The Rhode Island Bar Guide to Cyber Insurance for Attorneys
Fulfilling your ethical responsibility to protect confidential client data
by Holly R. Rao, Esq., RI Bar Insurance Committee Chairperson
The American Bar Association makes it clear that, “The potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.”1
Attorneys can fulfill their ethical responsibilities when it comes to cyberattacks by following these two steps:
- All 50 states have enacted some form of cybersecurity legislation. Most require businesses that hold confidential client data to have a plan for protecting it. Put your plan in writing.
- After a privacy data breach, most state cybersecurity laws require affected businesses to pay certain expenses. Though not required by law, the easiest way to pay for these expenses is through cyber insurance. Do your due diligence and secure an appropriate cyber policy.
The focus of this article is on step two—educating bar members on the cyber coverage needed to be in compliance with Formal Opinion 483. Unfortunately, cyber insurance is not standardized across the industry. There are probably as many different cyber policies available as there are insurance carriers.
Cyber insurance is not something you want to shop for by price. This is a classic case of “you get what you pay for.” You don’t want a policy that is short on coverage and long on exclusions after something like a ransomware attack. Shop looking for the most comprehensive protection.
With so much variation existing among the cyber policies on the market, finding the appropriate coverage can appear daunting. In this article, we explain the primary coverages that exist today, so you can make an informed decision. Coverages marked with a ‘★’ are new to the industry.
★ Cyber Threat Monitoring
This new cyber coverage has only recently become available to law firms. Policies with this feature act like personal identity theft protection by providing constant threat monitoring that detects cyber intrusions. If your login credentials or data show up on the dark web, you’ll know instantly via an alert on your mobile phone.
The platform covers your entire office system, providing continuous scanning for vulnerabilities, out-of-date software, and protection against 99% of known ransomware. If your cyber insurance includes Cyber Threat Monitoring, it’s a clear sign that you’ve got the most cutting-edge coverage available today.
Should a data breach result in a lawsuit against your firm by clients, vendors or other affected third parties, cyber liability pays any resulting court settlements and judgements along with the associated legal expenses.
This is a standard coverage found on all cyber policies. The most important detail here is the coverage limits. What are they offering? $1 million, $5 million, $15 million? The limits you select depend on how many potential clients could have their data stolen. Larger firms will want higher limits.
Data Privacy Expenses
As mentioned above, state cybersecurity laws require businesses affected by a data breach to incur certain expenses. This is the coverage that will pay for them. Pay careful attention to the limits for this coverage. If your cyber coverage is an endorsement, rather than a standalone policy, the limits may be inadequate.
Data privacy expenses include:
- Notification Costs: State cybersecurity laws will require you to notify your clients of the breach either by phone, email or regular mail. How much time you have to alert them varies by state.
- Credit Monitoring: Most state cybersecurity laws will also require you to provide your clients with free credit monitoring. Whether the monitoring lasts 1 or 2 years depends on your state.
- Forensics: After a breach you will need to hire a forensics team to determine what data has been compromised, how they got in, and how to close the breach.
- Public Relations: If the attack ends up in the press, this coverage enables you to hire a PR firm to minimize the damage to your firm’s reputation.
★ Fund Transfer Fraud
One of the most common attacks run by cybercriminals is known as social engineering. It occurs when a hacker breaks into your network, monitors your correspondence, and impersonates a high-ranking member of your firm to get the person with banking privileges to transfer funds to their account.
Crime insurance typically includes coverage for Fund Transfer Fraud, but recent court cases have denied coverage on these policies if the transfer was the result of a social engineering scam.2
Some cyber policies may only cover the breach expenses associated with the fraud, but not the actual funds lost.
Fund Transfer Fraud is becoming commonplace. Lawyers dealing with real estate transactions are particularly vulnerable. Typically, the fraud scheme impersonates a trusted business partner providing new wiring instructions for the real estate closing. Once the money is wired, it is nearly impossible to recover.
Breach Response Team
With cybersecurity laws varying by state, having an expert breach response team managing your claim is critical. They will guide you through the process, letting you know what you need to do—and how much time you have to do it—to remain in compliance.
