    Wisconsin Lawyer
    November 01, 2015

    Managing Risk
    Patching Holes: Cyber Security – Is Your Law Firm at Risk?

    If you, like most lawyers, don’t know if your firm is at risk for being hacked, now is the time to find out and then patch any holes.

    Thomas J. Watson

    If you’re like most lawyers around the country, chances are you do not have cyber liability insurance. A technology survey recently released by the ABA indicated that only 11 percent of lawyers said their firms had cyber liability insurance, although significant numbers reported their firms had fallen victim to computer viruses or hacking.

    The ABA’s Legal Technology Resource Center conducted the 2015 survey. Many of the 880 lawyers responding to questions about technology security, however, did not know whether their firms had cyber liability insurance. More than 80 percent of respondents from firms of more than 100 lawyers did not know if their firms had such insurance.

    Wisconsin Lawyers Mutual Insurance Co. (WILMIC) has made cyber liability insurance coverage accessible to lawyers since 2013. Many lawyers have inquired about it, but only a small percentage of them actually purchase it.

    Cyber hacking is something we are all aware of, but mostly because we see it in the news headlines: Target, the Pentagon, the credit agency Experian, NASA, and the list goes on. It seems there is a cyber hacking story in the news every couple of weeks, if not more frequently. I personally know two people who were victims of credit card fraud, resulting in them needing to take time to do repair work on their credit and their financial records.

    The bigger law firms in the national ABA survey appear to be most susceptible. Firms with more than 100 lawyers had the largest increase in reported security breaches. Twenty-three percent of surveyed lawyers from firms of that size reported security breaches such as computer hacking, or a lost or stolen computer or smartphone, up from 10 percent last year.

    Overall, 15 percent of the surveyed lawyers said their firms had experienced security breaches, while 23 percent did not know if their firms had experienced such breaches. Sixty percent of those who reported a security breach said there was no significant business interruption or loss.

    Meanwhile, approximately 42 percent of the surveyed lawyers said their law firm’s computers have previously been infected with a virus, spyware, or malware, while 23 percent did not know. Among those who reported such infections, 57 percent said there was no significant business disruption or loss.

    Most law firms in Wisconsin, of course, are either solo practitioners or firms of five or fewer lawyers. But even those firms can get hit by a hacker, a virus, or another kind of security breach.

    What Is the Risk?

    You always had an obligation to keep client information confidential. In addition to information being stored electronically more than ever before, storage of client information is much more portable, for example, on laptops and smartphones. Furthermore, there is a statutory obligation to protect personally identifiable information (PII) for more than just clients. Wisconsin privacy laws for businesses include those found in Wis. Stat. chapters 100, 134, 137, 146, 214, 301, 895, 943, and 947.

    Whether because of a data breach due to hackers, careless disposal of client records, theft of mobile devices, or misuse of internal security protocols, lawyers need to consider how they are protecting client and employee information. Experts say law firms have become a prime target because of all the sensitive and confidential PII stored in law firm databases.

    The consequences of a breach or lost data can be monumental, especially for solo practitioners. Sandy Hauserman, a Vermont lawyer and a founder and managing member of Digital Risk Resources (DRe), an insurance product development company, recently spoke at the State Bar’s Solo & Small Firm Conference in Wisconsin Dells.

    Hauserman says client records and credit and debit card processing make up a significant portion of the overall risk profile. Law firms gather and transmit PII of clients, employees, vendors, and others. “This information has value to criminals who sell it or use it to commit identity theft. Just as a business wouldn’t leave cash sitting around, PII has to be safeguarded. Law firms collect a lot of very sensitive information which could severely damage a client’s reputation.”

    In addition, cyber criminals want to steal data or damage information technology (IT) systems. They often plant harmful software (viruses, malware, and so on) on one computer and hope it is accidentally transmitted to others.

    Real Estate Transactions Are the Latest Target

    Earlier this year, we learned of incidents involving fraudulent activity related to wired funds in real estate transactions. The scam described in those alerts involved communications from a purported seller or realtor asking the attorney to modify the way closing proceeds should be delivered – either changing from a check to a wire, or changing the wire instructions from one bank account to another. When the lawyer follows the false instructions, funds are delivered to the scammer’s bank account and cannot be retrieved.

    Thomas J. Watson, Marquette 2002, is senior vice president and director of communications at Wisconsin Lawyers Mutual Insurance Co., Madison.

    There were multiple reports earlier in 2015 of a variation on this scheme in which the hacker intercepts and alters the law firm’s wiring instructions. In this scam, the closing attorney sends an email to the buyer or buyer’s agent with instructions to wire purchase money into the lawyer’s trust account. That email is intercepted by a scammer (who has hacked the sender’s or recipient’s email account) and is replaced with false instructions. The false instructions are received by the buyer, who then unknowingly wires money to the scammer’s bank account.

    Wisconsin lawyers must be vigilant when communicating by email to avoid these scams. In its most recent newsletter, Lawyers Mutual Insurance Co. in North Carolina offered the following suggestions to North Carolina lawyers to prevent losses from fraudulent wire instructions. The tips are equally prudent for Wisconsin lawyers:

    • Obtain verified contact information from all parties at the beginning of the representation and use only those phone numbers and email addresses.

    • Consider using encrypted email or a secure client portal when sending wiring instructions.

    • If you have concerns about the recipient’s email security, send wiring instructions by fax.

    • Implement a two-level process by which wiring instructions (to and from the law firm) are confirmed by phone using a previously verified number.

    • If you receive last-minute changes from a seller or an agent requesting that funds be sent by a new method or to a new account, treat this as a red flag. Do not follow the new instructions without contacting the sender using previously verified contact information.

    • Carefully check email addresses to make sure that they exactly match the addresses you have on file. Hackers will often use an email address that differs from the true sender’s address by one letter or symbol.

    • Address wiring instructions in your engagement letter. Your engagement letter can inform the parties of the name of your bank and last digits of your account number. Have the parties acknowledge in writing that they should call your office before initiating a wire to any other account.

    • Warn your staff about these scams and make sure they are taking precautions to detect and prevent fraud. Nonattorneys are frequently the point of contact for the parties to a closing, and they will often be the ones to receive or act on compromised communications.
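
The address check in the tips above can be automated. The following is an added example, not part of the original article: it compares the address in a From header with the contacts on file and flags a near miss of one or two characters. The contact list, the `.example` addresses and the two-character threshold are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed sample data: addresses collected at the start of the representation.
VERIFIED = {"closings@oakstreetlaw.example", "agent@harborhomes.example"}

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap adjacent) needed to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # two adjacent characters swapped
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header, verified=VERIFIED, max_distance=2):
    """Return (verdict, address on file) for the address in a From header."""
    _, addr = parseaddr(from_header)      # ignore the display name, keep the address
    addr = addr.strip().lower()
    on_file = {v.lower() for v in verified}
    if not addr or not on_file:
        return ("unknown", None)
    if addr in on_file:
        return ("match", addr)
    nearest = min(on_file, key=lambda v: edit_distance(addr, v))
    if edit_distance(addr, nearest) <= max_distance:
        return ("lookalike", nearest)     # near miss of a trusted address: red flag
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ["Closing Desk <Closings@OakStreetLaw.example>",
                   "closings@oakstreet1aw.example",
                   "agent@harborhornes.example",
                   "billing@unrelated-vendor.example"]:
        print(sender, "->", classify_sender(sender))
```

A "match" only means the address is the one on file. Because the scams described above involve hacked email accounts, the phone confirmation using a previously verified number still applies.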

    How Big Is the Risk?

    Why is cyber risk something to which lawyers should pay attention? First, Wisconsin is one of many states that have breach-notice laws that require a business suffering a security breach or losing PII to notify victims so they can take action to protect themselves from identity theft. In addition, any law firm storing medical information is subject to the notification rules of HIPAA.

    Notification costs can grow rapidly. Hauserman says, “If a law firm inadvertently released 100 personal records, the average amount the business would have to pay to notify the individuals would be over $10,000. The average cost is between $50 and $214 for each affected person. Even a modest-sized breach can result in a huge legal liability that could potentially bankrupt a small law firm. At the very least, notification of a security breach is expensive and disruptive to your practice.”

    Second, if an individual who has been notified actually suffers a monetary loss or, more important, if financial or medical information collected by the law firm gets in the wrong hands, the law firm might be sued.

    That’s why cyber liability insurance coverage can help a law firm. Hauserman says, “Buying liability insurance coverage for lawsuits involving an information breach, whether they have merit or not, is the easiest and most efficient way to arrange for legal help and other assistance and to help pay for damages inflicted on others.”

    Cyber Liability Insurance Coverage

    Joe McCarthy, vice president of underwriting at WILMIC, says cyber risk for lawyers is a growing concern. “Law firms are dependent on technology and the Internet. This dependency creates a business risk not covered in standard business owners policies and only partially covered in professional liability policies. Law firms gather and transmit personally identifiable information from their clients such as names, addresses, birth dates, Social Security numbers, credit card information, and medical information. Inadvertent disclosure of this information creates the possibility of identity theft.”

    McCarthy says the type of policy WILMIC now offers includes three types of coverage:

    • Breach notice coverage, which provides coverage for costs incurred by a lawyer or law firm to comply with Wisconsin’s privacy-breach-notice law, as well as notice fulfillment services and credit and fraud monitoring for clients whose confidential information has been lost or stolen;

    • Privacy liability coverage, which covers third-party liability for loss of PII; and

    • Security breach liability coverage, which covers third-party liability and damages from computer security breaches such as virus and hacker attacks if those breaches were within the law firm’s information system.

    McCarthy says at the very least, lawyers should make sure they know what’s at risk. “If our policyholders and all Wisconsin lawyers are better educated about how to prevent security breaches, this risk can be better managed.”

