From the White House to Congress and from Wall Street to the mom and pop storefront on Main Street, the issue of cybersecurity is one that is here and here to stay. Hacking computers is no longer a “cottage industry” or something done by lone disgruntled individuals or teenagers in their parents’ basement. This is now a criminal endeavor that is highly organized and getting more sophisticated each week. An article (Cyber Situations) in the magazine Best’s Review (April 2013) points out, the new breed of cyber criminals does not discriminate between large and small companies. As long as you have personally identifiable information in your database, whether internal server or cloud based, that information is at risk.
Obviously the best defense is a good offense as the saying goes, including ongoing staff training in the ever evolving cyber threats law firms or other businesses face. There is no easy solution, but a diligent IT department and well-informed C-suite and senior and risk management staff can certainly facilitate the research and deployment of prudent firm data security policies and procedures. But what if a breach does occur?
Cyber liability insurance, while relatively new to the law firm market, is emerging as an important component of a firm’s overall liability coverage. Client data, including social security numbers, credit card and other financial accounts, notes from attorney-client conversations, business transactions, etc., is enticing information that can be sold to illegitimate parties looking to make a quick profit or to exploit persons or businesses. Even the process of completing a law firm cyber insurance application can be enlightening, pointing out potential data security holes in a firm’s database, website, or portable devices such as smartphones, notebooks, and laptops used on the road or in the courtroom.
For perspective on the vulnerability of law firm data, the 2011 International Legal Technology Association (ILTA) Survey (pdf) indicated that 87% of law firms do not encrypt laptops; 61% have no intrusion detection tools; 64% have no intrusion protection tools; and for firms that purchase iPhones and Androids for employees, 94% don’t bother to track them. Not good for an industry that harbors highly sensitive information. And in a separate 2011 study (article), at least 80 major US law firms were hacked in that year.
An online article by Minda Zetlin on Inc.com (6 Reasons You Should Have Cyber Liability Insurance) brings home the argument that cyber liability insurance just isn’t for big businesses; that it totally makes sense for small business owners to get. If you get hacked, if customer or employee data is compromised, being covered may save your bacon and keep your doors opened for business as your general liability policy probably excludes losses because of the Internet, laptops, and mobile devices.
“Big corporations have entire departments devoted to analyzing the risks the company could face and helping set policies and procedures to protect against them. You don't--but a good insurance carrier can perform a similar function.”
Judy Selby and Brain Esser at Baker Hostetler penned a great post for Law Technology News about the basics of purchasing Cyberinsurance. More and more products like this are showing up on the insurance landscape and require some time for research and evaluation of what’s appropriate for your law firm or business. Depending on what you require, the applications can vary in depth and length.
"While cyberinsurance is not a replacement for diligent in-house data security policies and procedures, prudent businesses should seriously consider it as part of their risk management program. In fact, even the process of applying for cyberinsurance can serve as a useful road map for a business to improve its data security processes."
In this age of not if, but when a cyber breach occurs, law firms need to take the issue of cyber security and cyber liability extremely seriously, no matter if you’re a solo in Des Moines or a C-suite partner in Los Angeles.
Note: A component of the ALPS comprehensive Lawyers' Professional Liability Insurance coverage, ALPS Cyber Response was designed by cyber risk experts specifically for attorneys and is available with an ALPS LPLI policy on an opt-out basis. Learn more at: try.alpsnet.com/cyber