Failure to respond within your state’s mandated time frames can result in costly regulatory fines and penalties. Does the policy even include a breach response team? It may not. The claim may be handled by in-house insurance adjusters with no specialized expertise.
Last year, 18% of cyberattacks on U.S. businesses involved ransomware. You unknowingly click on something you shouldn’t, and your system is infected with malware that encrypts your data, blocking access until a ransom is paid in bitcoins. The average ransom paid in 2019: $84,116.3
Not all policies include Extortion Expenses. With these attacks on the rise during the coronavirus pandemic, and not all firms backing up their data on a separate drive daily, this is an important coverage to secure.
Business Interruption and Extra Expenses
If your ability to conduct business comes to a grinding halt due to a cyberattack, Business Interruption pays your lost income till your firm is back up and running. Extra Expenses include any costs you incur to stay open, such as the purchase of new computers.
A 2017 ransomware attack against a Rhode Island law firm shut it down for three months, resulting in $700,000 of lost billings.4
When the firm submitted the claim to their businessowner’s carrier, the loss was denied. Most BOP policies exclude business interruption coverage unless the firm is closed due to physical damage such as a fire. If the firm had cyber insurance, this would not have been an issue.
Regulatory Fines & Penalties
After a breach, should you fail to comply with state cybersecurity laws, the resulting fines and penalties can be substantial. States like Illinois may impose fines up to $50,000, while states like California can go up to $250,000, and Florida up to $500,000.
With the help of a good breach response team, this should never happen. If the policy does not include such a team and doesn’t include Regulatory Fines & Penalties coverage with limits that match your state’s maximum penalty, your firm will be taking on a substantial risk.
Additional cyber coverages to look for:
★ Worldwide coverage: With so many attorneys working from home, the last thing you want is a policy that only provides coverage at your office ‘named location.’
★ Computer Replacement: Pays the cost to replace your computer systems that are destroyed.
★ Bodily Injury & Property Damage: Pays for defense and damages when a security failure results in physical harm.
Technology Errors & Omissions: Liability protection when your technology is the cause of a client or vendor’s loss.
Digital Asset Restoration: Replaces, restores, or recreates damaged or lost digital assets.
Internet of Things: Coverage for all of your IoT devices, such as desktops, laptops, tablets and smartphones.
Social Media: Coverage for your social media accounts is included.
Preparation is Everything
Even law firms that specialize in cybersecurity practice can use help when finding the appropriate cyber insurance. It is inherently difficult for firms of any size to achieve this objective on their own.
Uncertain where to start? Contact the Rhode Island Bar’s endorsed insurance provider, Aon, who arranges for a free cyber risk assessment that provides a vulnerability scan of a firm’s web presence.
To learn more, please visit www.aoncyberAA.com
1. “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack,” ABA Standing Committee on Ethics and Professional Responsibility Formal Opinion 483, October 17, 2018.
2. “Computer Fraud and Funds Transfer Fraud Coverages Not Triggered by Social Engineering Phishing Scam,” Hinshaw Law, March 2, 2020.
3. Nathaniel Popper, “Ransomware Attacks Grow, Crippling Cities and Businesses,” New York Times, February 9, 2020.
4. Debra Cassens Weiss, “Victimized by ransomware, law firm sues insurer for $700K in lost billings,” ABA Journal, May 2, 2017.
Aon CyberBusinessProSM is a service mark of Aon Corporation. Coalition, Inc. is the exclusive administrator.
This document provides summary information only. Insurance coverage is subject to specific terms, limitations and exclusions, and may not be available in all states.
Aon Affinity is a licensed insurance producer in all states (TX 13695), (AR 100106022); operating in CA & MN, AIS Affinity Insurance Agency, Inc. (CA 0795465); in OK, AIS Affinity Insurance Services Inc.; in CA, Aon Affinity Insurance Services, Inc. (CA 0G94493), Aon Direct Insurance Administrators and Berkely Insurance Agency; and in NY, AIS Affinity Insurance Agency.