Law firms that think they are adequately covered for cybersecurity risks may want to think again.
A firm’s insurer may have slipped an exclusion for data breaches into the general liability policy the firm has been renewing year after year. And even if there’s no troublesome exclusion in the professional liability policy, experts say it’s still likely that the firm will be left seriously exposed to a full range of cyber risks.
Now suppose a firm has taken the smart route and purchased cyber-specific coverage. Is the policy tailored to cover all the various losses and costs the firm should reasonably anticipate in the event of a privacy breach or computer attack?
“Data security and cybercrime are probably two of the greatest threats to law firms currently,” says Brooks R. Magratten, the partner in charge of Pierce Atwood’s office in Providence, Rhode Island.
Yet Magratten doesn’t believe that the policies typically purchased by lawyers do an adequate job protecting against cybersecurity risks.
Many of the conventional liability policies that lawyers have relied on for decades do not adequately cover the “textbook” data breach in which a person or entity reaches into a firm’s servers and pulls out sensitive information, according to Magratten.
“The insurance industry is creating a new line of specific coverage for data security that law firms will have to carry,” Magratten says.
Steven L. Schreckinger is a legal malpractice and insurance attorney at Anderson & Kreiger in Cambridge, Massachusetts. According to Schreckinger, while most big firms have comprehensive coverage under cyber-specific policies with all the “bells and whistles,” the average law firm still relies on either its general liability or professional liability policy. And that can be a mistake, he says.
“First, they may contain specific cyber-liability exclusions,” Schreckinger says. “Second, even if there are no exclusions for cyber-liability, they often contain sub-limits for data breaches that only cover a small fraction of the firm’s potential liability.”
Cyber-specific trend
Alan M. Reisch, an insurance coverage attorney at Boston’s Goulston & Storrs, sees two distinct coverage issues when it comes to law firms and cybersecurity.
The first relates to the lawyer’s professional obligation to protect his clients’ information. When a data breach involves a breach of that duty, Reisch says, a lawyer ordinarily should be able to look to his professional liability or malpractice policy for coverage.
“That professional obligation is part of a lawyer’s standard practice obligation and should be covered as a component of their legal work subject to the malpractice policy,” he says. “Some insurers agree with that; some don’t.”
The second coverage issue for Reisch is the law firm’s exposure both financially and “reputationally” from a cyber event — exposures that are distinct from the firm’s ethical obligation to its clients. Reisch sees cyber-specific policies increasingly becoming the best option for the coverage of those direct costs to the firm.
“There are specific cyber policies that are written for professionals,” Reisch says. “If you don’t have the coverage you need in place, you have to make a business decision about whether you want to go out and buy it.”
Stephen M. Prignano, whose practice includes insurance coverage disputes, says he’s noticed more insurance companies developing special-purpose policies addressing cyber risk.
“The typical professional liability policies, the typical general liability policies and property damage policies are not necessarily going to cover cyber risks,” says Prignano, a civil litigator at McIntyre Tate in Providence. “Many of those have exclusions for those risks or they may not address them directly, such that a court may not read those policies to cover risks associated with cyber activity.”
Schreckinger says insurers also are trying to restrict coverage of cyber claims under professional liability policies through the use of caps or “sub-limits.” In other words, a policy that would have $1 million in coverage for other kinds of breaches of professional obligations might provide only $5,000 or $10,000 worth of coverage for cyber liability.
“All of this is designed to get law firms to get cyber[-specific] insurance coverage,” Schreckinger says.
Law firms tend to be prime targets for cyber-extortion because they often don’t have the encryption and other information security protocols that publicly held companies make heavy investments in, according to Meredith Schnur, senior vice president of professional risk practice at Wells Fargo Insurance.
Coverage gaps
Every law firm should be conducting “desktop” reviews of their policies for gaps in cyber coverage, according to Reisch.
One insurance executive who understands the problems facing law firms that are counting on their professional liability policies in the event of a cyber event is Meredith Schnur, senior vice president of professional risk practice at Wells Fargo Insurance.
