Several weeks of negotiations and hard work were about to pay off for a sole practitioner representing a millionaire client in a residential real estate deal. The accepted offer required the client to place $30,000 earnest money into escrow within five business days. The client owed the lawyer $2,000 for services rendered and cut a check for $32,000. The check was made payable to the lawyer’s trust account and hand-delivered on a Friday morning.

After receiving the check, the lawyer exchanged emails with the seller’s agent to confirm wiring instructions for the earnest money. Out of an abundance of caution and given the large sum that was to be deposited, emails were also exchanged with the institution managing the lawyer’s trust account. The check was deposited into the lawyer’s trust account on the Friday it was received. The lawyer planned to release the funds from the trust account, minus attorney fees, the following week after the funds cleared. Everything seemed to be working perfectly, until Monday.

On Monday, the lawyer arrived at the office to discover that the firm’s email account could not be accessed. The lawyer had recently changed passwords and credited the problem to forgetting the password. The lawyer sent an email to the IT professional the firm uses and received an out-of-office message in response. The IT professional would be out until Wednesday but would respond to urgent situations. Urgent responses incurred an extra charge, and because the lawyer did not have anything pressing other than the real estate transaction, the lawyer decided to put off work until hearing from the IT professional.

On Wednesday afternoon, the IT professional called the lawyer to relay that the firm’s email account was hacked. The IT professional explained that the passwords had been reset to lock out the hackers from future access, but that all the lawyer’s emails had been accessed and then deleted. Adding to the bad news, the hackers were able to install malware on the firm’s networks and systems. The IT professional recommended that the law firm systems be scrubbed or replaced.

Shocked and confused, the lawyer began damage control. First, the lawyer determined that it would be more cost effective to replace systems than pay the IT professional to scrub the malware. Next, the lawyer completed an assessment of risk concerning the emails and confidential information that was accessed.

In the middle of the assessment, the lawyer quickly realized that the most urgent issue was the information regarding the residential real estate closing. It was already after the close of business on Wednesday, and the lawyer did not have access to online trust account login credentials that were previously stored in the lawyer’s email account. The lawyer resolved to make sure everything was in order the following day.

On Thursday, the lawyer was greeted with more bad news. The funds had cleared on Wednesday morning, and shortly thereafter, the bank received an email from the lawyer’s email account with wiring withdrawal instructions for the funds. All the money in the lawyer’s trust account was first wire transferred into the lawyer’s business account and then transferred to a different institution. The bank was unable to recall the wire transfer and recommended that the lawyer contact the FBI and the firm’s malpractice insurance provider.

The lawyer immediately informed the client of the disappearance of the funds. The client fired the lawyer and promptly filed a grievance. Thereafter, the lawyer contacted the malpractice insurance provider to determine coverage for potential proceedings initiated by the Office of Lawyer Regulation (OLR), a malpractice lawsuit, coverage for replacing or restoring computer systems, notifying other clients of the security breach, repairing potential loss of reputation, and covering the money stolen from the lawyer’s trust account.

Determining Whether Malpractice Insurance Covers a Claim

According to Tom Watson, senior vice president and director of communications at Wisconsin Lawyers Mutual Insurance Co., “The first step in determining whether a claim will be covered by malpractice insurance is to determine whether it’s a first-party or third-party claim. The introductory hypothetical involves first-party damages (lawyer’s computer systems, $2,000 loss of earned fees, and damage to reputation) and third-party damages (client’s loss of $30,000 and exposure of information protected by attorney-client privilege).”

Stated differently, first-party claims are damages that the policyholder incurs (the lawyer is the first party), whereas third-party claims are damages that are incurred by someone other than the first party (the client is the third party). Malpractice insurance coverage generally extends to third-party claims.

The next step in determining whether damages will be covered under malpractice insurance is to determine if a claim has been made. “Malpractice insurance provides coverage on a claims-made basis. Meaning, although there are damages, the policy does not kick in until a claim that is covered under the policy is made and reported in writing to the legal malpractice insurance carrier,” says Watson.

Watson continues, “The wrinkle in the introductory hypothetical is the fact that the client did not file a lawsuit against the attorney, but rather filed a grievance with the Office of Lawyer Regulation. WILMIC provides $5,000 of coverage for legal representation in OLR grievance proceedings, which are not as a result of intentional or criminal acts, during the policy period in which the grievance is reported. WILMIC’s grievance coverage does not require payment of a deductible and does not impact policy limits. However, that’s the approach WILMIC takes; lawyers need to review their malpractice insurance policy to determine how or if grievance defense coverage is available.”

“If a malpractice insurance claim were to be filed by the client in this situation, then it would go through the typical negligence analysis. Was there in fact negligence, did that negligence cause damages, and what are those damages?” says Watson.

“It’s also important to note that we, at WILMIC, take the approach that if a lawsuit were to be filed in the hypothetical situation, malpractice insurance coverage would likely extend to cover the client’s loss of funds. Other malpractice insurance providers might take the approach that such claims are cyber in nature, and must be covered under a cyber policy,” Watson adds.

Watson advises that after a cyber breach occurs, lawyers should address the underlying issue that caused the problem. Often, lawyers must undergo additional training to help identify instances of cybercrimes and must practice avoidance techniques. Identifying, understanding, and taking steps to counteract cyber threats are vital factors in outmaneuvering cybercriminals.

