So a few weeks back I was interviewed about several current issues in cyber liability insurance. As part of the lead-up to the interview, I was sent a couple of links concerning issues that the interviewer wanted my take on. Most of them I’d seen before, but there was one that was new to me:
After reading the article, I was stunned that a law firm, as in a business that performs at least most of its work in the practice of law, would even consider filing such a lawsuit. Turns out, they even got an attorney in a different firm to represent them, because apparently they weren’t all about having – and being – a fool for a client. While you might disagree with me on the merits of this particular lawsuit – as an attorney whose practice includes insurance coverage matters, I am willing to concede that all states treat insurance a little differently – there’s definitely something that everyone can take away from this incident.
Yep, it turns out there is one thing you absolutely, positively must do before purchasing cyber liability insurance:
Talk to a lawyer!
Not just any lawyer, but a lawyer who understands insurance coverage and has at least a basic familiarity with cyber security. They don’t need to have a side career in IT, just an understanding about how cyber attacks work, and how they may or may not be interpreted in the context of your cyber liability insurance policy.
Here’s an example of what happens when you wait until after a cyber attack to understand what your insurance covers:
The Case: Moses Alfonso Ryan, Ltd. v. Sentinel Insurance Co., Ltd.
Before I continue, my opinions concerning the merits of this case, and of the actions taken by Moses Alfonso Ryan, their attorneys, and representatives, are based solely on the published articles concerning this lawsuit, the filed complaint and answer in this action, and my experience in both insurance coverage issues and cyber security.
For those not familiar, this case deals with a Rhode Island law firm, Moses Alfonso Ryan, and their recent experience with ransomware. On May 22, 2015, an attorney at the law firm opened an attachment in an email, and the next thing they knew, everything they had was encrypted. [Compl., ¶¶ 26-31.] At least, that’s what the lawsuit alleges. What actually happened was the malware planted itself within the law firm’s network, and at a pre-set time, it began the process of encrypting the law firm’s files.
The law firm’s network was encrypted, rendered “inoperable,” resulting in the lawyers and staff losing access to the data they’d stored in their network. [Compl. ¶ 32.] According to the lawsuit, this rendered the firm “essentially unproductive.” [Id.] The law firm hired experts in “computer cyber-attack responses” in order to “remedy its computer network and return the firm to efficient productivity.” [Compl., ¶ 34.] Unfortunately, the experts were unable to do anything. [Compl., ¶ 35.]
The firm then began to “search for the identity of the perpetrators” of the attack – something that’s really not hard to find, as anyone who has been the victim of a cyber attack would know (it’s a really bad hostage-taker who makes it hard to learn what his ransom demand is). [Compl., ¶ 36.] The firm made contact with the hackers in June (which, as you noticed, is at least 9 days after the hack first took place), and through what I can only hope was a ridiculous, Keystone Kops comedy of errors, didn’t get their system decrypted until sometime in July, after paying two separate ransoms. [Compl., ¶¶ 37-52.]
There are a ridiculous number of problems that the law firm in this case apparently created for themselves – none of which have anything to do with their insurance policy and all of which I hope the insurance company raises (that I will discuss in a subsequent post). The firm reported the cyber attack to their insurance company sometime in June (June 2nd, I believe, based on reading in a different publication that I am unable to recall at the moment).
Even though the insurance policy in this matter isn’t what I would necessarily call a “cyber liability insurance policy,” my advice applies to anyone who believes the insurance policy they’re purchasing protects them in the event of a cyber attack.
The lawsuit alleges that the policy covered the law firm $700,000 in purported losses under “Loss of Business Income” under the policy’s Special Property Coverage Form. [Compl., ¶¶ 55-61.] The lawsuit then, inexplicably, actually quotes the terms of the policy:
[The Insurance Company] will pay for the actually loss of Business Income you sustain due to the necessary suspension, (sic) of your “operations” during the “period of restoration”. (sic) The suspension must be cause by direct physical loss of or physical damage to property at the “scheduled premises” including personal property in the open (of in a vehicle) within 1,000 feet of the “scheduled premises”, (sic) caused by or resulting from a Covered Cause of Loss.
