Lawyers often share with us that, as they see it, they really don’t need a cyber liability policy. They seem to base this conclusion on the fact that they believe they are not subject to the HIPAA regulations or their state’s breach notification laws and/or that they intentionally don’t store much in the way of personally identifiable information about their clients. The interesting question is, are these lawyers correct in their thinking? One could make that argument if viewing the theft of personally identifiable information of your clients as the only cyber risk worth insuring against.
The problem with that line of thinking is that it ignores all the other cyber risks, several of which, at least in my mind, are every bit as concerning as the theft of personally identifiable information of clients. Consider this. Firms routinely have insurance in place to cover losses due to a fire, flood, or another catastrophic event because they know that after such events their ability to provide the legal services they agreed to provide is going to be greatly impaired. A ransomware or wiperware attack can be every bit as severe and potentially even worse. As a reminder, and at a minimum, ransomware encrypts your data and wiperware permanently destroys your data. Certain types of cybercrimes fit the catastrophic loss category. Failing to understand that, and thus deciding to go bare on this type of risk, is a major insurance coverage misstep if you ask me.
Of course, cybercriminals have also been quite successful in stealing money from law firms of all shapes and sizes, including a number of solo firms. There are a variety of attack vectors in play and the methods cybercriminals use can be quite sophisticated. Here again, the potential loss just from wire fraud could be devastating.
While ransomware, wiperware, and theft of funds are risks that in and of themselves justify serious consideration of cyber liability coverage, I’d like to share one other concern. While some firms don’t keep much in the way of personally identifiable information of their clients, they usually still maintain some; and some isn’t the same as none. And what about all the personally identifiable information of everyone who works at a firm, including your own? Your obligation to protect personally identifiable information isn’t limited to just clients.
Cyber liability insurance isn’t just about insuring against the theft of personally identifiable information of clients. That’s only one of the many cyber risks all lawyers face. So, if something I’ve shared above motivates you to take a second look at cyber liability coverage, that’s a good thing. Just be aware that cyber liability policies differ widely in terms of the coverage they offer. You’re going to need to devote a little time to look for coverage that appropriately addresses the cyber risks that concern you the most.
Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 600 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.