Cyberinsurance for Data Security Risks

By Ed Poll
November 26, 2007

The harms that can result from computer security breaches are largely uncovered by the types of insurance policies most law firms maintain, and that exposes those firms to unnecessary risk from theft of client data.

Combined with the inadequate security most law firms already provide for client data, the resulting exposure may well violate legal professional ethics. A firm's failure to adequately protect the following is a violation of Bar Association requirements to preserve client files and, more generally, a failure of the firm's overall duty to act competently in the best interests of its clients:

  • Computer-based master files;
  • Time-and-billing records;
  • Court filings;
  • Wills;
  • Powers of attorney;
  • Corporate records; and
  • Other client-related materials

Types of Exposure

Computer security breaches can have a first-party impact (on the firm itself) and a third-party impact (on clients). For example, an unauthorized system access that damages data or online services may render the firm itself inoperable. (Even this scenario may also lead to a third-party loss to clients if they rely on the firm's extranet for aspects of their own business operations.)

Typical examples of third-party harms are identity theft and invasion of clients' privacy. Another area of exposure is Web site content and the infringement of a third party's intellectual property. A hacker could access the system to take control of an e-mail database or client mailing list, or hijack the firm's system to send out malicious code, such as computer viruses or worms.

When a third party is harmed and the firm is responsible, of course, a lawsuit will likely be filed.

Many insurers simply do not provide coverage for these unique exposures, or they take a band-aid approach by providing endorsements to their traditional property, fidelity or professional-liability insurance policies.

Cyberinsurance

The most effective way to provide relatively comprehensive coverage for computer disasters is through cyberinsurance, a specialized form of computer insurance that organizations such as American International Group, Chubb and Lloyd's of London have offered since the late 1990s.

An effective cyberinsurance policy can handle first-party losses and any third-party liabilities that a firm faces in a computer-security disaster. Typical coverages include the following:

  • First-party business interruption covers revenue lost during system downtime caused by accidents and security breaches. Losses during catastrophic regional power outages are typically excluded, similar to such standard exclusions for floods or other 'acts of God.'
  • First-party electronic data damage covers recovery costs associated with compromised data, such as those caused by virus infections.
  • First-party extortion covers ransom demands of hackers who claim to control systems or data, and threaten to do serious harm.
  • Third-party network security liability covers losses associated with the compromise and misuse of data for such purposes as identity theft and credit-card fraud.
  • Third-party (downstream) network liability covers judgments from lawsuits initiated by those harmed by denial-of-service attacks and viruses sent out over the firm's system.
  • Third-party media liability covers infringement and liability costs associated with Internet publishing, including Web sites, e-mail and other interactive online communication.

Purchase Options

Cyberinsurance usually costs more than conventional liability or business-interruption insurance. Unlike traditional insurance policies, cyberinsurance has no standard 'scoring system' or actuarial tables for pricing premiums. Each insurance company has its own way of grading customers, with methods varying according to the type of insurance. Before insurers provide a cyberinsurance-policy quote, they usually require potential purchasers to fill out a questionnaire detailing the steps already implemented to ensure computer security:

  • Firewalls;
  • Laptop-computer encryption;
  • Anti-virus protection; and
  • Similar common-sense steps that all firms should take.

A law firm's desire to buy cyberinsurance is no guarantee that a carrier will sell coverage. Industry estimates are that about 10% of applicants are turned down, and around 25% pay higher premiums or have coverage restrictions because they don't have adequate data-security procedures in place. Some insurers require verification of safeguards by an outside data-security firm, just as they might require a potential or existing customer to have a physical examination by a physician before issuing a life-insurance policy.

The costs of cyberinsurance vary substantially. A June Computerworld assessment by Lamont Wood (see http://tinyurl.com/3co9hd) quotes two insurance executives as saying that policies could cost anywhere from $7,500 to $20,000 per million dollars of coverage. An insurance broker noted that costs for his company's network-risk policies ($10,000 to $20,000 per million dollars of coverage) would double if coverage were added for professional-service errors and omissions. Wood quotes an exasperated customer who asked five insurers to bid on identical coverage and received quotes ranging from $16,000 to $70,000 per year.

Purchase Strategies

Principals of any firm interested in cyberinsurance should first review liability coverage they already have. Here are some steps to take on the journey to securing cyberinsurance:

  • Ask whether there's too much being spent on the traditional plans like property, and errors and omissions, when more of the firm's worth resides in unprotected data.
  • Itemize those aspects of firm operations that would be affected by a data-security disaster and attempt to quantify how much loss could result, particularly in third-party litigation.
  • Be sure that data-security policies and procedures will pass scrutiny before attempting to purchase a policy.
  • Get multiple cyberinsurance-policy quotes. It's estimated that up to 20 companies offer some kind of coverage. Compare policies carefully to determine what they cover and exclude.

Ed Poll is president of LawBiz Management Co. (www.lawbiz.com and www.lawbizblog.com) and a longtime member of the Board of Editors of our sibling LJN newsletter Accounting and Financial Planning. Disaster Preparedness & Recovery Planning for Law Firms is the most recent title in his Business of Law series of special reports. Contact him at 800-837-5880 or at [email protected].
