All law firms should consider getting cyber security insurance. In 2016, a law firm was the victim of a ransomware attack. Not only were key documents inaccessible, but the firm’s billing system was frozen, so clients couldn’t pay.

These key files remained tight for over three months as the firm negotiated a settlement. Up to $700,000 in client billing was lost as a direct result of the attack, which doesn’t include the undisclosed ransom paid.

Work completed across industries is being conducted primarily online. Companies are opting for cloud-based solutions to increase productivity while allowing employees more freedom than ever before to work when, how, and wherever they want to.

Making sure your law firm is protected

This freedom made possible by technology was a godsend for many companies during the pandemic. Remote tools allowed employees to work effectively from home during the global COVID-19 pandemic. Many companies that may not have otherwise survived not only did so but thrived.

Employees responded strongly to the change, to the point that the workplace has now changed at a fundamental level.

Along with the unprecedented demand to facilitate whole companies working remotely, IT departments everywhere face challenges in allowing workers to do their jobs effectively while protecting critical data.

Remote, cloud-based setups are certainly convenient, but they also present a brand new set of challenges.

The target of con people and hackers

Which profession or industry has emerged as a particularly attractive target to scam artists and cybercriminals?

Law firms.

Cyber security insurance is a worthwhile investment for any business that collects and stores sensitive data – law firms among them. It should also be noted that many general liabilities and malpractice policies don’t cover cyber security. Make sure to read the fine print and seek out special coverage if necessary.

What is cyber security insurance?

Cybersecurity insurance can help smaller law firms and individual lawyers minimize the risk of a data breach. This type of insurance is designed to offer financial coverage if your firm or client’s data is compromised. 

Data breaches and ransomware attacks can be hugely expensive and insurance can help provide a welcome piece of mind should the worst happen.

Smaller law firms and individual lawyers are particularly at risk of cybercrime as they are less likely to have the capital necessary to guard their data properly and fully against criminals. 

Nothing should replace taking basic precautions to keep sensitive data safe and secure, but cyber security insurance can provide a welcome layer of financial protection.

What does cyber security insurance typically cover?

There are two primary types of cybersecurity insurance a law firm may want to consider:

• First-party cyber liability insurance
• Third-party cyber liability insurance

First-party liability insurance is designed to assist firms with direct business impacts. These can include losses due to downtime, crisis management, and costs related to restoring data.

Third-party liability insurance offers protection from liability claims from outside the firm. It might also cover payments to clients affected by data breaches and fines from regulatory bodies.

Law firms aren’t restricted to picking one type of insurance or the other. Depending on the kind of law firm, one or the other or even a combination of the two types might be best.

The best strategy to decide what type of insurance your firm needs is to complete an internal audit. You’ll want to have a full understanding of the type of data you are storing and what your most outstanding liabilities are. Then you can make educated decisions accordingly.

What makes law firms such a good target of cybercrime?

Law firms are particularly good targets for cybercriminals for several reasons. While they tend to have access to a large amount of valuable and sensitive data for their clients, their devotion to cyber security tends to be lacking. 

Lawyers, not information technology professionals primarily staff law firms.

Depending on the types of cases a particular law firm handles for a client, they might have privileged access to a great deal of sensitive information.

Hackers could gain access to that information in several different ways, such as accessing servers remotely, intercepting email communications, or using phishing schemes.

Cyber crimes against law firms

Instances of cyber crimes against law firms are also on the rise. Some figures show as many as 26% of law firms in the United States have experienced data breaches of one kind or another. 

It’s a big deal. 

Some estimates put the total losses due to data breaches at $5 trillion by 2024.

The way lawyers work also makes them especially susceptible to cyber crimes. Studies have shown that upwards of 75% of lawyers regularly or always do some work outside business hours. While many convenient remote office tools have made life easier, they also open companies to new vulnerabilities in the attack.

What are cybercriminals after?

Cybercriminals have different motivations too. They want access to sensitive data to sell, hold for ransom or even use for insider trading.

Lawyers potentially have access to plenty of sensitive and highly valuable corporate data, from trade secrets to secret formulas. This information could be incredibly valuable when sold to competitors.

Ransom may also be the goal. Although rarer, some cybercriminals may be looking for important information. Hackers can use ransomware technology to lock up essential data until a fee is paid.

What are the benefits of investing in cyber security measures and insurance?

As pointed out, law firms are prime targets of cybercrime because of the data they readily access and the comparative lack of investment in protecting that data. It should also be noted that the consequences of a data breach can be pretty dire and cost a firm a considerable amount of profit for several reasons.

Losing valuable client data isn’t going to make you look very good. A loss of your reputation will be damaging not only to the client whose data was exposed but also to future potential clients. 

Lose your client’s money

A data breach can easily lose your client’s money and damage their reputation. Depending on the data’s contents, you could open up your clients to costly lawsuits, not to mention losing them to future business.

You’ll open your firm up to malpractice suits from those same clients. No doubt, if you cause your clients to take a hit to their reputation or their business’s bottom line, they’ll be looking to recoup those losses any way they can.

What should you do if your law firm has a data breach?

Law firms in the United States have a clear duty to be open and honest when reporting a data breach, both ethically and legally.

The American Bar Association passed Formal Opinion 483 in 2018, which lays out a law firm’s responsibilities before, during, and after a breach. If it’s likely their data is involved, law firms need to immediately and fully inform clients that a breach has occurred.

Lawyers also need to act “reasonably and promptly” to close any breach and mitigate any damage caused by the breach. It’s recommended that all firms, big or small, have an action plan that includes steps to take in case of a breach. 

This is not the kind of thing that should be handled on the fly. Careful preparation and ensuring employees are trained on what to do can greatly reduce the damage caused by a data breach. 

The ADA’s formal opinion 483 states that lawyers have an ethical responsibility to monitor their systems for incursions actively have an action plan in place, and train staff to implement the strategy effectively.

Cyber Security Insurance Conclusion

Incidences of cyber security attacks continue to rise across the United States. In a 2021 survey conducted by the American Bar Association, 25% of respondents reported that their firms had been victims of some form of cyber attack at some point in their history.

While this percentage decreases with firm size, smaller companies and individual practitioners are some of the most at risk, as noted above.

Despite the rising threat, only 47% of respondents to the ABA survey reported investing in cyber security insurance. Cyber security insurance is the most surefire way to provide some financial peace of mind, especially for smaller firms that can’t fully afford the sizable investment to protect their data. 

The threat of cybercrime and data breaches is undoubtedly not going anywhere, especially as remote work becomes more the norm, stretching the demands of cyber security to their limits.

See other legal blogs to learn more about corporate law.