Cyber attacks on the rise: Does your law firm have insurance coverage?

Collin Hite, The Daily Record Newswire

Cyber attacks and theft are on the rise around the country. Law firms, while not currently a prime target, certainly have reason to worry. Unlike manufacturers, banks and retailers, law firms are a unique type of organization, and that makes them highly vulnerable.

Law firms are tempting targets

Sophisticated hackers do not try to penetrate outer defenses, such as firewalls. Instead, they target individual workstations through email, and hope a careless or unsuspecting employee will open the email. If opened, the fraudulent email allows the hacker into the network.

As usual, the human element is the weak link in the defenses employed by law firms. Most law firms allow almost every employee (including contractors) within the organization access to client data, regardless of sensitivity. Almost every employee has a computer connected to the firm network and the Internet, giving them great latitude to access the web and personal email through the firm’s computers.

In addition, law firms use a large amount of mobile technology. Regardless of type, most technology within the firms is not encrypted. Wire transfers are routine for law firms and are enticing to criminals.

Making matters more complex, law firms allow many outsiders, such as cleaning staff and security guards, to come inside the firm with few, if any, background checks, and with little knowledge of who these people are as they wander around after hours. You may recall the original Wall Street movie: how did Bud Fox gather the inside information? He got himself hired as custodian for the cleaning crew inside a law firm.

All of these factors make firms very vulnerable and likely targets. Hackers no longer grab the goods and run away; they stay within a network for months, remaining undetected while they collect more and more sensitive data on employees and clients, along with other private information.

Even more problematic, cyber insurance is an afterthought to many firms.

Tailor cyber insurance to fit the firm

Lawyers should consider that their legal professional liability is unlikely to cover a cyber breach, or at least much of it. Firms face third-party exposures, but also their own first-party ones. If a firm’s computer network is compromised, the potential for losses, such as business interruption, is large.

Cyber security breaches may raise ethical issues as well. Thus, it is critical to implement enterprise solutions for risk protection, which need to include appropriate cyber insurance.

Firms can obtain cyber insurance for first-party and third-party losses. It is critical to understand both and ensure there is appropriate coverage for both.

First-party coverage can include within its scope: 1) computer data restoration; 2) re-securing a company’s information network; 3) theft and fraud coverage; 4) business interruption; 5) forensic investigations; and 6) extortion.

Commentators note that first-party losses are usually the higher costs to a business suffering a cyber-attack, so adequate coverage in this area is vital.

Third-party coverage is needed as well. Of course, most coverage in this area will provide for a defense to litigation from your customers for their direct losses due to a breach. Insurance may also cover the following: 1) crisis management; 2) credit monitoring for customers; 3) the cost associated with notifying customers of a breach; 4) media and privacy liability; and 5) responses to regulatory investigations.

Some of the benefits of cyber insurance for firms include lower retention levels. This specialty insurance provides access to the insurer’s external resources for legal, forensic and credit protection services. Coverage may provide for privacy regulatory costs and payment of civil fines and penalties.

But this is an area of insurance in which the buyer must beware.

Cyber insurance is new, and the market does not have the benefit of understanding the scope of coverage through negotiations and court opinions. Therefore, due diligence before buying coverage is paramount.

Cyber insurance policies are definitely not all created alike. For example, some policies may exclude coverage for unencrypted mobile devices such as laptops. Firms need to develop a thorough understanding of their risks and also understand the scope of the cyber insurance they are placing.

A firm’s traditional insurance program likely will not cover cyber losses, or it may contain gaps in such coverage for cyber breaches. Cyber insurance policies can fill many of the gaps in traditional insurance, and provide direct loss and liability protection for risks created by the use of technology and data in an organization’s day-to-day operations.

There is no time like the present for policyholders (large and small) to analyze their insurance programs to determine if their current insurance will cover cyber risks or identify any gaps that may need to be filled. An ounce of prevention upfront from such an analysis may prevent a catastrophic breach, but insurance can be a valuable resource to backstop the problem.

—————

Collin Hite is the practice leader of the Insurance Recovery Group at Hirschler Fleischer P.C. He may be reached at (804) 771-9595 or chite@hf-law.com.