In the late 1980s the world began to change dramatically. Businesses began to realize the potential and efficiencies in moving customer information from hard copy to digital data.
By the 1990s most industries had either begun to switch or already switched to digital storage of company and customer data.
By the early 2000s personal computing became cheaper and small businesses could handle storing their data on small servers or big personal computers.
With the wealth of data and personal information being stored locally at small businesses with little to no security, hackers began their “treasure hunt”, searching for unprotected and unsecured data on any computer attached to the internet. With advancement in technology and rising costs incurred to maintain security systems, many small businesses decided that they were safe because they were small and insignificant targets for would-be data thieves.
In the end, these small businesses became prime targets and, as a result, victims of data breaches. Ransomware and computer hijacking are the biggest threats facing today’s small and medium-sized law firms.
Much of what data thieves target is personal information. A consumer’s or customer’s data is valuable because it can be used in fraudulent financial transactions for monetary gain, or to make big, untraceable purchases with deceptively acquired credit cards. Technology can be used to stop the data thieves, but this protection is often very expensive and very hard to maintain, thus leaving law firms vulnerable to data breaches.
Depending on the type of business, a data breach can have far-reaching effects. Cyber insurance is intended to cover costs of a data breach as well as provide general guidelines and information for cyber-incident prevention.
So, if every law office has the potential for a cyber security issue, why isn’t it covered in a standard professional liability policy? There are two main reasons.
First, cyber policies cover the insured for more than the actions performed as an attorney. Most cyber policies cover attorneys for ransomware, which would not be covered under a Professional Liability policy because it is not part of the service provided as an attorney. Cyber policies also cover data breaches and instances of fraud that may have to do with vendor relations, not client relations.
The second reason cyber is not included in a professional liability policy is that cyber security challenges evolve and change over time. New defensive technologies come and go, yet the cyber threat always remains. Cyber Insurance Policies are meant to grow and change with the technology landscape and to provide the insured with the peace of mind that they have coverage that can adjust to fit their needs as the digital age grows.
Many factors go into determining the correct cyber insurance policy. These variations keep the cyber policy from being integrated into a professional liability policy. Factors such as implemented loss prevention measures, regulations, number of customers and type of customer data (credit card numbers, social security numbers, etc.) and location of data are three factors that can affect cyber policy needs.
Most cyber insurance carriers will perform an analysis of a firm's implemented loss prevention measures before issuing a cyber insurance policy. For most small to medium-sized law firms this evaluation can be completed by answering questions on an application, but some may be asked to provide results of a security audit. Below are the primary elements of a cyber analysis an insurance carrier may perform.
Regulations regarding cyber crimes are wide-ranging. There are local, state and federal regulations pertaining to industry, loss/incident prevention, incident reporting and post-incident responsibilities. All regulations must be considered in developing a cyber policy.
Industries such as healthcare have very strict policies on data storage and access control to this data. Incident reporting guidelines (i.e., the amount of time mandated to report an incident and to whom the incident is to be reported) can also be regulated at all three levels of government.
To ensure all regulations are being met, a cyber policy and the insurance carrier’s risk management assessment need to be evaluated to ensure all regulatory levels have been considered. This assists the insured by ensuring that the correct preventive and corrective actions are covered in their cyber policy and carrier risk management.
Customer information stored for a business is also considered when writing a cyber policy. Business requirements and customer service initiatives create the need to store sensitive data. Credit card numbers and social security numbers are required for many financial transactions as well as purchases via the internet or an application. Customer data is invaluable to would-be cyber criminals. Website logins and potentially saved payment methods are the number one target of hackers and cyber criminals and, as a result, become higher value targets. Carriers must do comprehensive business evaluations to determine what type of policy meets the needs of the potentially insured.
Cloud data storage has revolutionized the IT industry. Moving data farms into a cloud solution has become the most secure and cost-effective solution for most enterprises. The adjustable amount of space needed and ability to have another party maintain the security on these servers make cloud solutions very desirable. Many companies have not had the time or money to move to a cloud-based solution. The maintenance for server updates and ensuring the most recent security protocols can be a daunting task. This overhead may also create a variance in cyber insurance coverage. The type of data being stored and where it is physically located could have a dramatic effect on the cost of a cyber insurance policy. However, even cloud solutions can be compromised by a sophisticated hacker.
The intent of the cyber policy is first to assist in prevention of a cyber incident, then to assist in remediation should an incident occur, and lastly to cover a professional entity should there be a breach or loss of data.
The cyber policy insures more than professional actions covered by a normal professional liability policy. Cyber policies can cover incidents that occur while using business computers or email for personal or non-legal-related communications. Obtaining a Cyber Insurance Policy in addition to your professional liability policy is a critical component of protecting your law firm from cyber crimes.