In the absence of an exclusion, Schnur says, professional liability policies generally do a fair job of insuring a firm against financial injury suffered by a third party as the result of a lawyer’s breach of his professional obligation to safeguard information.
However, Schnur says there are many cyber risks that would not be covered under the type of professional malpractice policy familiar to most attorneys.
For example, a law firm ordinarily would need a cyber-specific policy for coverage of crisis management costs, such as hiring outside counsel and forensic investigators to determine the nature and extent of a data breach, she says.
A professional liability policy also ordinarily wouldn’t cover the cost of notifying impacted parties and dealing with regulators in the event of a data breach that triggered obligations under state privacy law, she says.
Reisch says Massachusetts firms should be thinking in terms of cyber-specific policies that would cover the costs incurred in complying with the notification requirements of the state’s privacy statute, Chapter 93H.
“A cyber policy will probably protect you from those costs, subject to a deductible,” Reisch says. “Even a small firm has a lot of clients, and if it’s a broad-based breach, notification could be a very expensive proposition.”
Cyber-extortion is one risk that might not occur to lawyers. According to Schnur, law firms tend to be prime targets for cyber-extortion because they often don’t have the encryption and other information security protocols that publicly held companies make heavy investments in.
Schnur cites the problem of “ransomware,” a type of malicious software that blocks an organization’s access to its own computer system until a sum of money is paid to the hacker.
“These ransomware and cyber-extortion claims have been rampant,” Schnur says. “[Hackers] threaten to hold the information hostage and won’t release it unless you pay them a million dollars.”
Some businesses across the country have succumbed to ransom demands in order either to regain control of their computer systems or to prevent the release of confidential information, she says.
But firms also need to think seriously about business interruption coverage for cyber events, Schnur says.
“What happens if you have data that’s been corrupted and it wasn’t backed up? You’re frozen. Your attorneys can’t bill,” she says. “The business income loss that the firm incurs is not covered under a [professional liability] contract.”
Firms might be wise to ensure that a cyber-specific policy includes “dependent” business interruption coverage when there’s a risk that operations may be impaired due to problems with a third-party vendor, she adds.
“A typical malpractice policy is probably not going to cover the activities of that vendor,” Prignano observes. “That would be another example where it makes sense to have a separate standalone [cyber] policy.”
According to Prignano, too many firms use cloud services without really thinking through issues like the extent to which the data is secure.
“There have been breaches with respect to data contained in cloud services that end up coming back to haunt the attorney or the law firm,” he says.
Options aplenty
In shopping for cyber-specific policies, law firms that outsource computer services are advised to be mindful that coverage matches the way they operate because even some cyber policies don’t cover the negligence of third-party vendors.
Joseph J. Laferrera, head of the data security and privacy law practice at Gesmer Updegrove in Boston, says that, apart from third-party vendors, there may be cybersecurity risks stemming from other structural issues in a law firm. For example, a firm with multiple offices should be assessing the cyber risk posed by the sharing of information between offices.
“[Depending on the firm,] you present a different kind of target to hackers, so therefore what you need to do to protect yourself may be different, and what you need to do to insure against risk may be different,” Laferrera says, adding that it’s important to obtain a rider or separate policy when business interruption coverage under existing policies doesn’t appear to adequately protect against cyber risks.
Reisch says he’s noticed a big change in the availability of cyber insurance products in just the last five years.
“If what you’re looking to do is fill gaps with fairly standard cyber coverage that would provide protection for notification expenses and some reasonable amount of business interruption protection, those policies are available,” he says. “There is probably a policy at a price point that’s acceptable to anyone who’s practicing these days.”
Prignano, too, sees ample variety in terms of cyber coverages available to law firms.
“Some cyber policies are quite specific as to the risks that they address,” Prignano says. “For instance, you have policies that are specific to HIPAA violations, and policies specific to data breaches for financial losses like wire transfer fraud.”
Laferrera agrees that lawyers will find plenty of options to fill their coverage needs in the marketplace.
“If you’re willing to pay, you can get coverage for damn near anything,” he says.