    Wisconsin Lawyer
    November 01, 2013

    Managing Risk: A New Cost of Doing Business: Protecting Against Cyber Risk

    Electronic technology can save money by reducing the cost of storing and transmitting information and documents, but it also exposes lawyers to a new ethical and financial hazard: the danger that electronic information will be lost or stolen and the attendant expenses to notify victims.

    Thomas J. Watson

    The daily pressures and responsibilities of practicing law might make it difficult for you to find the time to deal with practice-related financial issues. However, taking control of your finances is one of the most important keys to building a successful law practice or keeping an established one successful.

    When you went out on your own, chances are your primary objectives were to provide great legal services to your clients and feel the satisfaction and fulfillment of having your own law practice. But you cannot lose sight of the need to also take care of the business side of the practice. That means you not only have to watch the bottom line; you need to know how to get there.

    Losing control of the business side of your practice can also result in making mistakes that could lead to malpractice and ethics-violation claims. With good business planning, those mistakes can be avoided. Lawyers must be aware of where the business-related hazards lie and how to minimize the risk of them occurring.

    Cyber Liability Risk

    A new kind of risk has appeared recently: cyber liability. Lawyers always have had an obligation to keep client information confidential. The nature of fulfilling that obligation has evolved with the move to storing much, if not most, information electronically. Two developments, one technological and one legal, are particularly significant to cyber liability. The first is that storage of client information has become much more portable, for example, on laptops and smartphones. The second is the increase in statutes that mandate protecting personally identifiable information (PII) for more than just clients. Wisconsin privacy laws for businesses include those found in Wis. Stat. chapters 100, 134, 137, 146, 214, 301, 895, 943, and 947.

    What would you do if you lost sensitive client information? Whether because of a data breach caused by hackers, careless disposal of client records, theft of mobile devices, or misuse of internal security protocols, lawyers need to consider threats to client and employee information. Experts say law firms have become prime targets because of all the sensitive and confidential PII stored in law firm databases.

    The consequences of a breach or lost data can be monumental, especially for solo practitioners. Sandy Hauserman, a lawyer from Vermont who is a founder and managing member of Digital Risk Resources (DRe), an insurance-product-development company, recently spoke at a seminar put on by Wisconsin Lawyers Mutual Insurance Co. (WILMIC).

    Thomas J. Watson, Marquette 2002, is senior vice president and director of communications at Wisconsin Lawyers Mutual Insurance Co., Madison.

    Hauserman described how cyber exposures affect law firms – what those exposures are and how he expects they will grow. “Every law firm is now dependent on technology and the Internet,” he says. “This dependency creates business risk not covered in standard errors and omissions or property/casualty policies.”

    Client records and credit and debit card processing make up a significant portion of the overall risk profile. Law firms gather and transmit PII of clients, employees, vendors, and other individuals. Hauserman says, “This information is the currency of the 21st century. It has value to criminals who sell it or use it to commit identity theft. Just as a business wouldn’t leave cash sitting around, PII has to be safeguarded. Law firms collect a lot of very sensitive information [the release of which] could severely damage a client’s reputation.”

    In addition, cyber criminals often want to steal data or damage information technology systems. They often plant harmful software (viruses, malware, and so on) on a computer with the hope it will be transmitted to other devices.

    Sensitive client information also can be accidentally compromised. What if you mistakenly leave a device (such as your laptop, tablet, or smartphone) that contains client information at the courthouse, airport, or coffee shop? Some lawyers have done so. There are numerous other ways, accidental or intentional, that private client or employee information can be compromised:

    • An attorney checks his personal email and unwittingly downloads malware onto the company network.
    • A company laptop containing PII is stolen from an attorney’s car.
    • Customers’ credit card, bank, or health information is stolen by someone hacking into the law firm’s system.
    • Paper records containing PII are not shredded before disposal and are retrieved by criminals (dumpster diving).
    • An attorney doing research online is directed to a website that automatically downloads a worm that turns the computer into a spamming machine.

    How Big Is the Risk?

    Hauserman estimates that roughly 22 percent of a law firm’s risk profile is cyber risk. That compares to 32 percent for errors and omissions and 16 percent for property risk.

    Why is cyber risk something to which lawyers should pay attention? First, Wisconsin is one of many states that have enacted laws that require a business suffering a security breach or losing PII to notify victims so they can act to protect themselves from identity theft. In addition, any law firm storing medical information is subject to HIPAA’s notification rules.

