It’s a sign of the times that professional liability insurers have started tailoring products to address privacy breaches and other costs of cybercrime.
“As a lawyer in private practice, it does scare me that if I’m holding onto information that is breached or lost, I could be sued,” admits Daniel Strigberger, a partner in the insurance and litigation group of Miller Thomson LLP in Waterloo, Ont.
“It is a growing trend for law firms to realize that we are targets. We’ve all seen cyber liability affect the big entities like Home Depot, Target, and Sony. Cyber criminals can go after the individual storefronts or a larger body that contains the information of lots of entities. If they go to a law firm, they can get access to all their individual clients, their trade secrets, and business strategies.”
Strigberger notes that would apply to any company with several clients. “It does lots of damage to the firm, not just the clients, and then the clients turn around and sue the firm.”
In 2014, LawPRO responded to the issue by introducing new limited cybercrime coverage into its mandatory policy. Victoria Crewe-Nelson, assistant vice president of underwriting at LawPRO, explains that everyone in the insurance and legal worlds had been talking about the risks. “It is a huge issue for the insurance industry as a whole,” she says. “At one point, it was rumoured that seven Bay Street firms may have had intrusions. It was something on the horizon, so we came up with a specifically Ontario-made solution.”
Dan Pinnington, vice president of claims prevention and stakeholder relations at LawPRO, describes the $250,000 offered as a modest amount of coverage given that the costs of a breach can be substantial. LawPRO first inserted a general exclusion for cybercrime into its main policy and then added limited coverage by way of an endorsement.
“There are so many forms it could take,” says Crewe-Nelson. “We tried to address what they are most likely to be. There are two scenarios. There is lawyer liability because of cybercrime where an intrusion causes the loss of confidential client information, such as a hacker infiltrating the firm data, or the loss of something held in trust. This could occur when someone uses malware to break into the online banking system.”
An incident of this nature occurred in 2012 when a highly sophisticated attack allowed for direct access to a firm’s trust account.
Crewe-Nelson is adamant that law firms should obtain extra cyber coverage that works alongside the LawPRO policy. “As part of the exercise of coming up with our own policy, we looked at what the commercial market offers. There is communication and media liability which covers someone infringing your trademark or plagiarizing your work. It will also cover the expenses involved in regulatory offences, such as providing defence funds. There is insurance for crisis event management where a PR firm might come in to manage a reputation crisis or costs to improve and repair the system.”
She also lists extortion of electronic commerce and business interruptions as events not naturally covered by the LawPRO policy.
Strigberger is familiar with some commercial insurance policies that work in conjunction with LawPRO.
“If a breach happens on Day 0, on Day 1 they come in and do the clean-up, protecting the first-party property and dealing with the business interruption. Notifications are required to all the people whose information might have been breached, and they will clean up internal communications and vandalism. If the lawyer is sued, the private policy deals with the excess costs over and above the LawPRO coverage. They work hand in hand.”
Pinnington warns that while traditional insurance policies may offer a limited amount of coverage for cyber-related exposures, specifically designed products are preferable.
“Property policies may not cover the loss of data because it may not be considered real or personal property. General liability policies are intended to cover bodily injury and property damage scenarios and would not cover network implications.” He has seen the creation of specific coverage for the spread of computer viruses, the use of systems to hack a third party, and the outsourcing of data storage to third-party cloud providers.
LawPRO still considers insurance to be a remedy of last resort and is attempting to educate the bar about cyber risks. “If businesses insure themselves without taking active steps to secure their computers and networks, cyber criminals will continue their efforts undeterred,” says Pinnington.
“Insurance is there if all else fails,” says Strigberger.
“If a law firm doesn’t have that protection and it sustains a serious breach, it’s likely it will never open its doors again. We need a proactive risk-management approach, organizing not just financial backing but an IT system to protect the infrastructure, and education to prevent incidents happening. We should be training staff not to be careless with information, such as losing hard drives or laptops. Insurance is more of a way to mitigate the loss if an attack happens.”
Another issue Strigberger believes needs attention is the fact that a lot of breaches go undetected for a long time. “You need the technology, the infrastructure, and the people to find the breaches and plug the leak sooner,” he says.
He repeats this advice for his clients as well: “Privacy is definitely at the forefront in cases and legislation now. Courts and lawmakers recognize privacy as a right and do what they can to protect people from privacy breaches and punish businesses that fail to comply. If they don’t have the resources to deal with the ramifications of a breach, the costs can be astronomical. The safest companies are the ones that try and prevent it from happening, protect themselves from attack, and more so, respond if it happens.”
Ironically, he doesn’t see law firms taking their own advice. “It seems kind of odd that lawyers are so quick to advise their clients on how to clean up their business practices, comply with their obligations, and avoid legal risks. When it comes to our own firms, I’m not sure how many of us could respond to a cyber attack and the aftermath. We need to change our thinking.”