“A common misconception by attorneys with malpractice insurance is that they will be covered no matter what type of damages are incurred. However, as illustrated in the hypothetical situation, the attorney would not be covered for damages incurred by the client, unless it can be established that the attorney was negligent, and even then, the first-party damages suffered by the attorney may not be covered,” says Watson.

“Part of the problem is the technology culture in which we operate. Although information is constantly published about data breaches and cybercrimes, attorneys still do not think it could happen to them. Then, when it does happen to them, they are sometimes under the mistaken belief that malpractice insurance coverage will take care of all the damages. Unfortunately, that may not be the case.”

Watson recommends, “Attorneys should review their current malpractice insurance policies and have discussions with their providers to determine their coverage for damages. A better understanding of the limits of malpractice insurance will allow the lawyer to make informed decisions regarding whether to supplement their malpractice insurance coverage with additional insurance, such as property, cyber, or crime policies. We strive to educate attorneys on this topic and also provide supplemental policies, because we want attorneys and our insured to have the right coverage in any situation.”

Determining Whether Cyber Insurance Covers a Claim

Michael Harty, director of program business at M3 Insurance, says, “My first step in determining whether a claim would be covered under cyber insurance coverage is to determine the specific details of the situation that arose. Next, I begin with a coverage analysis of which insurance policy should be primarily responsible. I’ll start with directors’ and officers’ insurance, then work my way through property, casualty, malpractice, cyber, and crime coverages. The primary goal is to determine what events took place and then determine which insurance policy should provide the appropriate coverage.”

Unlike malpractice insurance, cyber insurance covers the insured for both first-party and third-party claims. According to Harty, “The first-party claims that would typically be covered in the introductory hypothetical are first and foremost, a forensic investigation. We’d quickly see what needs to be done to avoid further exposure and loss. Network business interruption and data reconstruction losses would likely be covered beyond the deductible. If sensitive personal data was exposed, legal and breach coach consultations would help orchestrate breach-response notifications going out, which in turn, include identity theft benefits of having credit and identity monitoring. Public relations expenses may also be covered to mitigate damage to the brand or reputation.”

“If the malware also came with a ransom note, cyber extortion payments would be covered. Regulatory defense and penalties can be covered if and when the regulators come calling. Separately, this incident can quite clearly result in a lawsuit, which would trigger the third-party liability coverage section and if negligence exists, damages. Finally, separate lawsuits might be filed depending on whether private information was exposed and caused damages,” says Harty.

As with malpractice insurance, cyber insurance only provides coverage for certain claims. “For instance, cyber insurance would not necessarily cover the first-party cost of replacing computer systems, replacing the $32,000 of funds stolen from the attorney’s trust account, or replacing other hardware that was damaged as a result of the cyber intrusion. For computer or other hardware malfunctions, attorneys should look to their property or business insurance policies. An attorney should look for coverage under a crime policy for fees stolen from trust accounts,” adds Harty.

The introductory hypothetical and typical coverage analysis provide for payment of cyber claims, even though a lawsuit was not filed. In fact, most cyber claims do not trigger the liability-coverage section in malpractice insurance. This is an important advantage for lawyers who are victims of cybercrimes and need immediate action to restore data, notify clients, restore reputations, and refocus available resources on practicing law.

Determining Whether Crime Coverage Covers a Claim

Crime coverage, like cyber insurance, provides coverage for claims even when lawsuits are not filed. If a lawsuit were to be filed in the introductory hypothetical, a supplemental policy like crime coverage adds additional layers of protection. “Not all malpractice insurance providers take the position that malpractice insurance should cover a claim in a lawsuit based on the $30,000 stolen out of the hypothetical attorney’s trust account. That’s because the invented facts do not illustrate any negligent breach on behalf of the attorney. Without a breach, some malpractice insurance providers will not provide coverage in the event of a lawsuit,” Harty says.

Another helpful component of crime coverage is specifically for coverage of funds stolen out of the trust account. Harty explains, “Malpractice insurance would not provide coverage for the $30,000 stolen from the trust account, unless a written claim was made and reported in writing to the malpractice insurance carrier, and even that depends on the breach analysis. Malpractice will not cover the $2,000 of the attorney fees that were stolen. Cyber coverage will not provide first-party coverage of the money stolen out of the trust account. However, crime coverage would typically provide coverage for the $30,000 of the client’s money stolen and $2,000 of the attorney fees that were stolen, even if a lawsuit were not filed.”

Conclusion

The introductory hypothetical situation and typical coverages were simplified for the purpose of illustration. Coverage under any insurance policy depends on the specific facts and circumstances of each incident, the terms and exclusions of the specific policy, policy limits, and whether any other party can be held responsible for damages. For instance, financial institutions have their own responsibilities and insurance coverages. Although rare, the perpetrators of crime may be caught and restitution awarded. The underlying theme, though, is to ensure you have the appropriate coverages to protect your law firm when or after an incident occurs.

One type of insurance will not cover your law firm for all occurrences. The introductory hypothetical illustrates the need for multiple layers of insurance coverage. Take the time to have discussions with your current insurance providers to examine hypothetical situations and determine the scope of your insurance coverages. Without proper coverage, law firms face the possibility of having to cover damages out of pocket, and for some that may not be possible. If you need assistance, the Practice411^™ program is available to provide confidential consultations.