A cyberattack or breach can have serious consequences for law firms, including: theft of client monies and assets, breaches of confidential and sensitive information, structural and financial instability, reputational damage, damage to IT infrastructure and loss of clients. Cyberthreats continue to escalate and law firm leaders face a lot of pressure to protect their clients’ data as well as their own.
A law firm’s entire business is built on trust. If a law firm suffers a cyber breach or loss of client data it can substantially impair their reputation in the community. The impact will be even more severe if the firm has no cyber insurance to help them respond financially for the loss. Attorneys, like the rest of the business world, simply cannot afford to suffer these types of losses and continue to operate.
A firm victimized by a cyberattack may need to hire experts to investigate the breach, reassure clients, stop any reputational damage and address possible regulatory inquiries- which can all be very costly and time consuming. A common question we get asked is, isn’t this covered under my Lawyer’s Professional Liability (LPL) policy? The answer is NO.
It is a grave misconception that a law firm’s professional liability insurance will cover everything related to a data breach. An endorsement to your LPL may be added depending on the carrier, however, that provides a “sliver of coverage”. For example, an endorsement might cover the cost to restore data, but not pay any fines stemming from the breach. Then what? The firm pays out of pocket for those fines.
To understand why law firms need cyber insurance, it is helpful to get a firm grip on what exactly these policies are and what they cover.
First Party Coverage
First party coverage covers your own data or lost income after a data breach. It is designed to lessen the financial impact on your company for a data breach or cyber attack that targets your own business. It covers the cost of:
- Communicating with affected customers
- Providing credit monitoring
- Executing PR and reputation management campaigns
- Other recovery activities
This portion of the policy is crucial for businesses that store sensitive client or customer information online, such as credit card numbers or Social Security numbers. Below are some common first party claim scenarios:
- Someone plants a virus, malware, or spyware on your computer hard drive
- An employee accidentally destroys a database
- A hacker launches a denial of service (DoS) attack against you
- A power surge wipes out your business server
- Someone holds your computer data for ransom
Third Party Coverage
As a law firm that most times has clients personal identifiable information (PII), you are responsible for the online security of that data. This includes protecting your clients information from cyberattacks and data breaches. If your law firm experiences a cybersecurity breach and you are sued by your client- Third party cyber liability insurance can pay for your business’s legal expenses. Things having third-party cyber insurance covers:
- Legal defense costs
- Settlements if you and the client settle out of court
- Judgements you’re legally obligated to pay after a data breach
When there is a system failure, and a company has to face a direct loss of income, it’s called business interruption (BI). The failure could be due to a variety of different reasons such as a criminal hacking, malicious inside elements, and distributed denial of service (DDos) attack.
Almost all BI coverage has a waiting period. This holds a company responsible for a period of system downtime before the insurance starts paying out, meaning short-term outages won’t result in a claim paid. Most sophisticated Cyber Insurance carriers have an 8-12 waiting period, at The Bunker we have partnered with Corvus who gives our policyholders a six hour waiting period as a standard on every policy.
A loss of access or even a slowed down network can lead to lost revenue. Any kind of disruption in work, even if it’s for a short duration, it can be costly. In 2016, Delta Airlines faced a major network outage that lasted for five hours, and it cost the company $150 million.
You Have an Ethical Responsibility
The American Bar Association Formal Opinion 483 makes it clear that lawyers have a duty to notify clients of a data breach and details reasonable steps for them to take to meet obligations set for by the ABA model rules. By purchasing cyber liability insurance you can fulfill your ethical responsibility when it comes to taking reasonable steps to keep your clients data safe. The opinion states matter-of-factly that the risk of law firms experiencing a data breach is not if, but when. The opinion outlines requirements for before, during, and after a cyberattack targeting law firms:
- Duty of competence – Adequate security measures must be taken regarding technology
- Obligation to monitor- you must reasonably and continuously assess their systems, standard operating procedures and plans for mitigating a security breach
- Stopping the breach- if a breach is suspected or detected, the lawyer must take reasonable steps to stop the attack and prevent any further exposure of data
- Notice of breach- Lawyers who can detect a breach must inform their clients in a timely manner and with reasonable information for the clients to make informed decisions
Having a cyber liability insurance policy is becoming less of an option and more of a requirement. At The Bunker, we are ready and equipped to help your business stay protected and also your clients. Start by receiving a Dynamic Loss Prevention report that scans your law firm’s digital presence by searching for vulnerabilities. The DLP report breaks down the information into a single Smart Score (a weighted measure of overall security), Risk Exposures (ratings for eight risk groups that comprise the Smart Score), a Peer Benchmark, and recommendations to fix vulnerabilities, prioritized by potential impact on overall security. Give us a call at 954-239-7346 or send us an email to get started today!