This post is the second in a series about the growing need for law firms to invest in cyber liability insurance coverage. Click here for Part I, here for Part III, and here for Part IV (the conclusion).

Why Does Your Firm Need Cyber Liability Insurance?

Attorneys have access to their clients’ private and personal information. Whether the information is learned through an engagement agreement or during the course of the case, attorneys have confidential information that needs to be kept safe. At a minimum, most attorneys have their client’s Social Security Number. Whether this information is kept at the office or stored by a third party, the attorney is responsible for the safekeeping of their client’s information.

Although an attorney may do all he or she can to keep the information safe, the information is still at risk. Consider the following scenarios:

  • An employee sending an e-mail with confidential client information could inadvertently type the address wrong, sending the information to an unintended recipient.
  • A hacker could attack your firm’s network, stealing sensitive client information such as credit card numbers, driver’s license numbers, and/or Social Security Numbers.
  • An attorney may open an e-mail attachment that appears to come from a client, but is actually a virus which shuts down the office network.

Once an event happens which causes a breach, the exposure to costs if your firm does not have cyber liability insurance could be exorbitant.

The average total organizational cost of a data breach is $5.85 million. A company that has a data breach faces the costs of detection of the breach (average cost $417,700); notification to victims of the breach (average cost $509,237); post-data breach costs such as legal expenditures, identity protection services, and regulatory interventions (average cost $1,599,996); and lost business costs, such as turnover of customers and damage to reputation (average cost $3,324,959).

These numbers come from a 2014 study performed by the Ponemon Institute, which has been studying data breaches and reporting its findings for the past nine years. The study surveyed 314 companies in 11 different countries, including the U.S., which was ranked as having the highest total cost associated with a data breach, perhaps due in part to the costs involved in state data breach notification laws.

Almost every state, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, has a data security breach notification law. The only states that have yet to adopt one are Alabama, New Mexico and South Dakota. However, the notification requirement is based on where the victim currently resides. Thus, although Alabama does not have a data breach notification law, if a firm is doing business outside the state of Alabama, some form of notification may be required if the victim lives in a state where there is a notification law. While notification laws vary in scope, the general concept is that the laws require a company to notify an individual if personally identifiable information, such as a Social Security Number or driver’s license number, is compromised.

Alabama firms should also keep in mind that a federal notification law may be on the horizon. In light of President Obama’s State of the Union address encouraging Congress to enact a uniform federal notification law, both the House of Representatives and the Senate introduced bills that would require companies to notify individuals of a data breach. This would mean Alabamians must be informed of a data breach, regardless of a lack of state law on the subject.

To more fully understand the impact of a data breach, consider the recent cyber attack on Anthem Inc., which was reportedly detected on Jan. 27, 2015. The attack is said to be the largest data breach in the nation’s health care sector, impacting around 80 million current and former Anthem customers and employees, and it could cost the company over $100 million. Fortunately for Anthem, it has cyber liability coverage; however, it may not be enough to cover the costs of the breach.

One of the measures Anthem is taking to address the effect of the breach is to offer its customers services that provide credit monitoring and identity protection for up to 24 months free-of-charge. Should all 80 million customers take advantage of that offer, it would cost Anthem more than $28 billion according to the monthly price for the services posted on its website.

While most law firms do not service 80 million customers, firms are not immune from the devastating effects of a cyber attack. According to a February 2015 article in Law Technology News, “Larger law firms are starting to recognize the reality of cyberthreats and other data security risks, however many mid-size and small firms are taking the more complacent ‘it won’t happen to me’ approach that is bound to fail them.” The article warns, “Law firms and companies that take a more lax approach to data security and risk management in general make them vulnerable to an inevitable breach that will force them to change their ways.”

The American Bar Association published an article entitled, “Hackers Are Targeting Law Firms: Are You Ready?” in 2013. The article noted the reasons for hackers’ affinity for law firms:

“[L]aw firms store client information on a single network that is often far less secure than those of the corporate clients they represent. Lawyers often use passwords that are easily cracked. Lawyers are more likely to click on malware-infected phishing email links. And lawyers review sensitive information at unsecure Wi-Fi hotspots. Also, law firms are one-stop shops for hackers. According to the General Counsel of Mandiant, a cybersecurity firm, ‘[B]y targeting large law firms, hackers can obtain information about hundreds or thousands of companies by breaching a single network.’”

Clients, particularly financial institutions, are beginning to realize the amount of information kept by their attorneys and the value of that information to hackers. Some clients are now requiring firms representing them to have cyber liability insurance. While every firm has confidential client information, firms that represent financial institutions or industries in the health care sector should be especially concerned considering their files contain highly sensitive information such as credit card and bank account information. As clients become more leery of cyber security, attorneys may be required to purchase cyber liability insurance as a safeguard to ensure that their firms are doing all they can to protect clients’ information from cyber attacks.

This post, as well as the others in this series, was excerpted from our “Cyber Liability Insurance: Is Your Firm Covered?” article in the spring issue of the Alabama Defense Lawyers Association Journal magazine. Click here for the full article.