[Compl., ¶ 55 (emphasis added).] Yes, that’s from the plaintiff’s complaint. Yeah, note that in what’s supposed to be a document providing the most persuasive case for why the law firm is entitled to recover from the insurance company, their only claim is based on a policy provision that covers “direct physical loss of or physical damage to property.”
How much are they demanding from the insurance company? According to press reports, $700,000. Oh, and that’s just the compensatory damages. The lawsuit also seeks attorney’s fees, expert witness fees (apparently beyond what would normally be allowed in a breach of contract case), and… yep, punitive damages.
So how does the policy cover cyber attacks?
First place I’d look? The specific section that includes the word “Computer” in its title.
So where is that found in this particular policy? Under a completely separate endorsement to the policy – the Computers and Media Endorsement. [Answer, Affirmative Defense 1-4.] That endorsement is the only part of the policy that provides protection for… wait for it… a “computer virus.” And the policy in place did provide coverage for loss of data and business income due to a computer virus – $20,000 in total, to be exact. All of which, the insurance company notes in its response, it has paid.
I’m honestly not sure how this lawsuit will play out.
I know how I think it should play out, and likely how it would in North Carolina: In my mind, this is a 12(b)(6) or 12(c) win for the insurance company in a heartbeat.
The language of the policy, directly cited by the law firm in it’s freaking complaint, should be enough to show that the policy didn’t cover hacks under the physical damage provision. Moreover, the fact that the policy did provide coverage for hacking in a different section was information that the law firm will likely be charged with knowing, since most states assume an insured has read their own policy. Plus, it’s difficult for me to envision a judge agreeing that a law firm, as a sophisticated party, has any legitimate reason to claim lack of understanding of an insurance policy.
However, it’s clear that the law firm, and their counsel, fundamentally don’t understand cyber security, or the insurance that provides coverage in the context of a cyber attack.
This case is, to me, not the best example of honest, legitimate confusion concerning whether a policy should apply. A better example might be a real estate law firm that mis-directs a wire transfer as a result of a hack. However, they both demonstrate the trouble you could be in if you don’t fully understand how your insurance policy is designed to protect you in these types of situations.
How Well Do You Know Your Cyber Liability Insurance Policy?
Does your insurance policy include any coverage for cyber attacks?
Do you fully understand whether your insurance policy will treat a ransomware attack differently than a breach where confidential data is stolen?
Do you know if your insurance company will pay for IT specialists to help you recover your data after they’ve dealt with the cyber attack?
Do you know if your insurance company will limit or deny coverage all together if your law firm’s cyber security policy is lax in its enforcement?
Do you understand how your insurance policy works in the event you are attacked?
Since You Don’t Know, You’d Better Ask!
… and probably before you’re in the position Moses Alfonso Ryan found themselves.
I don’t care that you’re a lawyer. The intersection of cyber security and insurance is difficult enough to navigate for insurance brokers and insurance attorneys – trust me, I know. It’s beyond disturbing to me when I hear a pitch from a broker about cyber liability coverage that I know is a misrepresentation of the policy. It happens more often than not, sadly. But for lawyers, it could be worse.
If you’re not familiar with how your cyber liability insurance policy operates (or if you have one), or you have a fundamental misunderstanding as to what your insurance policy covers – as the Moses Alfonso Ryan law firm clearly did, how will you feel? Do you really think that the attorneys at Moses Alfonso believed that their law firm name would be synonymous with ignorance of both how to respond to a cyber attack and how your own insurance policy works? Too bad, they already are, at least to the people I’ve talked to about this case.
Before you purchase a cyber liability insurance policy, talk to someone who knows them. I actually recommend bringing them with, if you can. There is no standard policy yet, this is a new area, and insurers are oftentimes very willing to modify premiums in exchange for slight modifications in the terms of the coverage. Do you fully understand the ramifications of those changes? Can you truly be comfortable if you’re not?
About the Author
Brian Focht is a civil litigation attorney and technology enthusiast. In addition to being the author of The Cyber Advocate, he is also the producer and host of the Legal Technology Review podcast, and co-founder of B&R Concepts, a small business technology consulting company.