Editor’s Note: The author of this post is a fellow at CodeX: The Stanford Center for Legal Informatics.
By Monica Bay, Fellow, CodeX: The Stanford Center for Legal Informatics.
Think you don’t need cyber insurance? Think again.
Big Law is a big target for cyber thieves, experts warn. For starters, law firms are viewed by criminals as low-hanging fruit — because firms are perceived as having “relatively lax security as compared with their sophisticated corporate clients,” said Roberta Anderson, a partner at K&L Gates and co-founder of the firm’s Cyber Law and Cybersecurity practice group.
Big Law firms have treasure troves full of the exact kind of data that sophisticated cyber criminals seek: protected, personally identifiable information and protected health information. On top of that, “law firms typically are a repository for valuable corporate data, including intellectual property, such as patents and trade secrets, information about important M&A activity, and other sensitive data,” said Anderson.
WHAT CYBER INSURANCE TYPICALLY COVERS
“‘Typically’ is an interesting word in the world of cyber insurance because cyber insurance is the wild west of the insurance marketplace,” said Scott Godes, a partner at Barnes & Thornburg. “Nonetheless, there is some standardization in terms of coverages that are offered in a cyber insurance policy.”
Law firms should look for these coverages:
• Investigation of cyber incidents or privacy incidents. “This includes the costs of a forensic investigation after the event; the costs of outside counsel analyzing what privacy laws need to be complied with in light of the incident having taken place; the costs related to sending out notification letters; and the costs of public relations and crisis management. This coverage should apply even if there has not been a demand letter sent or lawsuit filed against the law firm,” said Godes.
• Defending against demand letters, lawsuits and other claims, as well as potential liability resulting from the privacy event or cybersecurity incident, said Godes.
• Business interruption: “Another thing to consider is coverage for business interruption losses and extra expense resulting from a cyber attack, such as a denial of service attack, deleted or corrupted data, and more,” he said.
• Other exposures: “The policies can cover many other types of exposures, such as digital asset loss, cyber extortion, and business income loss associated with the interruption of its business caused by the failure of computer systems, or the computer systems of certain third party providers,” added Anderson.
• Third-party liability arising from data breaches and other failures to protect confidential, protected information, as well as liability arising from security threats to networks, e.g., transmission of malicious code, said Anderson.
• Costs of a regulatory investigation, they both said, including situations in which the regulator does not send a demand letter or file a lawsuit.
Negligent acts, as well as internal and external hacktivists, are also typically covered — “for example, an attorney mistakenly emailing a non-encrypted file full of Health Insurance Portability and Accountability Act information to a third party, and for an external event through a phishing attack and/or a rogue employee event,” said New York-based Joe DePaul, senior vice president, Finex North America Cyber and E&O team, Willis Americas Administration Inc.
Cyber insurance programs often “provide the firm immediate access to experts and professionals at the time of an event, who will assist the firm in navigating the complex legal minefield of knowing which direction to move in first, investigating the event, notifying the affected individuals, setting up call centers to handle the influx of calls, working with a public relations firm in distributing the correct messaging, offering credit monitoring and/or ID theft monitoring,” he said. “These are benefits that a lawyers professional liability cannot and does not provide.”
Bear in mind, warns New York-based Judy Selby, a partner at Baker & Hostetler: “Cyber insurance is not a substitute for reasonable cybersecurity, but can provide much needed financial and tactical assistance if the firm suffers a security incident.”
NINE QUESTIONS TO ASK
“Cybersecurity policies are like snowflakes — there is no standardization and each form is different,” said Anderson. So here are the three most important questions you should ask, according to each of Anderson, Godes and Selby:
• Does the policy cover the acts, errors and omissions of vendors and outsource providers?
• Does the policy cover data in the hands of third parties, such as “cloud” providers?
• Does the policy cover the acts of “rogue” employees? (Anderson)
• Do we have high enough limits for our risk?
• What is the insurance company’s reputation for paying expensive or complicated claims?
• Based on the work we do, the clients we serve, and the way that we operate our firm, does the policy have exclusions, limitations or sublimits that could wipe out coverage when we need it most? (Godes)
• What type of data are we in control of, including data in the possession of vendors, and does the policy provide adequate coverage for this data?
• Is there potential coverage for cyber risks under any of our other policies, and how will those policies and a cyber policy all respond to a cyber event?
• Does the policy provide retroactive coverage? This is especially important for cyber claims because they often aren’t immediately discovered. (Selby)
• ...not understanding how long the application process will take, said Godes. It “takes longer than people think and may ‘take a village.’ ” Expect to involve the firm’s IT chief, the person in charge of risk management, accounting personnel and lawyers who have dealt with substantive privacy and cybersecurity issues, he noted, adding, “It’s also a good idea to talk with a lawyer who has dealt with cyber insurance questions and disputes before.”
• ...not taking advantage of the additional offerings that an insurer may provide, said DePaul. Many carriers offer proactive services — such as reviewing vendor contracts, offering employee training, network security audits, information governance tools, etc.
• Be careful of the “grey areas” that are not covered, advises Anderson. That being said, “cyber insurance has evolved into an extremely valuable and sophisticated risk management tool.”
• “Thinking that cyber insurance policies are all the same and will automatically respond to any cyber event, regardless of the cause,” said Selby. “The devil is in the details, and law firms should carefully consider their unique cyber risk profile and ensure that their cyber coverage provides adequate protection against those risks,” she said. Working with an experienced cyber broker, and possibly coverage counsel, is highly recommended.