Despite the risk-averse nature generally associated with the legal industry, many law firms do not view themselves as at risk for a data breach and, therefore, have not purchased what is known as cyberinsurance. The lawyers in firms whose practice is concentrated in data security see this as a mistake given what they say is the “if, not when” likelihood of a firm being breached.
There is a bit of a rift in the legal marketplace between law firm leaders who remain somewhat skeptical of the need for insurance to protect them in the event of a data breach, and the attorneys and insurance companies who practice in this space and see a gap in law firms’ coverage of what they perceive as a very real threat.
Judi Flournoy, chief information officer of Kelley Drye & Warren and head of the International Legal Technology Association’s security initiative, LegalSEC, said there is a lot of discussion in the industry around cyberinsurance.
“I don’t know what the outcome will be,” Ms. Flournoy said. “Even though cyberinsurance has been around for a while, no one has ever really felt the pain.”
Cyberinsurance has been around for more than a decade but has only reached, on the high end, about 25 percent of the potential market share, those who spoke to The Legal estimated.
Mark Greisiger is president of NetDiligence, a company that is called in by cyberinsurers to handle the overall response when an insured is breached. NetDiligence also does audits for companies, whether they have cyberinsurance, to determine the soundness of their security protocols.
Mr. Greisiger said cyberinsurance has become more popular in the last two to three years, particularly with the health care and retail sectors. He doesn't think many law firms have it and those that do typically are the largest of firms and whose clients are often requiring they have cyberinsurance, he said.
“So far, I haven’t seen a big uptick in the legal community, which is surprising because I think we all know they have a tremendous amount of information in their possession,” Mr. Greisiger said.
He said law firms are probably being breached as much as any other type of company in corporate America.
The debate about the need for cyberinsurance often comes down to the fact that law firms feel they are covered under their professional liability policies. But attorneys and insurers alike have said that could be a false sense of security.
“If there is a question of coverage under a traditional professional liability policy, you could spend years arguing and litigating the issue with your carrier,” said Cozen O’Connor partner Matthew J. Siegel, who focuses his practice on cybersecurity risks and the insurance industry. “But if you have a dedicated cyberpolicy, you avoid that risk altogether.”
Mr. Greisiger said the issue comes down to whether a data breach event is part of a lawyer’s job that would be covered under an errors and omissions policy. He said a firm might be able to argue that a lost laptop falls under such a policy, but it would be harder to argue that protecting against a hacker from Russia is part of a lawyer’s duties, he said.
Fox Rothschild partner Scott Vernick focuses his practice on privacy and data security. He said he thinks cyberinsurance is a “very good idea to consider” for law firms that don’t think their general liability policy will cover them. He said case law is coming down on the side of the insurer when it comes to whether a commercial general liability policy would cover a data breach.
Richard Bortnick of Christie Pabarue and Young, and author of blog CyberInquirer, said the average data breach could cost around $70 per piece of data stolen. A panel discussion held by the American Bar Association’s Standing Committee on Lawyers’ Professional Liability in January cited data from Mr. Greisiger’s company that placed the average cost of a breach at $3.7 million.
Mr. Greisiger said a cyberinsurance policy also gives the added value of a firm being able to tell its clients that it has that protection in place.
“The cost is relatively low, and lower than people may think,” Mr. Siegel said. “But the benefit you get from it is absolutely worth the cost.”
Gina Passarella can be contacted at 215-557-2494 or at firstname.lastname@example.org. Follow her on Twitter @GPassarellaTLI. To read more articles like this, visit www.thelegalintelligencer.com.