Cyberinsurance for Data Security Risks

By Ed Poll
October 29, 2007

The harms that can result from computer security breaches are largely uncovered by the types of insurance policies most law firms maintain. Combined with the inadequate security most law firms provide for client data, the resultant risk exposure arguably violates legal professional ethics. A firm's failure to adequately protect computer-based master files, time-and-billing records, court filings, wills, powers of attorney, corporate records, and other client-related materials is a violation of bar association requirements to preserve client files and more generally a failure in the firm's overall duty to act competently in the best interests of its clients.

Types of Exposure

Computer security breaches can have a first-party impact (on the firm itself) and a third-party impact (on clients). For example, an unauthorized system access that damages data or online services may render the firm itself inoperable.

Typical examples of third-party harms are identity theft and invasion of clients' privacy. Yet another area of exposure is Web site content and the infringement of a third party's intellectual property. A hacker could access the system to grab control of an e-mail database or client mailing list. The hacker could also hijack the firm's system to send out damaging malicious code such as computer viruses or worms.

Many insurers simply do not provide coverage for these unique exposures, or they take a band-aid approach by providing endorsements to their traditional property, fidelity, or professional liability insurance policies.

Cyberinsurance

The most effective way to provide relatively comprehensive coverage for computer disasters is through cyberinsurance, a specialized form of computer insurance that organizations such as American International Group, Chubb, and Lloyd's of London have offered since the late 1990s.

An effective cyberinsurance policy can handle both first-party losses and any third-party liabilities that a firm faces in a computer security disaster. Typical coverages include the following:

  • First-party business interruption covers revenue lost during system downtime caused by accidents and security breaches. Losses during catastrophic regional power outages, however, are typically excluded, much like the standard exclusions for floods and other 'acts of God.'
  • First-party electronic data damage covers recovery costs associated with compromised data such as those caused by virus infections.
  • First-party extortion covers ransom demands of hackers who claim to control systems or data and threaten to do serious harm.
  • Third-party network security liability covers losses associated with the compromise and misuse of data for such purposes as identity theft and credit card fraud.
  • Third-party (downstream) network liability covers judgments from lawsuits initiated by those harmed by denial-of-service attacks and viruses sent out over the firm's system.
  • Third-party media liability covers infringement and liability costs associated with Internet publishing, including Web sites, e-mail and other interactive online communication.

Purchase Options

Cyberinsurance usually costs more than conventional liability or business interruption insurance. Unlike traditional insurance policies, cyberinsurance has no standard 'scoring system' or actuarial tables for pricing premiums. Each insurance company has its own way of grading customers, with methods varying according to the type of insurance. Before insurers provide a cyberinsurance policy quote, they usually require potential purchasers to fill out a questionnaire detailing the steps already implemented to ensure computer security: firewalls, laptop computer encryption, anti-virus protection, and similar common-sense steps that all firms should take.

A desire to buy cyberinsurance is no guarantee that a carrier will sell coverage. Industry estimates are that about 10% of applicants are turned down, and around 25% pay higher premiums or have coverage restrictions because they do not have adequate data security procedures in place. Some insurers require verification of safeguards by an outside data security firm, much as they require a doctor's physical before granting a life insurance policy.

The costs of cyberinsurance vary substantially. A June 2007 Computerworld assessment by Lamont Wood [see http://tinyurl.com/3co9hd] quotes two insurance executives as saying that policies could cost anywhere from $7,500 to $20,000 per million dollars of coverage. An insurance broker noted that costs for his company's network-risk policies ($10,000 to $20,000 per million dollars of coverage) would double if coverage were added for professional services Errors & Omissions. Wood further quotes an exasperated customer who asked five insurers to bid on identical coverage and received quotes ranging from $16,000 per year to $70,000.

Purchase Strategies

Any firm interested in cyberinsurance should first review its current liability coverage. Ask whether too much is being spent on traditional plans such as property and errors-and-omissions coverage when more of the firm's worth resides in unprotected data.

Itemize those aspects of firm operations that would be affected by a data security disaster and attempt to quantify how much loss could result, particularly in third-party litigation.

Be sure that data security policies and procedures will pass scrutiny before attempting to purchase a policy.

Get multiple cyberinsurance policy quotes. It is estimated that up to 20 companies now offer some kind of coverage. Compare policies carefully to determine what they cover and exclude.


Ed Poll is the president of LawBiz Management Company (www.lawbiz.com and www.lawbizblog.com) and a longtime member of the Board of Editors of our sibling newsletter Accounting & Financial Planning for Law Firms. Disaster Preparedness & Recovery Planning for Law Firms is the most recent title in his Business of Law series of special reports. He may be contacted at 800-837-5880 or [email protected].