Editor’s note: This is the third installment in a series on law firms’ efforts to secure client data.
Despite the risk-averse nature generally associated with the legal industry, many law firms do not view themselves as at risk for a data breach and, therefore, have not purchased what is known as cyberinsurance. The lawyers in firms whose practice is concentrated in data security see this as a mistake given what they say is the “if, not when” likelihood of a firm being breached.
There is a bit of a rift in the legal marketplace between law firm leaders who remain somewhat skeptical of the need for insurance to protect them in the event of a data breach, and the attorneys and insurance companies who practice in this space and see a gap in law firms’ coverage of what they perceive as a very real threat.
Judi Flournoy, chief information officer of Kelley Drye & Warren and head of the International Legal Technology Association’s security initiative, LegalSEC, said there is a lot of discussion in the industry around cyberinsurance.
“I don’t know what the outcome will be,” Flournoy said. “Even though cyberinsurance has been around for a while, no one has ever really felt the pain.”
Flournoy recalled the number of firms who looked to create a disaster recovery plan only after the attacks of Sept. 11, 2001.
Cyberinsurance has been around for more than a decade, but has only reached, on the high end, about 25 percent of the potential market share, those who spoke to The Legal estimated.
Mark Greisiger is president of NetDiligence, a company that is called in by cyberinsurers to handle the overall response when an insured is breached. NetDiligence also does audits for companies, whether or not they have cyberinsurance, to determine the soundness of their security protocols.
Greisiger said cyberinsurance has become more popular in the last two to three years, particularly with the health care and retail sectors. He said he doesn’t think many law firms have it. Those that do are typically the largest firms, whose clients often require them to have cyberinsurance, he said.
“So far, I haven’t seen a big uptick in the legal community, which is surprising because I think we all know they have a tremendous amount of information in their possession,” Greisiger said.
He said law firms are probably being breached as much as any other type of company in corporate America.
The debate about the need for cyberinsurance often comes down to the fact that law firms feel they are covered under their E&O or professional liability policies. But attorneys and insurers alike have said that could be a false sense of security.
“If there is a question of coverage under a traditional professional liability policy, you could spend years arguing and litigating the issue with your carrier,” said Cozen O’Connor partner Matthew J. Siegel, who focuses his practice on cybersecurity risks and the insurance industry. “But if you have a dedicated cyberpolicy, you avoid that risk altogether.”
Greisiger said the issue comes down to whether a data breach event is part of a lawyer’s job that would be covered under an errors and omissions policy. He said a firm might be able to argue that a lost laptop falls under an E&O policy, but it would be harder to argue that protecting against a hacker from Russia is part of a lawyer’s duties.
Fox Rothschild partner Scott Vernick focuses his practice on privacy and data security. He said he thinks cyberinsurance is a “very good idea to consider” for law firms that don’t think their general liability policy will cover them. Vernick said case law is coming down on the side of the insurer when it comes to whether a commercial general liability policy would cover a data breach.
Last month, for example, a federal judge in New York ruled it would be an improper expansion of Sony’s general liability policy to grant the PlayStation maker coverage in suits related to a data breach of the gaming system network.
Siegel, whose law firm has cyberinsurance, said even if a firm could rely on general liability coverage for a data breach, it could erode the policy for when a malpractice case comes down the pike.
Siegel said firms need to be mindful of what a cyberinsurance policy covers.
“I think we need to make sure that when we are looking for a policy, it has to be broad to cover all of the types of data that we have,” Siegel said.
What cyberinsurance policies typically cover, and a general liability policy most likely wouldn’t, is everything that a data breach response entails before a lawsuit is ever filed against a firm.
“Most data breaches don’t turn into lawsuits,” said John F. Mullen, chairman of Lewis Brisbois Bisgaard & Smith’s data privacy and network security practice.
The first-party benefits coverage—essentially coverage of the insured’s damages and not a third party’s—can add up to hundreds of thousands, if not millions of dollars, Mullen said.
“I’ve handled law firm breaches where they haven’t been sued,” he said. “That’s why the first party is so important. That’s why people who think they’ve got coverage don’t.”
Richard Bortnick of Christie Pabarue and Young, and author of the blog CyberInquirer, said the average data breach could cost around $70 per piece of data stolen. A panel discussion held by the American Bar Association’s Standing Committee on Lawyers’ Professional Liability in January cited data from Greisiger’s company that placed the average cost of a breach at $3.7 million.
First-party costs after a data breach include hiring forensic investigators to determine the cause and extent of the breach, and notifying those affected under the 46 or so disparate state laws requiring notification, typically if two pieces of identifiable information about a person are stolen.
“The notification costs alone could be staggering and that’s specifically what a cyberpolicy picks up,” Siegel said.
‘Dirt Cheap’ Policies?
Robert Weaver, director of information security at Blank Rome, said he thinks cyberinsurance is a good idea to cover things such as forensic experts, regulatory fines, legal costs and other costs of a breach. But Weaver said the underwriting process is still not matured and there remain questions about how things get covered. He said firms have to be careful about what they are buying and what the limits and deductibles are. Weaver said there are “wildly varying” premiums for cyberinsurance.
But Bortnick said cyberinsurance is “dirt cheap” for most industries, with the exception, perhaps, of the retail industry moving forward, given some of the notable data breaches in that realm recently. Bortnick said he has seen cyberinsurance limits at the rate of $15,000 for every $1 million in coverage. Greisiger put the figure at about $5,000 to $10,000 for every $1 million in coverage.
He said it is “still a soft market” with “a lot more insurers out there chasing the same clients.” Greisiger said firms can get a wide scope of coverage for a “great price.”
Greisiger said a cyberinsurance policy also gives the added value of a firm being able to tell its clients that it has that protection in place.
“The cost is relatively low, and lower than people may think,” Siegel said. “But the benefit you get from it is absolutely worth the cost.”
As Weaver noted, no insurance policy can rebuild a law firm’s brand after a breach. As lawyers and IT professionals alike have said, cybersecurity needs to begin with strong policies and procedures that are explained to all employees and that are enforced. Perhaps even before a policy can be created, firms need to accept they are at risk.
“We’re too smart to be caught in that tangled web … until we’re not,” Bortnick said of the legal profession.