If you’re reading this at work, then you survived the attack.
Employees the world over were locked out of their computers on Friday and even over the weekend into Monday as an insidious and widespread cyberattack nicknamed “WannaCry” rolled through the Internet and into headlines. The ransomware attack, which for now seems to have been halted, encrypts a computer or network’s data and demands $300 in the online currency bitcoin to unlock the data.
While data breach experts said the attack was not particularly complex—it was distributed through an infected email attachment and could have been prevented by staying up-to-date with a Windows patch—the scale of the breaches served as a reminder of the seemingly ubiquitous risk of cyberattacks.
Luckily for U.S. law firms, those same experts said it was unlikely that this particular ransomware attack hit many of them. The targets were disproportionately located overseas and in the health care industry.
But that doesn’t mean law firms can’t do more to prevent a shutdown caused by ransomware similar to one in March that recently led a small Rhode Island firm to sue its insurer for $700,000 that the firm alleges it lost as a result of being locked out of its computers for months.
In a complaint filed in Rhode Island state court and recently moved to federal court in Providence, 10-lawyer Moses Afonso Ryan said it was hit with a ransomware attack in May 2016 that disabled its computers for about three months. During that time, the firm scrambled to buy bitcoin—one can purchase only a limited amount of the digital currency each day—in order to make contact with the hackers and negotiate a $25,000 ransom.
Ultimately, the firm said it had to negotiate a second ransom payment after the decryption tools it acquired after the first payment failed to unlock the files on its computer network.
Moses Afonso Ryan’s suit claims the firm had insurance through Sentinel Insurance Co. Ltd.—a subsidiary of investment and insurance giant The Hartford Financial Services Group Inc.—that covered an unlimited loss of business income, which it measured at $700,000. Name partner Thomas Moses did not return an email seeking comment on the case.
But Sentinel, advised by Robinson & Cole, claims in court filings that its policy is capped at $20,000 via another clause related to damages caused by a computer virus. The case, filed April 21, remains pending. But security experts said it represents a worst-case scenario for firms struck by ransomware.
“There have been a few of our clients who have been locked out of their computers without disaster recovery systems,” said Bryan Cave partner David Zetoony, head of his firm’s consumer protection practice. “So they’re locked out, basically, until they pay or they put up new systems. For us, that’s less than five percent of our client base.”
Zetoony also leads Bryan Cave’s Data Breach Hot Line, which he said was curiously quiet over the weekend, despite news reports of widespread ransomware attacks.
The New York Times reported that the cyberattack, as of Sunday, had hit 200,000 computers in more than 150 countries. Most notably, a number of hospitals in the U.K. were infected, causing emergency rooms to divert patients and cancel surgeries. Those hit in the U.S. included FedEx Corp., while telecommunications giant Telefónica SA was impacted in Spain and automaker Renault was stung in France. Chinese universities, Germany’s federal railway system and Russia’s Interior Ministry also got hit.
Stephanie Snyder, a U.S. cyber expert at insurance and risk management giant Aon plc, said losses from ransomware and other attacks can be covered by most cyberattack policies. But law firms are not among the largest contingent of purchasers of those policies, she said.
In general, 30 to 40 percent of companies have specific cyberinsurance, and that number is as high as 70 percent for industries such as hospitality, which have a lot of customer data. But she said professional services firms, including law firms, have not been as quick to purchase insurance, with the caveat that some firms seek coverage through professional liability insurance.
Still, Snyder said that number has grown as attacks like the one over the weekend proliferate.
“I would say 2016 was the year of ransomware and it certainly has bled over into 2017,” she said.