Recently, Sensei Vice President John Simek and I were lecturing to the Young Lawyers Division about cybersecurity. As always, we stressed that firms need to take reasonable steps to secure client data – and what is reasonable will vary with the sensitivity of the data, the technology being used and the size of the firm and its available resources.
One lawyer asked, “Once I’ve done what is reasonable, aren’t I ok? Won’t my insurance policy cover me if I have a problem?”
Sadly, the answer is usually no. If your server suffers physical damage, most insurance companies will replace it. When Sensei’s building had a fire and we were largely out of commission for a week, our insurance company picked up lost profits.
But if you suffer a data breach, it is unlikely that your current policy covers the cost of complying with Virginia’s data breach law or your ethical duties. It probably does not cover the cost of investigating and remediating the breach. Damages suffered by your clients as a result of the breach are likewise not usually covered.
There is indeed a “mind the gap” attitude that lawyers need to have – recognizing that there is a risk between reasonable information security and the potential liabilities arising from suffering a data breach. That gap is best filled by a cyberinsurance policy – which may be a separate policy or a rider to your current policy.
Many insurance companies now offer cyberinsurance policies, but beware – terms and prices are all over the map. Be a savvy shopper and compare! Think through the liabilities that a data breach might cause and make sure you are covered.
“It can’t happen here” is a common law firm mindset. Wrong. It can and probably will. We are aware of more than 150 law firm data breaches since 2010. There are probably many more. In defiance of ethical duties and state data breach notification laws, law firms often choose to hush up a breach. The breaches range from a two-attorney firm in Virginia to the well-respected Wiley Rein firm in D.C.
The FBI began notifying law firms that they were being targeted in 2009 and has been hammering law firms ever since, trying to impress upon them that they are easy targets and often the “soft underbelly” through which hackers can get to client data. You are far more likely to get into the network of IBM’s law firm than into IBM’s own network.
So do what your insurance company and all infosec experts recommend. Get a security assessment – at least annually. You may even get a discount on your insurance if you have one done by an outside security firm. These assessments may be less expensive than you think – and go a long way toward hardening your data security. We have never – ever – done an assessment and found a law firm to be wholly secure.
And being secure today doesn’t mean you’ll be secure in six months. So – mind the gap – and look into cyberinsurance to mitigate your risk!
Thanks to our friend Sharon D. Nelson, Esq. for this great guest blog entry. Sharon is President of Sensei Enterprises, Inc., a computer forensics and legal technology firm headquartered in Fairfax, VA. You can follow her blog at: http://ridethelightning.senseient.com/.
ALPS is now offering Cyber Liability Insurance Coverage to our insured attorneys. To learn more about ALPS Cyber Response, go to http://protectionplus.alpsnet.com/cyber/ or call us at 800-367-2577.