought in to investigate. Obviously, the network would be unavailable for use until that work is completed. Typical downtime could easily run from a day or two to a week or more. The reason is the forensic expert will need to create a duplicate image of the breached systems in order to have the ability to properly analyze the data. This expert will try to determine the who, what, when, where, and how of the breach and then provide a report of the results. The costs associated with this service will vary widely depending upon the situation at hand. Plan on several thousand at a minimum but it could go much higher even for small law firms.

Once this effort is complete, however, the network is still unavailable. In addition to having someone come in to analyze the breach, someone must also remove the rogue software; fix the vulnerability that enabled the attack to occur; and, if possible, try to recover or restore any damaged or lost data. And again, downtime for this work can run from a day or two to several weeks depending upon the severity of the attack. Once all this is completed, the office can begin to use network resources again. While the system recovery process may now be over, realize the overall response process is just getting started.

With the forensic breach analysis report in hand, it’s now time to look into the breach notification laws you might be subject to. All fifty states, Washington DC, Puerto Rico, and the USVI have enacted laws that require those who maintain personal information of others to not only protect that information, but to notify the owners of the information if and when a data breach occurs. The type of information you need to be concerned about includes the names, birth dates, social security numbers, credit card numbers, financial account information, and health records not only of clients but firm staff and attorneys as well.

While an in-depth review of these statutes is beyond the scope of these materials, know that in the event of a breach these statutes require that state governments and those who have been impacted by the breach be notified without delay. Also, be aware that the notice requirements are not based upon the location of the network or computer that was breached. They are based upon where those impacted by the breach reside. Thus, a breach of your network could result in an obligation to notify multiple state governments and to comply with their various statutes.

The tasks associated with notification compliance include determining which state law’s you’re going to be subject to, meeting notification deadlines that can be as short as five days, setting up the contact database, verifying contact information, writing the notification letter, printing and mailing these letters, dealing with any returned mail, and handling all the calls that will come in once these letters are received. If your firm’s entire contact database was breached, the total cost of complying with breach notification laws could become significant and we’re still not done.

Obviously, your firm’s reputation could be in serious jeopardy post notification. One way this can be controlled is by offering to provide credit monitoring depending upon what type of information was breached. Not only might this help with reputation damage control, but this may prevent some clients or others from seriously considering suing your firm because you have taken steps to help put their concerns to rest.

Finally, one brief aside. By way of state breach notification laws, a few states have mandated the use of encryption of all records and files that will be transmitted across public networks or through wireless connections that contain personal information such as social security numbers. Another jurisdiction requires encryption if such information is stored on portable devices like laptops and computer tablets. My point is this. Hopefully, you don’t discover post breach that you have been out of compliance with any of these regulations. Awareness of what these statutes say in jurisdictions you might be subject to may prove to be a worthwhile endeavor.

Clearly technology is a double-edged sword. While its use in the practice of law is quite appropriate, and I would argue mandatory in this day and age, doing so does expose attorneys to additional liabilities that can arise from identity theft, hacker malfeasance, cyber extortion, a security failure, or hardware theft just for starters. The problem is there may be an insurance gap in play. Should you ever find that your firm has been a victim of cybercrime, would your existing insurance cover it? For far too many, the answer would be no because malpractice policies and most general business insurance policies offer little to no coverage for cybercrime losses. The good news is that these risks can be properly covered with the purchase of a cyber liability insurance policy.

If you are not familiar with Cyber liability insurance products, know that they can vary greatly in terms of price and offered coverage provisions so a little comparison shopping might prove worthwhile. These are also claims-made policies which means that they must remain in force if one is to have on-going coverage. As a group, these policies are designed to provide coverage for things like the following:

Conduit Injury – a lawsuit resulting from a network security failure that caused additional damage to a client’s computer network

Reputational Injury – a lawsuit resulting from an attorney’s participation in social media

Disclosure Injury – a lawsuit resulting from the unauthorized access to or dissemination of client information

Content Injury – a lawsuit alleging intellectual property or copyright infringement perhaps due to postings on the firm’s website or blog

Privacy Notification Expenses – the costs associated with complying with relevant breach notification laws, and with some policies, can include the cost of attorney fees and/or credit-monitoring services

Crisis Management Expenses – the costs associated with bringing in outside experts to investigate the incident and fix the problem, and with some policies, can include the cost of a public relations consultant

Extortion Expenses – the costs associated with investigations or paying for the return of or gaining back access to data

Theft of Money – available with some polices, but note that a separate crime policy may cover this as well

Be aware, however, that the costs for cyber liability insurance can vary greatly depending upon the desired limits and the specific coverages being offered. Relatively speaking, this is a newer insurance product. As such, the pricing and product will evolve and change as the cyber liability marketplace continues to mature.

While one can never be completely free of the risk of becoming yet one more cybercrime statistic, the good news is that with the addition of cyber liability coverage this risk can be appropriately managed. Better yet, if you are or become an ALPS insured, this coverage is available as a separate policy on an opt-out basis which makes obtaining coverage quite convenient.