
Cyber Crime Now Targeting Law Firms

By Collin Hite
September 02, 2017

Cyber attacks and theft are on the rise around the country, and law firms are becoming prime targets. Similar to healthcare providers, a law firm's data (i.e., client files) can be the gold standard for thieves. Unlike manufacturers, banks and retailers, law firms are unique organizations that are highly vulnerable.

Why Firms Are Vulnerable

Sophisticated hackers no longer try to penetrate outer defenses, such as firewalls, as a matter of practice. Instead, they target individual workstations through social engineering, and hope a careless or unsuspecting employee will open the fake email. If opened, the fraudulent email allows the hacker into the network. As usual, the human element is often the weak link in the defenses employed by law firms. Most firms allow almost every employee (including contract ones) within the organization access to client data, regardless of sensitivity or the need for such broad access. Almost every employee has a computer connected to the firm network and the Internet. All employees are given great latitude to access the Internet and personal email through the firm's computers. In addition, law firms utilize a large amount of mobile technology. Regardless of type, most technology within the firms is not encrypted. Wire transfers are routine for law firms and are enticing to criminals.

Additionally, law firms allow many outsiders, such as cleaning staff and security guards, inside the firm with few background checks and little knowledge of who is wandering around after hours. For those old enough to remember the original Wall Street movie, how did Bud Fox gather the insider information? He got himself hired as a custodian on the cleaning crew inside a law firm. Physical security is an important cybersecurity consideration.

Finally, law firms are not great about ensuring that software is regularly updated. Many use older versions of software that are more vulnerable. Two-factor authentication, now an accepted standard among cybersecurity experts, is rarely used at most firms. Cybersecurity training for employees is sparse, ineffective when done, and rarely consistent.

Law firms must understand the difference between information technology and information security. Just as tax and personal injury are separate practice areas for attorneys, IT and IS are distinct functions for a firm's operations. Allowing IT to moonlight as your information security official is a mistake. All firms need a Chief Information Security Officer (CISO), whether in-house or virtual, to oversee the cybersecurity aspects of operations. Rarely does the firm's IT staff possess the requisite training or capacity to serve both roles.

All of these factors make firms very vulnerable and likely targets. Theft is not the only motivator for cyber criminals. In April 2016, law firm Mossack Fonseca was hacked, resulting in the release of client files, now known as the “Panama Papers.” The information contained highly confidential and embarrassing details about clients' efforts to dodge tax laws. In the summer of 2015, some of the nation's largest law firms admitted to being breached, including Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP. Unfortunately, a common misconception across all industries is that smaller entities are not on the cyber radar for hacking and theft. Incorrect! Criminals are very aware that smaller entities, including law firms, are far more vulnerable.

Hackers no longer grab the goods and run. They can often stay within a network for months, remaining undetected while they collect more and more sensitive data on employees, clients and other private information. Even more problematic, cyber insurance is still an afterthought to many firms.

The Best Defense Is an Aggressive Offense

Once firms recognize they are targets, and all are, they must be proactive in addressing the situation. Where to start? A comprehensive cyber risk assessment is critical to structuring a strong, multi-pronged defense. Think enterprise risk management — not to mention ethical concerns if breached. The American Bar Association just revisited the issue of cybersecurity as an ethical consideration for attorneys and set out some limited guidance. (See the ABA's Cybersecurity Legal Task Force.)

An assessment becomes the guide to building a robust cybersecurity defense for any law firm. However, once a firm's security is implemented and verified, the process cannot stop there. Just like malpractice insurance, cybersecurity insurance is a must these days. For many firms, a breach exposing large amounts of clients' private information can quickly escalate into a bet-the-firm proposition to survive. The average cost for responding to a breach is approximately $221 per client. Do the math. And that does not even begin to address a firm's costs to re-secure its network, public relations expenses, lost income, and the likely lawsuits from unhappy clients.

Where Does Cyber Insurance Apply to Law Firms?

Law firms must recognize that their legal professional liability insurance is unlikely to cover a cyber breach, or at least much of it. The same is true for the firm's CGL and property coverage. Firms face third-party exposures as well as their own first-party ones. If a firm's computer network is compromised, the potential for losses, such as business interruption, is large. Even with the best computer security, one thing is certain: the element of human error is always unpredictable. Employee negligence accounts for 25% to 35% of all cyber events. Cybersecurity breaches may also raise ethical issues. Thus, it is critical to implement enterprise solutions for risk protection, which need to include appropriate cyber insurance.

Firms can obtain cyber insurance for first-party and third-party losses. Understanding both and ensuring there is appropriate coverage is a must. First-party coverage can include within its scope: 1) computer data restoration; 2) re-securing a company's information network; 3) theft and fraud coverage; 4) business interruption; 5) forensic investigations; and 6) extortion. Commentators note that first-party losses are usually the higher costs to a business suffering a cyber-attack, so adequate coverage in this area is vital.

Third-party coverage is needed as well. Most coverage in this area will provide for a defense to litigation from your customers for their direct losses due to a breach. Insurance may also cover the following: 1) crisis management; 2) credit monitoring for customers; 3) the cost associated with notifying customers of a breach; 4) media and privacy liability; and 5) responses to regulatory investigations.

Some of the benefits of cyber insurance include lower retention levels. This specialty insurance provides access to the insurer's external resources for legal, forensic and credit protection services. Coverage may extend to privacy regulatory matters and the payment of civil fines and penalties. Ransom and extortion schemes can be covered.

But this is a line of insurance with which the buyer must exercise extreme diligence. Cyber insurance is a newer form of coverage that does not benefit from long-term placement in the market. Policyholders and insurers are grappling to understand the scope of coverage through negotiations and court opinions. Coverage disputes are just now yielding some initial legal decisions. Not all cyber insurance policies are created alike. For example, some policies may exclude coverage for unencrypted mobile devices, such as laptops. Firms need to develop a thorough understanding of their risks and the scope of the cyber insurance they are placing.

Due diligence in placing such coverage is critical. The Moses Afonso law firm in Rhode Island learned this lesson the hard way. The 10-person firm was a victim of ransomware. Their computers and network were encrypted by criminals until the $25,000 ransom, and a second one, were paid. However, the firm lost over $700,000 in revenue during the episode from work lost while its computer systems were unavailable. When the system was unlocked, there were still problems with records stored on a temporary server. All in all, an expensive problem. The law firm submitted the loss to its business owner's insurer, which paid $20,000 for losses caused by computer viruses, which are covered under a computers and media endorsement. Now the law firm and insurance company are squaring off in court. The best lesson to learn is that endorsements for “cyber type coverage” tacked on to other policies are rarely the best option. As demonstrated, such endorsements carry low sublimits and are usually restrictive. Moreover, they usually do not provide for the collateral response services provided by the insurer, which is almost always the case with true cyber insurance.

A firm's traditional insurance program likely will not cover cyber losses, or will contain gaps in such coverage, for data breaches. Cyber insurance policies can fill many of the gaps in traditional insurance, and provide direct loss and liability protection for risks created by the use of technology in an organization's day-to-day operations. There is no time like the present for law firms to analyze their insurance programs to determine if their current insurance will cover cyber risks and to identify any gaps that need to be filled. It is time for law firms to become cyber savvy.

*****
Collin J. Hite is with Markel Service, Incorporated in Glen Allen, VA. A member of the Board of Editors of Cybersecurity Law & Strategy, he can be reached at 804-864-3664 or chite@markelcorp.com.
