Cyber-Liability – What’s my exposure? Will my insurance respond?

Law firms of every size and discipline face growing exposures with respect to breaches in their computer security and information systems, with increasingly sophisticated attacks occurring more frequently. Due to rapidly changing policy coverages and premium in this area, it is important that you frequently review your firm's exposures and options for handling them. And just because you don't handle web-based transactions it doesn't mean you are insulated from a problem. Certainly, if your firm keeps records or information on-line or stored locally on hard-drives, you may be exposed to a potential uncovered loss.

Example #1 - recently, a small law firm wanted to upgrade their office computers. In the process of replacing their old computers they reviewed the manuals and formatted the hard-drives as instructed. The discarded hard-drives fell into the hands of a hacker and he was able to restore some of the data. He then disclosed financial records and personal issues of the firm's private clients, allegedly causing damage to the client's businesses and reputations.

Example #2 - recently a small law firm experienced a spam attack on their server. The attack overwhelmed the computer's capacity to respond to requests by sending as many as 200 bogus requests a second. The business interruption caused $50,000 in lost revenue and the costs associated with the re-build of the server were substantial.

Contrary to what many lawyers believe, many business insurance policies do not cover data and security breaches as common as those detailed above. The consequences of not having coverage may be catastrophic. Damages and costs from cyber-liability include investigating and containing the breach, communicating with customers, improving system security, defense and damages for allegations relating to unauthorized use of confidential information by third parties, data recovery, and even ransom demands. Furthermore, the costs associated with lost sales and re-earning customer trust are hard to quantify. Even a small breach may lead to a significant loss of money and billable hours. Buying the most cost effective first and third party coverage for your firm is critical.

How can a law firm protect itself from cyber-liability exposures? First, make sure you are working with a broker who understands this developing area of insurance and can properly assess your cyber liability exposures. This is a relatively new area of coverage, if your agent has not discussed it with you, you probably do not have it. Second, some exposures exists that can be controlled with sound risk management practices - frequent data backup and installation of up-to-date virus and hacker software protections are critical. Also, a formal risk management plan should be put in place with respect to items like electronic data backup and safeguarding, password protections and laptop handling procedures.

Cyber coverage can be complicated, and policy wordings and premiums vary dramatically and need to be negotiated correctly. Your broker should take the time to understand your business operations, identify your exposures, and complete a cost benefit analysis so a sound business decision can be made. Your broker can also be a risk management resource for you, helping to design non-insurance solutions to minimize exposures.

I, like many experts, believe that it is not whether you have the potential for a data breach. It is more a question of when that breach will occur.