Lawyers: Buying Cyber Liability Insurance is Not Optional

A cyberattack or breach can have serious consequences for law firms, including: theft of client monies and assets, breaches of confidential and sensitive information, structural and financial instability, reputational damage, damage to IT infrastructure and loss of clients. Cyberthreats continue to escalate and law firm leaders face a lot of pressure to protect their clients’ data as well as their own. 

A law firm’s entire business is built on trust. If a law firm suffers a cyber breach or loss of client data, it can substantially impair the firm’s reputation in the community. The impact will be even more severe if the firm has no cyber insurance to help it respond financially to the loss. Attorneys, like the rest of the business world, simply cannot afford to suffer these types of losses and continue to operate.

A firm victimized by a cyberattack may need to hire experts to investigate the breach, reassure clients, stop any reputational damage and address possible regulatory inquiries, all of which can be very costly and time-consuming. A common question we get asked is, “Isn’t this covered under my Lawyer’s Professional Liability (LPL) policy?” The answer is NO.

It is a grave misconception that a law firm’s professional liability insurance will cover everything related to a data breach. Depending on the carrier, an endorsement may be added to your LPL policy; however, that provides a “sliver of coverage”. For example, an endorsement might cover the cost to restore data, but not pay any fines stemming from the breach. Then what? The firm pays out of pocket for those fines.

To understand why law firms need cyber insurance, it is helpful to get a firm grip on what exactly these policies are and what they cover. 

First Party Coverage

First party coverage covers your own data or lost income after a data breach. It is designed to lessen the financial impact on your company of a data breach or cyberattack that targets your own business. It covers the cost of:

  • Communicating with affected customers
  • Providing credit monitoring 
  • Executing PR and reputation management campaigns 
  • Other recovery activities 

This portion of the policy is crucial for businesses that store sensitive client or customer information online, such as credit card numbers or Social Security numbers. Below are some common first party claim scenarios:

  • Someone plants a virus, malware, or spyware on your computer hard drive
  • An employee accidentally destroys a database
  • A hacker launches a denial of service (DoS) attack against you
  • A power surge wipes out your business server
  • Someone holds your computer data for ransom

Third Party Coverage

As a law firm that most often holds clients’ personally identifiable information (PII), you are responsible for the online security of that data. This includes protecting your clients’ information from cyberattacks and data breaches. If your law firm experiences a cybersecurity breach and you are sued by your client, third-party cyber liability insurance can pay for your business’s legal expenses. Third-party cyber insurance covers:

  • Legal defense costs
  • Settlements if you and the client settle out of court
  • Judgements you’re legally obligated to pay after a data breach

Business Interruption

When a system failure causes a company a direct loss of income, it’s called business interruption (BI). The failure could have a variety of causes, such as criminal hacking, malicious insiders, or a distributed denial of service (DDoS) attack.

Almost all BI coverage has a waiting period. This holds a company responsible for a period of system downtime before the insurance starts paying out, meaning short-term outages won’t result in a claim paid. Most sophisticated cyber insurance carriers have an 8-12 hour waiting period; at The Bunker, we have partnered with Corvus, which gives our policyholders a six-hour waiting period as standard on every policy.

A loss of access or even a slowed-down network can lead to lost revenue. Any kind of disruption in work, even for a short duration, can be costly. In 2016, Delta Airlines faced a major network outage that lasted for five hours, and it cost the company $150 million.

You Have an Ethical Responsibility

Cyber liability insurance plays an important role in helping law firms meet their ethical obligations to protect client information. Ethical guidance on this issue is clear: the risk of a law firm experiencing a data breach is no longer a question of if, but when.

As an attorney, you are expected to take reasonable steps to safeguard client data and confidential information. That responsibility extends beyond basic IT practices and requires ongoing attention to how technology, systems, and processes are managed within the firm.

Duty of competence
Attorneys have a duty to understand the risks associated with the technology they use. This includes implementing reasonable and appropriate security measures to protect electronic data and communications. Competence today requires an awareness of cyber risks and how those risks can impact client confidentiality.

Obligation to monitor systems and procedures
Law firms are expected to reasonably and continuously assess their systems, standard operating procedures, and incident response plans. Cyber risk is not static. Monitoring access, security controls, and response readiness is part of meeting ethical expectations in a technology-driven practice.

Duty to respond and stop a breach
If a breach is suspected or detected, attorneys must take reasonable steps to stop the attack and prevent further exposure of client data. This often requires quick action, coordination with IT and legal professionals, and access to resources that can contain and investigate the incident.

Duty to notify affected clients
When a breach has occurred, attorneys have an obligation to notify affected clients in a timely manner. Clients must be provided with sufficient information to understand what happened and to make informed decisions about how to protect themselves moving forward.

Cyber liability insurance does not replace ethical responsibility, but it can support a firm’s ability to respond effectively when an incident occurs. In today’s environment, preparing for a breach is part of practicing law responsibly — and protecting client trust depends on it.

Having a cyber liability insurance policy is becoming less of an option and more of a requirement. At The Bunker, we are ready and equipped to help your business and your clients stay protected. Start by receiving a Dynamic Loss Prevention (DLP) report, which scans your law firm’s digital presence for vulnerabilities. The DLP report breaks down the information into a single Smart Score (a weighted measure of overall security), Risk Exposures (ratings for eight risk groups that comprise the Smart Score), a Peer Benchmark, and recommendations to fix vulnerabilities, prioritized by potential impact on overall security. Give us a call at 954-239-7346 or send us an email to get started today!

Want a quote?

Our team is ready to help you save precious time, aggravation, and hard earned money! Start the process at the bottom of this page, or by clicking the button below!
