This post is the first in a series about the growing need for law firms to invest in cyber liability insurance coverage. Click here for Part II, here for Part III, and here for Part IV.
Eighty percent of the 100 largest law firms have been hacked.1 In 2014, over 29,000 records were lost or stolen in the U.S. The average cost to cover the expenses related to a cyber breach was $5.85 million. Is your firm prepared to handle a cyber attack?
Before thinking your firm is immune, consider three questions:
- Have you used your computer to send an e-mail containing a client’s personal information?
- Have you used your smart phone to access a document containing confidential data?
- Have you used your iPad to connect to a server containing your firm’s client files?
If you answered yes to any of these three questions, have you considered the costs of responding to a cyber attack that intercepts that data? Should that e-mail, document or file be stolen by an unintended recipient, the damage caused and cost to respond can be stifling.
This article is designed to help you determine whether your firm needs cyber liability insurance. Most firms have policies covering property damage, business interruption, and professional liability; cyber liability should be added to the list of insurance policies held by both small and large firms.
What Is Cyber Liability Insurance?
Cyber liability insurance is designed to cover the costs associated with an electronic security breach. Whether the breach is due to a criminal attack, human error, or a system glitch, cyber liability insurance protects the costs incurred when electronic data is compromised. Data includes personally identifiable information, such as an individual’s name associated with his or her Social Security Number, driver’s license, credit card number or debit card number.
The first cyber liability policies began to develop in the 1990s. Although coverage had been sought under commercial general liability policies for cyber attacks, the growing risks involved in using technology to store and send personal identification information presented a need for a more specialized type of insurance designed to cover the growing costs of a cyber attack.
In a world where the use of technology was becoming prevalent, companies found themselves exposed to the risks of hackers shutting down their network, human error leaking personal identification information, expenses of credit monitoring services for victims who were affected by the breach, and lawsuits related to the data breach. Professional liability policies that covered website design, content and services, and commercial policies that covered business injury or property damages, were not enough. Thus, cyber liability policies began to take an individual shape and form.
Cyber liability policies provide a wide spectrum of coverage designed to insure against the risks involved in a cyber attack, and typically provide first-party and third-party coverage. Coverage ranges from policies insuring business interruption from a network being shut down, costs related to cyber criminals who steal personal identification information that can be monetized, costs associated with restoring business assets stored electronically, costs of customer notification, costs of providing credit monitoring services to victims, and costs of lawsuits relating to the data breach.
Currently, between 25 and 35 percent of organizations have some form of cyber insurance policy, with the total market value at around $1.7 billion last year. While law firms should be among the top organizations seeking coverage due to the sensitive client information, it appears that firms need to be more proactive in buying cyber liability insurance. According to a 2014 survey of 50 law firms:
- 79 percent said cyber security was one of their top 10 risks in their overall risk strategy.
- 72 percent said their firm has not assessed and scaled the cost of a data breach based on the information it retains.
- 51 percent said that their law firms either have not taken measures to insure their cyber risk (41 percent) or do not know if their firm has taken measures (10 percent).
- 62 percent have not calculated the effective revenue lost or extra expenses incurred following a cyber-attack.
The survey was performed by Marsh, a leading insurance broker and risk adviser. Of the 50 law firms surveyed, 25 percent employed between 50 to 100 attorneys, 46 percent employed between 101 to 500 attorneys, and 23 percent employed between 501 to 1,000 attorneys. These results highlight the importance of law firms understanding why their firms need cyber liability insurance and the need to act on that knowledge.
This post, as well as the others that will follow in this series, was excerpted from our “Cyber Liability Insurance: Is Your Firm Covered?” article in the spring issue of the Alabama Defense Lawyers Association Journal magazine. Click here for the full article.