We often joke that we lawyers knew more black letter law upon graduation from law school, or at the Bar Exam, than at any other time in our careers. It is always that pesky change that affects what we know. The statutory and the common law and the rules all change almost daily. Maybe that is where the phrase “practicing law” came from because you have to constantly practice dealing with changes in order to survive as a lawyer. In 1967 U.K. Prime Minister Harold Wilson said: “He who rejects change is the architect of decay.”
In this changing environment, we all learned the basics of risk arising from the practice of law and most offices have comprehensive general liability policies for our offices and equipment and Lawyers’ Professional Liability (“LPL”) for negligence, errors or omissions with regard to client work. While LPL is not required, most prudent lawyers do not want to risk their personal assets for such expected risk exposure.
Think now of the changes in your practice in just the most recent years. Electronics have replaced the traditional pen and paper approach. These changes then placed great emphasis on the protection of health and other private records that are now being used in electronic form. You and your clients are now exposed to large costs and penalties if some of these records get loose in the process. Well, the fact of the matter is that information in that form does get loose, probably far more so than when it was locked in your office in a file folder in a drawer.
Let’s just look at this month’s news feed:
• Office of Personnel Management said hackers stole 5.6 million fingerprints it had on file. (All across the federal agencies)
• Hackers stole federal personnel data on 21.5 million people including their social security numbers.
• Excellus Blue Cross Blue Shield had 7 million files breached and its subsidiary Lifetime Healthcare Cos. had about 3.5 million exposed with all their personal and medical data.
• 15 million T-Mobile customer records (including encrypted information) were stolen via Experian’s site.
• 6400 American Bankers Association e-mails and passwords stolen and posted online.
• Sony, Target, Anthem and Home Depot are just a few of the Fortune 500 to be breached in the past year.
So, if it happened on this scale recently, it is likely that someone wanting something from your files has already breached them, or will. A law firm would be a great place to get sensitive and valuable proprietary materials, and a lot easier to hack than those listed above. That just deals with the people trying to get in and obtain the information. Add to that the inadvertent lost laptop with lots of medical data, etc., and you have plenty of risk and exposure from these changes in the practice.
So how well are you protected for this change and this new and unexpected risk? You might have coverage if a client sues you, but then only for covered items and after your deductible under your LPL policy. But the real cost of these types of breaches or data losses comes earlier from the immediate things not covered like:
• Computer experts to discover all details and rebuild the hack;
• Public relations costs;
• Loss of reputation and business income losses;
• Damages to injured parties, not necessarily your clients;
• Notification costs;
• Government investigations;
• Employee claims.
The insurance industry responded quickly and began selling stand-alone cyber insurance policies. Yet, it seems that few firms have such policies despite these being available from many sources with various types of protection at a business-acceptable cost. Debra Cassens Weiss, reporting for the ABA Journal, noted a 2015 survey of 880 lawyers in which only 11% (of those responding) had cyber liability policies in place. Significant numbers of those in this Bloomberg BNA Big Law Business survey did report that their firms had experienced computer viruses or hacking incidents. Contrast all this with 80% of surveyed General Counsel of companies saying cyber security is their number one concern in 2015. There is a human factors element involved with the law firms here also. Lawyers do not want to reveal that their esteemed firm has been breached, and many also just do not know that they have been breached.
Dan Bressler, in a recent Law Firm Risk Blog post, noted data from Mandiant which finds that 80 of the 100 biggest law firms in the U.S. have been hacked since 2011. That being said, I believe the smaller your practice, the easier it will be to be breached.
It does not appear this risk is a “Y2K” kind of issue that might not happen. Just think of what you might need if all your files were breached. Identifying who, what, when and where could cost a bunch. How to fix it and how to notify all who had records with you would be a problem. It would therefore appear reasonable to have such cyber insurance coverage and team up with experts to (1) help prevent the loss and (2) have all these resources on call if a firm laptop, for example, with class action medical files just disappears and the health care penalties have kicked in.