The prevalence of cyber-related crime has been steadily increasing for a number of years. Many businesses invest heavily in the necessary IT infrastructure to protect their data, but despite best efforts and intentions, the frequent news stories in the press should serve as confirmation that breaches do occur.
The cost implications of having personal or financial information stolen are significant, especially for law firms, because the information they hold can be confidential and even privileged, and is often very sensitive. When you consider all the potential first- and third-party liabilities a major breach could place on a law firm, the extreme cost could impose a financial burden severe enough to destroy the firm.
Thus, from an insurance standpoint, it is paramount to consider whether your coverage is adequate. Ontario lawyers should keep in mind that the coverage afforded under the LAWPRO policy is subject to eligibility criteria and to a modest sublimit of coverage. Lawyers outside Ontario should consult their own policies.
The cyber insurance policy has evolved significantly in recent years. The most common element of coverage found within cyber and privacy liability policies is for claims brought against you arising as a result of a breach. This would include legal defence costs and indemnity payments, and is provided on an “all risks basis.” Some current extensions of coverage include protection against the spread of computer viruses, or in the event that your systems are used to hack a third party. Many policies have been extended to include first-party costs to comply with breach notification laws in different jurisdictions. Finally, cover can also be included for voluntary security breach notification, which will help mitigate the impact on the company’s brand or reputation.
Coverage has also evolved to take into consideration the outsourcing of data storage to third-party cloud providers. While this endorsed coverage is still in its infancy, there are some insurers that are able to consider this type of risk.
Canadian Underwriter Magazine recently reported on a 2011 research study from NetDiligence, which found that the average cost of a data breach was $3.7M. The study found that the largest component of the costs related to the legal damages, with the average defence costs being $582,000, and the average cost of settlement being $2.1M. The implications of not handling a breach properly, measured by way of reputational harm to your organization, are costly. If that client trust is lost, it will certainly impact the gross revenue of your firm in terms of lost clients. With client acquisition being far more costly than client retention, having a plan in place to mitigate that reputational risk is very important.
Cyber and network liability policies have built in a solution for these types of situations. Many policies commonly offer limits of coverage for crisis management. The costs associated with hiring public relations consultants and costs to conduct advertising or PR activities are all things that can be built into a cyber policy.
Traditional insurance policies may offer a limited amount of coverage for cyber-related exposures, but it is important to understand the implications of relying on coverage that is not necessarily designed for a specific exposure. Property policies may not cover the loss of “data” because it may not be considered real or personal property.
General liability policies are intended to cover bodily injury and property damage scenarios, and would not extend to cover network implications. Finally, in addressing these exposures, you should take into consideration liabilities that will fall outside the coverage offered by your E&O policy.
As legislation changes and the breach notification requirements in Canada evolve, so too will the costs associated with damage from hackers, breaches, cyber extortion, and other cyber-related crimes. Don’t underestimate the costs your firm might incur in the event of a data breach. Reinforce the long-term security of your firm by ensuring it has taken adequate precautionary measures, has contingency plans in the event that something does occur, and has appropriate insurance in place to transfer and avoid the financial risks of a data breach.