Last week’s article on cybersecurity threats faced by the legal profession did not examine one risk mitigation strategy that is increasingly finding favor among law firms: the purchase of cyber liability insurance policies.
The authors of the American Bar Association’s 2020 survey of technology use among law firms recently noted that, at a time when law firm adoption of technologies to fight cyber threats is lagging, the purchase of insurance to cover cyber losses is growing. According to the ABA, 36% of U.S. law firms obtained cyber insurance policies in 2020, up from 33% in 2019. Surprisingly, small firms have been particularly good customers for cyber loss insurers: 36% of firms with two to nine attorneys purchased cyber insurance in 2020, up from 27% in 2017.
The ABA warned that although insurance is a wise risk mitigation tool, as a general matter it’s not a substitute for an actual strategy to prevent cybersecurity threats in the first place. “Certainly, firms are wise to have policies in place, but a policy is only one component of an appropriate comprehensive, risk-based security program and itself offers no protection from attack nor any guarantee of actual coverage,” the survey authors wrote.
So what is cyber insurance coverage, what sorts of losses do cyber insurance policies cover, and how is this form of insurance different from legal professional liability coverage?
In a nutshell, legal malpractice policies protect the law firm against financial losses arising from malpractice claims following a data breach. For all other types of losses the law firm might suffer, some other form of insurance is needed. These forms of insurance are known generically as “cyber insurance.”
Legal Malpractice Policies Protect the Client
Much has been written lately regarding a lawyer’s ethical duty to make reasonable efforts to prevent the unauthorized disclosure of client information (ABA Model Rule 1.6: Confidentiality of Information) and the emerging ethical duty of technological competence (ABA Model Rule 1.8, Comment 8: Competence). Together, these ethical duties oblige lawyers to understand the growing threats to their clients’ confidential, electronic information, and to put in place safeguards to prevent unauthorized disclosures.
With increased awareness of cybersecurity threats comes a heightened standard of care that escalates a law firm’s professional malpractice liability exposure when client information is carelessly disclosed or destroyed. For example, a data breach may give rise to a malpractice claim arising from:
- failure to safeguard personal or proprietary information
- failure to supervise lawyers, staff, or technology vendors
- heightened exposure of clients to legal claims and reputational injuries
- fraud arising from the law firm’s misrepresentation of its data security practices
The Wengui Rulings: Law Firm Cracked Open to Public View
The specter of malpractice liability arising from theft of a client’s information due to a data breach is real. For an example of how one law firm’s data breach gave rise to cognizable legal claims for misrepresentation, malpractice, and breach of contract, consider Wengui v. Clark Hill PLC, No. 19-3195 (D.D.C., Feb. 20, 2020).
The Wengui court’s opinion, rejecting the law firm’s motion to dismiss the case, summarized the facts as follows:
The plaintiff, a Chinese billionaire and political dissident, retained the Clark Hill law firm to handle his application for political asylum in the United States. The hacker — believed to be working for the Chinese government — gained access to the firm’s computer network and stole Wengui’s personal information, then published that information on the Internet.
Wengui sued the firm for professional malpractice, misrepresentation, and breach of the retainer agreement. Wengui’s misrepresentation claim arose from his allegation that he warned the law firm it should expect cyberattacks seeking information about him, and that the firm represented it would “take special precautions” to prevent unauthorized disclosure of Wengui’s personal information.
The Wengui case is in the discovery stage. No finding has been made that the firm is liable on any of the plaintiff’s claims. Very recently, however, on Jan. 12, the trial court ruled that forensic reports generated by the law firm’s consultants were neither attorney work product nor privileged and must be turned over to the plaintiff. The court also granted the plaintiff’s request for documents “regarding the cyberattack’s effect on other firm clients, subject to appropriate redactions.” Ouch.
Cyber Insurance Policies Protect the Firm
Legal professional liability coverage will protect law firms against data breaches that result in malpractice claims by injured clients, but it provides no protection for cybersecurity lapses that do not trigger malpractice claims.
Every insurer’s cyber insurance product is different, and many are customized to the needs of the insured. That being said, generally speaking, losses covered by a typical cyber insurance policy might include:
- Losses not related to client legal services, such as those involving the breach of employee information
- Expenses incurred for privacy breach response, remediation, and notification of appropriate legal authorities
- Losses caused by ransomware
- Business interruption losses in the event of a data breach
- Reputational damage to the law firm due to data breach
- Losses suffered by nonclients, such as employees and third-party fraud victims
Additionally, some cyber insurers offer consulting-type services that can help minimize the risk of a data breach.
Cybersecurity: An Ounce of Prevention …
Regardless of how the Wengui litigation is ultimately resolved, the case already demonstrates the devastating fallout that can follow a cyberattack on a law firm’s network. At the risk of stating the obvious: Firms should carefully consider what might happen if their computer networks were breached and client information disclosed to third parties. Then plan accordingly. Cyber insurance policies may be part of the firm’s cyber-risk mitigation strategy, but, as the ABA notes, they are no substitute for the deployment of technological safeguards that do, in fact, protect the client against unauthorized disclosure of confidential information in the first place.