The past year has made very apparent the risks to law firms and the need for a proactive cyber risk management plan. In January 2023, the SEC subpoenaed a D.C. law firm regarding a cyber incident that may have resulted in disclosure of client data. In March, the New York Attorney General announced a settlement with a New York-based law firm requiring payment of penalties and implementation of enhanced cybersecurity protocols. In July, several top law firms reported data breaches at the hands of a ransomware group. Finally, in August, a putative class action was filed in California against a major law firm, alleging liability flowing from a data breach that resulted in the disclosure of protected personal information of more than 150,000 people.
Law firms are increasingly becoming victims of phishing attacks and scams that seek to capitalize on the firm’s name and reputation. Recently, a North Carolina law firm sued its insurer after a phishing scheme allowed hackers to send emails from firm accounts demanding payment of closing funds to the hacker’s bank account. In another example, a firm went to federal court to seek an injunction against the use of domain names that allowed scammers to impersonate firm personnel in furtherance of fraudulent schemes perpetrated against clients and the public.
Firms also face risks from new artificial intelligence (AI) tools. The use of AI products like ChatGPT poses a professional risk and a risk to private and protected information kept by law firms. Such tools may collect data from the users themselves, risking unintentional disclosure of client confidences. OpenAI currently faces at least one putative class-action lawsuit alleging that several activities, including the use of user data, violate privacy laws.
Law firms need procedures to safeguard client information and comply with applicable law if and when a breach occurs. Equally important is working with insurance professionals to ensure the coverage purchased adequately protects against the risks the firm may face.
A review of the firm’s coverage should consider the following:
1. Network Security
The firm’s IT systems are critical to its operation. Its insurance should cover losses from security failures, including loss of business income.
Law firms should consider whether disruption of a third-party vendor’s network would result in a business interruption and whether to insure that risk. Forensics and IT costs, as well as legal and public relations expenses, should also be covered. Many insurers have preferred vendors for such services, and the best time to negotiate for approval of particular vendors with whom the firm has ongoing relationships is when the policy is being purchased, not after an incident. Coverage should also include cyber extortion or ransomware scenarios.
2. Funds Transfer
Law firms face significant risk concerning their funds and client funds. The firm should carefully review requirements in its policies regarding verifying transfer of funds and how insurance applies to instructions to transfer funds. “Social Engineering” coverage is particularly important because it applies to transfers made by spoofed or otherwise fraudulent email instructions. This coverage should be as broad as possible to protect against scammers impersonating clients, vendors or even firm members.
3. Privacy Liability
Many law firms deal daily with data and information protected under privacy laws and could face liability or other expenses even when the breach involves a third party’s network. Risk managers and brokers should work together to ensure that potential losses and privacy law liabilities beyond the scope of the firm’s network security policy are adequately addressed.
4. Errors and Omissions
Many law firms carry insurance to cover errors made in the rendering of professional services. The evolving practice of law and the professional responsibility of a lawyer to protect client confidences in an environment of increased cyber risk demand that the firm examine whether cyber liability is included in, limited by or entirely excluded from its existing coverage. Claims by clients that a law firm failed to meet professional standards may not involve facts sufficient to trigger other cyber liability coverage, but they nonetheless present a real risk to the firm.
Risk identification and underwriting of a sophisticated coverage program require identification of sensitive information kept by the firm, an analysis of network security and a close partnership with a knowledgeable broker that can provide guidance on the insurance options available. Timely advice from experienced counsel and industry professionals will help create an insurance program that maximizes a firm’s ability to mitigate loss through insurance recovery.
Jeremy King recently joined Legal Management Talk to discuss all things cyber insurance, including what to look for when choosing or changing your coverage. Watch or listen today!