Feature Article

Cyber Insurance 101 for Small and Mid-Sized Law Firms

by Rian Jorgensen


Rian Jorgensen is an insurance coverage attorney in the Executive Liability Practice of HUB International’s San Francisco office. He can be contacted at rian.jorgensen@hubinternational.com.

Suppose tomorrow you come to work, fire up your computer, and instead of getting your usual screen asking for log-in credentials, an ominous message appears advising that your firm’s computer system has been hacked. The “ransom note” states that if a certain amount of Bitcoin is forwarded to the hacker’s account in 48 hours, you can have your system back. If the demand is not met, the hacker promises to wipe out any and all of your records, essentially burning your “computer house” to the ground. What do you do? With apologies to the Ghostbusters, who you gonna call?

The first insurance for “cyber loss” was written in the mid-1990s. Cyber policies have come a long way since then, but the forms still vary widely. This industry might properly be considered to be in its adolescence—still a long way from seeing “standardized” policies such as those that we all purchase to insure loss for fire or theft. That said, there are some basic precepts that law firms should be aware of as they weigh whether to purchase this coverage.

Typically, cyber losses will not be covered by other insurance

Your professional liability policy will respond to allegations of malpractice and breach of fiduciary duty, but damages from these causes of action are rarely alleged in “pure” data breach situations. If a client’s confidential information has been compromised, the client will not be happy, but it does not necessarily follow that the client has a viable case for malpractice. In many cyber-loss situations (such as that described in our opening scenario), it is not even certain whether client information has been accessed.

Similarly, general liability (“GL”) and property policies exclude these “ephemeral” types of cyber losses. These traditional policies are simply not sold by insurers to address cyber claims–trying to secure coverage for a cyber loss under a GL or property policy is certainly akin to trying to pound a square peg into the proverbial round hole.

The main benefit of cyber insurance is to have experts teed up to address the problem immediately

Whether the first notice of claim is the message from a hacker, a visit from the FBI (surprisingly common), or advice from your IT professionals that they think something with the system is amiss, the problem needs to be addressed correctly, and as soon as possible. There is simply not the time to perform the traditional due diligence that most of us typically undertake when needing to hire a professional in an unfamiliar area. Should a law firm be hired? Which one? Should we let our IT guy or gal address the problem? They say they’ve got a buddy who deals with these issues all the time; should we turn it over to them? (To confirm, the unequivocal answers to these last two questions are “No.”)

The insurance companies that write this coverage have, by now, seen thousands of cyber claim scenarios. They have well-established playbooks, and vetted professionals on speed-dial who know what they are doing, can ask the right questions, and bring the correct resources to bear to properly address the claim, such as:

• Forensic IT expert “swat teams” to contain and fix the problem to the extent possible (including negotiating with the hackers and potentially paying the “ransom”–dealing in Bitcoins takes expertise all on its own).

• Legal advice on potential breach notification obligations to clients whose private data may have been compromised (each of the 50 states has its own requirements).

• Public relations consultants.

Qualified professionals in these disciplines are rare, and not inexpensive. Having an insurance policy in place to facilitate access to them on a turn-key basis is incredibly valuable.

Law firms have unique “first party” cyber exposures that need to be insured

If a small “main street” retailer’s computer system gets hacked, it can limp along to some degree. A wine shop can still sell its wine, an appliance store can still sell plumbing fixtures, and a grocery store can still ring up sales for groceries, adding up sales by hand if necessary.

The equation is fundamentally different for a law firm (along with most other “white collar” professional firms). Without access to computer systems, a lawyer cannot access the data he or she needs in order to work a billable hour. As an unpleasant thought experiment, imagine trying to function and provide competent legal services to your clients without access to any firm e-mails or computer records.

Lost billable hours resulting from a hack can quickly add up to tens (and in some cases hundreds) of thousands of dollars. A decent cyber policy will provide coverage for this “business interruption” loss (which is pointedly excluded from property policies that will otherwise typically respond in the event of a “standard” cause of loss, such as water damage or fire).

A well-constructed cyber policy with a reputable insurer (providing adequate limits of liability for a small law firm), can typically be placed for less than $10,000. If such coverage is purchased, it should be structured to meet the law firm’s needs (as opposed to accepting standardized off-the-shelf cyber endorsements from the GL or property insurer).

Editor’s note. Do you think that this article does not apply to your practice? Your firm is too small? Your data is not worth hacking? Think again. A recent CNA report, based upon its claims data, describes the vulnerability of law firms to internal data breaches. Lost or stolen laptops, tablets, and phones are the most frequent cause of a data breach claim. BYOD practices that enable lawyers to access the firm’s network and download proprietary or privileged data on, for example, personal cellphones without password protection, encryption, or remote data wiping capability create a significant risk. Staff can inadvertently cause a problem (“I just knew I shouldn’t have opened that attachment”). And then there is the “rogue (former) employee” problem—data stolen by uploading it to Dropbox, etc. or the firm’s server sabotaged on the way out the door. See CNA, Safe and Secure: Cyber Liability Practices for Law Firms, March 2015, at https://www.cna.com/web/wcm/connect/61aec549-ac28-457b-8626-aa791c782459/Safe_Secure_Cyber_Security_Practices.pdf?MOD=AJPERES.