    Notification costs can grow rapidly. Hauserman says, “If a law firm inadvertently released 100 personal records, the average amount the business would have to pay to notify the individuals would be more than $10,000. The average cost is between $50 and $214 for each affected person. Even a modest-sized breach can result in a huge legal liability that could potentially bankrupt a small law firm. At the very least, notification of a security breach is expensive and disruptive to your practice.”

    Second, if an individual who has been notified actually suffers a monetary loss or, more important, if financial or medical information collected by the law firm gets into the wrong hands, the law firm might be sued.

    That’s where cyber liability insurance coverage can help a law firm. Hauserman says, “Buying liability insurance coverage for lawsuits involving an information breach, whether they have merit or not, is the easiest and most efficient way to arrange for legal help and other assistance and to help pay for damages inflicted on others.”

    Cyber Liability Insurance Coverage

    WILMIC now offers cyber liability insurance coverage to lawyers and firms. According to Katja Kunzke, WILMIC president and CEO, “Law firms are dependent on technology and the Internet. This dependency creates a business risk not covered in standard business owners policies and only partially covered in professional liability policies. Law firms gather and transmit personally identifiable information from their clients such as names, addresses, birth dates, Social Security numbers, credit card information, and medical information. Inadvertent disclosure of this information creates the possibility of identity theft.”

    Kunzke says the type of policy WILMIC now offers includes three types of coverages:

    1. Breach-notice coverage, which provides coverage for costs incurred by a lawyer or law firm to comply with Wisconsin’s privacy-breach notice law, as well as notice fulfillment services and credit and fraud monitoring for clients whose confidential information has been lost or stolen;
    2. Privacy liability coverage, which covers third-party liability for loss of PII; and
    3. Security breach liability coverage, which covers third-party liability and damages from computer security breaches such as viruses and hacker attacks if those breaches were within the law firm’s information system.

    Other professional liability insurance carriers have started offering similar coverage as well. Some include the coverage as endorsements to a lawyer’s existing insurance policy; others, such as WILMIC, are offering separate policies to cover cyber risk.

    Kunzke adds that the need for security breach notification and remediation is readily apparent, and WILMIC wants to be proactive in addressing these needs. “We believe it is only a matter of time before third-party breach claims will be made against lawyers. If our policyholders and all Wisconsin lawyers are better educated about how to prevent security breaches, this risk can be better managed.”

    Eight Things Lawyers Can Do to Prevent Cyber Risk

    Hauserman says every law firm has liability in handling personal information, and at the seminar he identified eight precautions lawyers and law firms can take to protect this personal information:

    1. Train employees. Criminals are experts in exploiting people who do not know how to adequately protect PII.
    2. Have a plan to secure PII. Adopt and implement a written information security plan outlining the security controls and business practices for handling PII.
    3. Encrypt the law firm network and any mobile devices, thus making PII only accessible by the authorized user.
    4. Store paper records in a locked file cabinet or room and back up electronic data and store it off site (or in the cloud).
    5. Maintain firewalls on all computer devices connected to the Internet.
    6. Use anti-virus software and update it at least every 30 days.
    7. Use strong passwords (combinations of numbers, upper and lower case letters, and symbols).
    8. Dispose of unnecessary or outdated paper and electronic PII. Erase data from printers, cell phones, copiers, and computers, and shred paper documents.


    Every law firm has liability in handling personal information. Many Internet users, whether at a law firm or not, do not implement good practices. Hauserman says training and education can help manage the risk. As a solo practitioner or someone who runs a law office, you should know who has access to the personal information you handle.

    If you do a good job protecting your clients’ and employees’ data, you can focus on not only being a good lawyer but also running a business well. That means preparing a business plan, monthly budgeting, good internal controls and billing procedures, and having a disaster recovery plan ready in the event of a business interruption.

    A good deal of financial management and planning requires nonbillable work. Some lawyers take short cuts with their business, thinking this maximizes their billable time. They reason that as long as they are good lawyers and work hard for their clients, their practice will be a success. Unfortunately, this isn’t always the case. Proactively managing your finances strengthens your practice and ultimately makes you a better lawyer. Well-managed practices experience fewer malpractice and ethics-related claims. In addition, a well-run practice improves your chances of having satisfied clients. Protecting all the personal client and employee information that you handle on a regular basis must become part of your practice planning and management.
