Over the past few years, law firms have seen a significant increase in cyber-attacks. According to the American Bar Association, nearly one third of polled firms with 100 or more attorneys have reported some form of data breach! That’s huge.
Of all the cybersecurity weapons hackers use, the most popular one is ransomware. Ransomware extortion costs American businesses and law firms millions of dollars annually. This has become a major problem especially for law firms, which have gone relatively paperless and whose digitally stored information is immensely profitable to hackers. Ransomware can bring a firm to a sudden halt and can result in the loss of important and confidential client files, which can easily destroy a firm’s reputation.
How Do They Do It?
Most often, cyber-attacks begin with an employee at a business or a professional services firm clicking on a bad link in an email or opening an attachment in an email. The email appears to come from a reputable company, even carrying a corporate logo and being “signed” by an officer of the company. Perhaps a law firm gets a request for a wire transfer from a bank. This is done to entice individuals into revealing personal or company information such as passwords, checking account information, and credit card numbers. This tactic, known as phishing, happens to professional firms more often than people realize. Staff members may assume that the email is authentic; however, once the email has been opened, the hackers have access to your entire system through code they embed in the email or link.
Upon getting into a firm’s system, the hackers “look around” to see if the information contained would have any value if made public. If so, they lock all access to the entire computer network, leaving the firm virtually unable to conduct business. The hackers take over the firm’s data until the ransom is paid for the return of the files and data. Quite often the victimized firm will pay just about anything to get its system and all information returned as quickly as possible.
How is Cyber-Liability Insurance Holding Up?
There’s the discussion of investing in cybersecurity insurance coverage: should you or shouldn’t you? The average cost to businesses of recovering from a ransomware attack has more than doubled since 2020, London-based insurance broker Howden Broking said, warning that companies are facing a “digital pandemic” of cybercrime. They also stated that insurers are charging 32% more for cyber-insurance cover than they were a year ago, in June 2020.¹
Experiencing a deluge of cyber breach incidents and claims, the insurance industry has responded in earnest by increasing its cyber liability product offerings but, in many cases, also its prices. With the market still in its relative infancy, there is not much clarity around coverages and expectations.
An article in NJ Property Casualty 360° states that insurers should be aware that many customers do not understand their cyber policies and this can result in accusations of bad faith on the part of the insurer. Although most states require insureds to read their insurance policies, the coverages can be confusing, which may give rise to arguments regarding the reasonable expectations of insureds. If courts apply the so-called “reasonable expectations doctrine” or find ambiguities in the insurance policies, they will likely find coverage under the policies. Policyholders’ lawyers will then include bad faith claims, arguing there were unreasonable or reckless claim denials. These help to illustrate some of the interplay between cyber liability and E&O and the challenges insurers face in delivering insurance solutions in a rapidly-evolving cyber world.²
There also might not be enough money in the still-emerging sector to cover businesses’ needs. So what can companies do? They should still invest in coverage, in part to help the market grow, but they also need to look for other ways to cover their potential exposure, including self-insurance mechanisms that range from simply carrying additional capital to address future cyber-attacks to creating specific risk-financing activities that function like insurers.³
Michael J. Faul Jr. of Herold Law P.A. has decades of experience handling insurance coverage issues and has a clear understanding of the intricacies that are crucial to making sure the right insurance coverage is in place with no gaps to limit the liability in case of a cyber-attack.
By reviewing and evaluating how much a cyber-attack can cost not only in dollars (ransom) but also the effect on your total business operations and your reputation, they can help you stave off unimaginable headaches and potential loss of thousands or tens of thousands of dollars or more. It is essential to be sure a company has adequate insurance coverage for any type of possible cyber security breach.
How To Prevent This and Keep Your Data Secure
According to Bob Michie, President of MetroMSP in Parsippany, NJ, an IT Support & Solutions company, “Firms need to accept that 100% prevention is not possible. 2020 allowed a lot of time for the bad actors to focus on cyber-attack technology. Antivirus software is just not enough anymore. You need to employ advanced protection tools and a team of people to manage them. The problem was the alerts from the system were ignored as they were not being monitored; in other words, no one was ‘watching the store’ for them. Having layers of protection is critical to keeping firm data safe.”
Michie and his team at MetroMSP make the following suggestions to all clients:
- BACKUP ALL DATA both local and cloud data to a 3rd party location. TEST THE BACKUPS quarterly to MAKE SURE THEY WORK.
- ENABLE MULTI-FACTOR AUTHENTICATION ON ALL DATA SYSTEMS.
- Have ONGOING Security Awareness training for all employees.
- DON’T USE PUBLIC WIFI or share the same PC as others when working from home.
- Use a managed, enterprise-class antivirus and threat protection on all systems.*
In a perfect world, no outsider infiltrates a network. But since that’s not feasible, early detection is the next best thing. If a network is breached, the longer it takes to detect, the more damage can be done.
In Summary
Keep in mind, attorneys may have an ethical obligation to report breaches as soon as they’re detected. In 2018, the American Bar Association issued Formal Opinion 483 reaffirming lawyers’ duty to notify clients of a detected or suspected data breach, and offering reasonable steps for them to meet ABA model rules of professional conduct obligations. It says that a lawyer must act reasonably and promptly to stop the breach and mitigate damage, but doesn’t offer specific guidance.
For those of us in the legal field, as well as CPA firms and Financial Advisors, I can’t stress enough how important it is to be sure your data is as safe as possible at all times and any company you work with should be on the cutting edge of this issue.
For help with your complex insurance coverage matters, call Michael J. Faul, Jr., at Herold Law P.A. at 908-647-1022, ext. 122 or reach him online. Michael has decades of experience working for policyholders to obtain recoveries from insurance companies and helping businesses understand their coverage. As a business owner, it is your responsibility to know what you are getting when you sign up for coverage or renew a policy, and an attorney can help you make sure that you do.
3 https://hbr.org/2021/01/cybersecurity-insurance-has-a-big-problem
*Disclosure: Michael J Faul, Jr., Herold Law PA and its attorneys make no representation or warranty as to the above information which is being provided for informational purposes only and not to be relied upon.