Another day, another hack. Yesterday brought news that four million current and former government employees may have had their personal information stolen by Chinese hackers.
Of course, this comes on the heels of what has been a staggering 18 months of hacks. Starting with the Home Depot and Target hacks, we’ve been barraged with story after story about major companies and retailers being hacked for their customers’ data. It’s not just big companies and big-box retailers, though. Law firms are increasingly the target of hackers, due to a combination of factors including relatively lax security and large quantities of organized, valuable information.
Too often when we hear about hacks, our first reaction is how much it would suck to have our own personal data stolen. Then we think about how much it would cost us to repair the injury to someone whose data we held – particularly to things that are difficult to repair, like credit scores and mental health. It’s easy to think about events like the Target hack, and think about how much Target might have to pay all those customers. You wonder: if your law firm was hacked, would you be able to afford paying for that?
Unfortunately, that’s not the real reason you need cyber liability insurance. In fact, very few law firms even have a reason to insure against third-party liability from a hack. So what is the real reason you need cyber liability insurance?
First Party vs. Third Party liability.
There are two types of damages that result from a cyber attack: first party and third party. You’re probably most familiar with third-party liability – the damages you end up paying to your clients whose data was stolen. First-party damages are those you experience yourself, and they will cost a lot more.
That’s right, fixing the damage in your law firm resulting from a hack is likely to be way more expensive than liability to your clients for the breach. In fact, some states may not even allow your clients to bring a claim against you in the event their information is stolen from your system. That’s the result recently reached by a court in Pennsylvania.
On the other hand, the costs involved with repairing the damage caused by the hack can be massive and crippling. That damage is actually made worse because most people simply aren’t mentally prepared for how expensive it can be to recover from a hack, making the sticker-shock of the price of repairs even worse.
Why is it so expensive? Well, responding to a cyber attack involves a lot:
Computer Forensics Experts
In order to find the source of the breach, you’re going to need a computer forensics team. Once they have located it, they need to close the breach and ensure that your systems are no longer infected. Once you’ve determined there is a breach, speed is one of the most crucial parts of your response.
If you currently use a third-party contractor for IT services, you already know that IT service on a regular schedule, during the normal business day, isn’t exactly cheap. Have you ever seen costs go down when any job is titled “urgent”? Because you’re going to need them working around the clock on this.
Data breach counsel
Yes, even law firms will need an attorney in the event of a data breach. Most states have very specific procedures you need to follow in the event of a data breach. However, they tend to vary from state to state. Oh, and if you deal at all with information protected under federal laws, like HIPAA or SEC regulations, there’s another list of procedures.
Experienced data breach counsel will be needed to guide you through these procedures and help you minimize the damage.
And they probably bill more per hour than you do.
Crisis Management/Public Relations
Unfortunately, if your clients’ personal information gets leaked due to a hack, you’re going to need to immediately do triage on your law firm’s image. Trust is a big deal for most clients, and if you want to keep your doors open at all, you’re going to need to respond quickly. More importantly than speed, though, you’re going to need to respond correctly.
You need expertise on crisis management that likely can only be provided by a professional team of public relations experts.
Administration of notice of the breach
Guess what, you can’t simply call up your clients and tell them about the hack. You have very specific rules to follow regarding notifying your clients. Setting up a notification system that complies with state and federal law isn’t something that just happens, and making sure you have all the proper follow-up in place isn’t free either.
Once set up, you might also be on the hook for providing credit monitoring systems for all those affected by the hack.
Data restoration and business interruption
Responding to a hack involves more than simply closing the security vulnerability the hackers used. Oftentimes hackers use extremely destructive malware to cover their tracks.
When was the last time you needed to restore your system or files from a backup tape? It can be disturbingly expensive. Well, now imagine that you have to determine which backups have or have not been affected by the hack, and then piece the rest together.
Let’s not forget the money you lose as a result of having to stop your law firm’s operations dead in their tracks to fix the damage. Overall, you’re looking at a lot of added expense!
You need effective cyber liability insurance
If you’ve renewed your Professional Liability or General Liability Policy in the past year, you might have noticed a small change to what your plan covers. Thanks to numerous successful attempts to force insurers to pay for cyber attack damages under general liability policies, insurers have begun to actively exclude damages from a hack.
While you might still have some protection for third-party liability, as you’ve seen above, that’s not where your major expenses will likely be. So you need specific protection from cyber threats. That doesn’t mean that you need a whole new policy. However, do your research! There are a few things to take into consideration:
1) Do you need a full cyber liability insurance policy?
Probably not. For most law firms, you’ll be fine with a cyber liability insurance rider on your existing policy. However, if your law firm’s systems contain highly valuable information like trade secrets or a significant amount of data protected under federal law, you’re going to want stronger protection.
2) What does your cyber security liability policy cover?
Your policy must provide effective coverage for all the items listed above, so you must ask numerous questions that may not apply to any other type of insurance. For example, does the policy give the insurance carrier the exclusive right to select data breach counsel and computer forensics experts? (This is known as the “duty to defend” vs. the duty to reimburse.)
Why does this matter? Well, responses to a data breach are considerably more effective the faster they can be put in place. Rapid response is not necessarily a strength of most insurance companies, so the ability to choose your own experts to respond immediately is likely worth more than having the insurance company process your claim at its own pace.
Additionally, you need to know whether the expenses incurred by data breach counsel are borne by the insurance company (and effectively unlimited) or whether they are part of your limits. Expensive attorneys can eat up your policy limits quickly.
3) Are your cyber security liability limits appropriate?
As strange as it may seem, a breach is likely to be less expensive than you think. However, if your cyber liability insurance contains sub-limits or onerous exclusions, it may not be worth the proverbial paper it’s printed on.
For example, if you have limits of $500,000, but sub-limits of only $10,000 for data breach counsel, you might find yourself paying out-of-pocket for your attorneys very quickly, especially if they have to deal with any regulatory agencies. As legal professionals, you’re ideally placed to look at your policy now, and determine whether or not the necessary legal work can actually be done for the amount listed.
Then there are those pesky exclusions. Face it, this is where insurance companies make their money. Are you currently doing anything in your practice that would cause one of these exclusions to be triggered? Exclusions such as failure to maintain risk controls, lack of appropriate security software, or failure to use encryption should be major concerns for law firms.
You also need to determine whether your limits are per incident or per claim. While this likely has a larger impact on third-party liability, you certainly don’t want to be left with the bill if your insurance carrier determines that a regulatory action under HIPAA and all of your first-party damages get paid out of the same pot.
4) What other services does your cyber insurance liability carrier provide?
Interestingly, many believe that the true value of a cyber liability insurance policy isn’t the coverage itself. Instead, it’s the expertise available.
Insurance companies aren’t stupid. If they sell you a policy, it’s in their interest that you never have to use it. To minimize their risk, many make available a lot of information and expertise on preventing and quickly addressing cyber attacks. Find out what kind of cyber-readiness and security awareness training is available. Learn the best ways to mitigate harm in the event of a breach, rather than waiting until one occurs.
In the end…
You need protection from cyber attacks, of course. But the best security system in the world can’t guarantee you’ll be able to prevent a data breach. The costs of a hack can be incredibly expensive, so be prepared. Investigate your options, and find out what type of cyber liability insurance protection best fits your firm.
Whatever you do, do something.