As a profession, lawyers are notoriously slow to adopt new technology. While bar associations and state regulatory boards have emphasized for years that attorneys have an ethical duty to stay abreast of current and developing technology, many attorneys and firms fail to keep up with the ever-increasing pace of technological change. Attorneys may be unaware of the risks of performing work across multiple devices — each device is subject to being lost, stolen or hacked. These risks increase if a firm has failed to encrypt personal or other sensitive information.
Over the past several years, a number of large law firms have disclosed that they have been the target of hacks and data breaches. Recent studies have shown that up to 25% of firms with over 100 attorneys have suffered a data breach. Breaches of the firm’s (and potentially its clients’) data may come from a one-off event, such as a stolen smartphone, or from a targeted, system-wide intrusion into a firm’s network.
Law firms spend a lot of time and effort to protect their clients’ interests, but often overlook routine protection and security of clients’ (and their own) data. Law firms maintain and store a wealth of confidential data on behalf of clients, including tax information, financial statements, health records, deposition transcripts, records belonging to minor children, and intellectual property. This data is both highly sensitive and highly valuable to a potential hacker.
Clients, some of whom may be acutely aware of the risks, have begun to require that their legal service providers provide information regarding their data security processes and procedures. These clients will be much less willing to engage and provide confidential information to law firms that may not be able to adequately protect that information. Thus, law firms, like any other businesses that routinely gather, transmit, or host data, should have a comprehensive data security program in place.
While not a cure-all for data security risks, one important component to consider in putting together a comprehensive data security program is cyber insurance, as most general liability policies and professional liability policies now expressly exclude coverage for data breach claims. Many health services clients now require any vendor (including a vendor of professional services such as a law firm) who gains access to confidential information to carry cyber insurance policies with coverage up to certain limits.
The scope of cyber insurance policies can vary greatly. Law firms in particular should look carefully at the different options before investing in one, taking into consideration, at a minimum, the following.
Law firms need both first- and third-party coverage.
First-party coverage for loss of firm data: May cover loss or damage to firm data, restoration costs, corrupted or stolen data from a breach or theft, and loss of use of data from network interruption.
Third-party coverage for loss of client data: May cover breaches of client data and the exposure of that data to third parties, and may also cover governmental or regulatory costs or fines. (Make sure the policy covers corporate client data in addition to “natural person” data; some policies contain such a limitation on coverage.)
Be careful in the application and underwriting process.
Some underwriting processes will involve an audit of existing security policies and procedures prior to authorizing coverage.
Law firms should not overpromise or oversell the insurance company on any existing internal security policies.
Check whether coverage extends to information held by third parties, such as cloud vendors, litigation support providers, and offsite copy or storage services.
Look for any geographical restrictions on coverage and extension of coverage to data transmission outside of the firm’s offices.
Analyze the interplay between the firm’s potential cyber insurance policy and any vendor insurance policy to see how coverage is affected by a breach that involves both parties.
Look for coverage on data restoration or business interruption cost.
Coverage can include the cost of new hardware and other electronic infrastructure destroyed through a data breach, financial losses due to inability to conduct business without crucial data, and losses due to labor and technology in restoring recoverable data.
Policies differ on the insured’s ability to select professionals in the event of a breach.
The response team should include forensic investigators and attorneys experienced in cyber breaches, as well as other cybersecurity professionals.
If a firm is too small to have relationships with this range of professionals, the insurance company’s panel of approved professionals may be sufficient for its purposes.
But a larger firm may feel constrained in the event of a breach by a policy that requires it to use the insurer’s preferred professionals.
Ask whether the insurance company can provide a lawyer-specific endorsement, which can provide a more appropriate definition and scope of coverage for the insured law firm.
Other facets of cyber insurance policies may include coverage for notification to affected clients or third parties, forensic investigation costs, and coverage for any payouts in litigation over the breach. Firms should also carefully note whether the policy contains exclusions for losses of unencrypted data, such as data on a flash drive or other external device. If a firm has attorneys or other professionals working from home on a personal laptop or device, those devices are often unencrypted, and losses involving them would therefore not be covered under such an exclusion. Finally, firms should consider a policy that covers direct cash losses from unauthorized transfers out of client trust accounts due to a breach.
Aside from the purely economic issues, there are other ways that cyber insurance can help with overall data security policies. Internal law firm employee training on cyber risks, for example, can be coordinated with obtaining a cyber policy. Since insurance companies would prefer that their insureds not make claims, some policies include an array of pre-breach assistive services, such as independent security auditing and access to risk management firms, PR firms, and experienced cyber personnel. Firms should be aware of any policy requirement that the insured purchase upgrades or expansions recommended by the insurer’s loss-control personnel before the insurer will approve a renewal of coverage.
Remember, cyber insurance is just one weapon in the arsenal against data loss. Firms cannot rely on insurance to do the protecting — it’s there to help defray the costs of a breach, which can occur even with reasonable safeguards in place. The process of obtaining cyber insurance may help a firm become more aware of its vulnerabilities to a breach and take appropriate preventive measures to shore up those weaknesses. While no firewall or security plan is completely effective, taking appropriate precautionary measures will mitigate a firm’s risks and give clients more confidence in its security and competence.
Elizabeth (Lisa) Vandesteeg is a partner and Kathryn Nadro is an associate at Sugar Felsenthal Grais & Hammer. A member of this newsletter’s Board of Editors, Vandesteeg focuses her practice on bankruptcy, business divorce, partner and shareholder disputes, and privacy and data security issues. Nadro concentrates on commercial litigation as well as employment and labor matters. They can be reached at firstname.lastname@example.org and email@example.com, respectively.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.