Panama Papers Leak a Reminder of the Need for Law Firm Cyber Insurance

By Amy Elizabeth Stewart

People will be talking about the Panama Papers leak – called the biggest leak in the history of data journalism – for a long time. And there is certainly a lot there to talk about: offshore holdings, shell corporations, tax evasion and the financial accounts of an international roster of world leaders, businessmen, criminals, celebrities and sports stars, just for starters.

The Panama Papers, so named because the information that was hacked came from Panama law firm Mossack Fonseca, are a solid reminder that law firms are seen as a “soft target” in the hacking world. That’s because their cybersecurity protocols aren’t usually as robust as those in the financial services world, even though they maintain huge amounts of confidential information on behalf of their clients.

Clearly, taking steps to prevent a data breach or other cyber event should be high on every business owner’s list, but we live in the real world. It’s impossible to eliminate risk entirely. That’s where cyber insurance comes in.

If your law firm does not already have a cyber policy, it’s wise to consider purchasing one. Traditional law firm policies often exclude cyber risks, so you most likely won’t be able to rely on your existing policies to protect you in the event of a data breach or other cyber event.

Amy Stewart Law works with businesses, including law firms, at every step of the insurance process (from purchase and renewal, to filing insurance coverage claims and dispute resolution). Here are some tips if your firm is embarking on the cyber insurance-purchasing process:

1. Take time to assess potential risk scenarios: Spotting key risks will help the firm identify the coverage components most relevant to its practice.

• Analyze the firm’s dependence on computer systems and online applications to conduct business. Does the firm need network interruption coverage to protect against lost income resulting from a breach that takes those systems down? 
• Consider network security issues. If an unauthorized person gains access to a laptop or to the firm’s servers, what risks are presented? Could the confidentiality of client data be compromised? What about personal information about employees or clients?
• Does the firm accept payment by credit card? Would the firm face liability associated with the unauthorized access or misuse of that information?

2. Identify the coverages the firm should purchase: Cyber insurance policies are not standardized and vary widely from insurer to insurer; even from policy to policy. Many cyber insurers offer some combination of the following coverages (among others):

• Network interruption coverage protects against losses resulting from the firm’s inability to produce income due to a cyber-security event, typically after a waiting period.
• Security liability and privacy liability coverages protect the firm against claims brought by third parties arising from a cyber-security or privacy event.
• Event management insurance covers expenses the firm may incur in connection with a data breach or other cyber event, such as notification expenses, credit monitoring, etc.
• Cyber extortion coverage protects the firm from extortion demands with cyber consequences.

3. Beware of exclusions: Read the fine print. For example, some insurers are using broad exclusions to shift substantial risk back to the insured for a breach that results from the insured’s failure to implement and maintain cyber security protocols, particularly those protocols that are listed in the insurance application. In 2015, CNA filed suit against an insured to avoid coverage based on a “failure to follow minimum required practices” exclusion, which eliminated coverage for “any failure” of the insured to “continuously implement” such policies and procedures identified in its application. Such an exclusion should be avoided, since its application could significantly impair coverage for an event caused by human error.

4. Ask the broker for benchmarking information: Premiums and limits of liability vary based on firm size, revenue and practice areas.  To improve the decision-making process, the firm’s broker should be able to provide information regarding the types of coverage and limits of liability similarly-situated law firms are buying. 

5. Assess coverage for regulatory matters: If the firm represents high-profile or large corporate clients, realize that a security breach involving the firm could attract regulatory attention. State and federal agencies are becoming increasingly involved in the investigation of data breaches and other cyber security events. Coverage for regulatory investigations is available, along with coverage for regulatory fines and penalties. 

6. Look for BYOD coverage: If employees are able to access firm systems, e-mail or client data on personal devices (not owned or controlled by the firm), consider whether the firm’s cyber policy extends to a data breach or cyber event involving employee-owned phones, tablets and laptops. The risk scenarios are endless—an employee’s 6-year old downloading a game containing malware onto a tablet that accesses firm systems and applications, a laptop with client files and e-mail left in an airport lounge, or a smartphone stolen from an employee’s purse at the grocery store. While many policies specifically extend coverage to mobile devices, make sure the coverage language in the firm’s policy is abundantly clear.