Some attorneys have never even heard of cyber-liability insurance, let alone accepted it as part of the cost of doing business in the Internet age.
But law firms big and small are taking notice, especially since breach-notification laws in Wisconsin and 46 other states require attorneys to alert clients if their personally identifiable information is ever hacked.
That information, commonly called PII, includes everything from Social Security and credit card information to addresses and phone numbers.
And it’s not only devices like laptops and smartphones that are vulnerable.
“It applies to paper records too,” said Sandy Hauserman, a lawyer, managing member and co-owner at Digital Risk Resources, an insurance development and distribution company specializing in cyber-liability insurance.
The vulnerability of paper files was something one client learned of the hard way after seeing about 40 of them stolen from a storage area.
“He had to try to go back and re-assemble those records,” Hauserman said. “As you can imagine, that guy went bankrupt.”
Too many lawyers, particularly solo practitioners, are willing to simply accept such risks rather than buy cyber-liability coverage, said Tom Watson, senior vice president of Wisconsin Lawyers Mutual Insurance Co., which offers access to cyber-liability insurance but does not sell it directly.
“Lawyers have been a little slow in recognizing this as an important coverage or protection,” Watson said. “They have been reluctant.”
“Most large firms have some sort of coverage,” he said. “Most solos and small firms do not. And, yet, they all have the same exposure. They’re all responsible, whether they know it or not; it’s the same as the medical HIPAA law.”
It’s confounding, although not unprecedented, Watson said; there are still attorneys who forgo malpractice insurance when having it is not required.
Still, he said, “I wish I had the answer to why. Maybe they just don’t see it happening to them? Maybe it’s additional coverage they don’t want to pay for? It’s a good question, and one I think we wish we understood, too.”
A lot of the hesitation seems to come from a simple lack of understanding of what cyber-liability insurance can do for lawyers.
“It is what it implies: cyber-liability protection against hackers,” Watson said.
But, Hauserman said, it can often seem more complicated than that.
“When someone says cyber insurance or cyber it means different things to different people,” Hauserman said. “It kind of means everything and nothing. But it usually has many parts. So you have to dig a little to figure out what that means.”
Lawyers’ cyber-liability policies usually provide protection for breaches not normally covered by standard malpractice insurance.
Cyber-liability insurance first emerged in the mid-1990s in response to the third-party exposure that arose from doing business on that new thing called the Internet. Policies back then often provided coverage for little more than general liability and physical damage, Hauserman said.
Today, the cyber-liability policies that can be found on the market tend to be one of three kinds: breach notice, privacy liability, or something known as security-breach liability.
Breach-notice coverage applies to lost or stolen data and covers the cost of telling victims that their information has been inadvertently disclosed. Companies or groups that are responsible for keeping such information private are often subject to special legal requirements.
Many are under an obligation, for instance, to provide services like credit monitoring and hotlines that victims can call to report breaches. Firms with breach-notification policies have coverage for the cost of those services.
Privacy-liability policies, meanwhile, provide coverage when a security breach causes a victim to suffer compensable losses. Losses of this sort can occur, for example, when a false tax return is filed using stolen information, Hauserman said.
Security-breach policies, for their part, cover damage caused by computer viruses, malware and similar menaces.
Other policies provide coverage for fines and penalties related to PII breaches; for media liability, which is important if firms are creating or hosting online content; or for extortion, which can be suffered at the hands of something known as ransomware, which is software designed to block computer access until a ransom is paid.
Cost is a big deterrent when it comes to buying cyber-liability insurance.
Attorneys can expect to pay from $350 to $450 a year for about $50,000 worth of coverage and just under $1,000 a year for about $250,000 worth, Hauserman estimated.
“It’s not a huge expense, and it’s a way to minimize the exposure significantly,” he said. “But most solo practitioners don’t do it.”
Often, it’s an expense they can’t afford or simply don’t want to take on. Hauserman said he, in many ways, understands.
“Every 50 bucks out of their pockets is out the door,” he said. “So cost is an issue.”
Even so, Hauserman said he encourages attorneys to consider the possible cost if they choose not to prepare for the worst.
“(Notification) can cost anywhere from $50 to $200 (per client) for a small law firm,” Hauserman estimated. “It’s probably closer to the $50, but you need a lawyer to maintain confidentiality and help with the notification. The forensic scientists — I have two teenage boys, I tell them this is what you need to go into — they get anywhere from $700 to $800 an hour. You’ve got to pay for the notification, the hotline and credit monitoring on the backside.”
A firm with 1,000 clients could thus easily find the cost of meeting the notification requirements triggered by a data breach running to $50,000.
“For a small law firm, you’re out of business,” Hauserman said. “Even if it’s half that, even if it’s 25 bucks, you’re still out of business. So, in my opinion, it’s not only a responsibility you have, like (errors and omission insurance). It’s a matter of being able to stay in business.”
Still, he doesn’t expect to see many lawyers taking on additional coverage until insurance companies learn to argue their cases better.
“I think the way to sell it is just to give it to the attorneys. Say, ‘You need this. We’re going to charge you for it, unless you tell us otherwise,’” Hauserman said. “And then I bet a lot will take it. But the exposure is not going away. The exposure is only going to get more complicated.”
And the risks will only increase, Watson predicted.
“Law firms store all kinds of client information, all kinds of personal information,” he said. “So law firms have become more of a target for hackers and scammers in recent years because of this potential goldmine of information.”
Solos and small firms might be at greater risk, he said.
“Sometimes solos think they’re too small to be targeted,” Watson said. “But small firms can be scrutinized more closely by hackers because the implication may be that they don’t have the sophisticated protections in place and a sophisticated IT department to keep them up. And that may or may not be true. But solos should be more cautious, because if they think they’re too small they might want to think twice.”
“Personal information is the currency of the 21st century,” he said. “You wouldn’t leave cash lying around in a retail store, and you can’t leave PII unprotected in your system.”