This is a guest post by Brian Focht, an attorney at Stiles Byrum & Horne in Charlotte and author of the highly regarded blog, The Cyber Advocate. Brian posts about important cybersecurity issues on which lawyers and other legal professionals should be focused. He can be reached at firstname.lastname@example.org.
If you’ve been conscious for at least 15 consecutive minutes at any point over the past five years, you’ve no doubt heard news about a major hack. Hell, one happened today. Cybercrime is everywhere, extending even to the presidential election campaign. Your business is at risk, your clients’ data is at risk, and you need to be involved.
But even the best laid plans can suffer the same fate as the great city of Constantinople – one unlocked door and your city has fallen! Fortunately, you've actually got the opportunity to protect your business in a way that the Byzantine Empire couldn't – insurance. Specifically, cyber liability insurance.
There’s a lot to cyber liability insurance, so we’ll take this in several parts. Here we’ll be talking about the expenses you’ll likely run into in the event of a cyber attack, and therefore need to ensure your cyber liability policy covers.
The 5 Major Expenses Your Cyber Liability Policy Better Cover!
1) Parachuting Professionals
You need an emergency response team. Think of them as a really nerdy version of SEAL Team Six. Think I'm being overly dramatic? Well, you're right. However, you should be aware that most cyber liability claims that exhaust the policy limits do so covering the costs in this category!
Forensic IT Specialists
You need immediate and effective analysis of your systems to determine the size and scope of any breach, and professionals with the experience and training to eliminate any active threats, limit the damage being caused by existing intrusions, and shore up your short-term defenses. One caveat a good forensics team will insist on: evidence (disk images, logs, the compromised accounts and systems) gets preserved before anything is wiped and rebuilt. Everything that follows in this list, from the scope of your notification obligation to your position in any later lawsuit, depends on being able to say with confidence what was accessed and what was not.
Legal Advisors (immediate)
One of the most critical (and coming soon, most litigated) roles you play when your law firm has been the victim of a cyber-attack is to be a "Paul Revere" to your clients. No, not an over-hyped historical footnote who we only know today because his name was easier to rhyme than any of the important people involved with the American Revolution (touché, by the way). You need to warn your clients and anyone whose personal information may have been stolen.
In fact, in 47 states (soon to be 50, so just deal with it), you have a legal obligation to notify those people within a specified period of time!
Your emergency response legal team will handle all of the immediate legal hurdles for you (or at least give you a plan). Listen to them. They know that you're an attorney, and you might even know something about this whole cyber security thing. Remember, an attorney who represents him or herself has a fool for a client - even Clarence Darrow hired a criminal defense attorney. They're here for a reason. Let them do their jobs.
Public Relations Professionals
Yes, we all know that you're a law firm, and therefore probably not on speaking terms with the general public. Doesn't matter. One of the most important tools you have is your reputation. How did Steve Jobs convince Apple to bring him back, despite his actual track record of miserable failures? Everyone thought he was a genius - and because he was so good at managing his own press, he got the opportunity to prove that, after 25 years of failed products, he could re-package an MP3 player and use it to make Apple the most profitable company in the world.
Your reputation matters, and the information that gets put into the media WILL impact that reputation, especially in the local press.
Most importantly, the experience of being the victim of a cyber-attack is extremely stressful. While you're stressed out dealing with the ramifications of a breach, let a professional handle all media contacts and set up a plan and a script for responding to angry clients or other inquiries. You're in a bad spot. No reason to make it worse.
2) Compliance with Notification Laws
So your team of professionals has parachuted into your office and gotten your dumpster fire under control. They've also informed you that your state has a requirement for notifying people that their personal data may have been stolen. Your forensics experts pull all the information they can on what data was exposed, and give you a list. You then…
That's right, it's not as easy as it sounds. Your state's statute (and possibly federal statutes or regulations) sets a deadline by which you have to notify people that their data may have been exposed, and the clock typically starts running from discovery of the breach, not from the day you finish investigating it. This isn't easy, nor is it free. Aside from paying for the method of notification itself, you're likely going to need continuing legal advice throughout the notification process.
And in case you didn’t know, continuing legal advice ain’t free!
3) Business Interruption Costs
This is one category of costs that's a little bit different from the others, because it's not a true expense. The other items on this list require you to pull out the firm's checkbook or credit card, taking money directly out of your account, but also providing an easily quantified loss.
Business interruption, on the other hand, is the revenue you DON’T earn because your office is effectively shut down. Law firms are particularly susceptible, too -- our business model requires us to be able to perform services. Without performance, we have no revenue.
Business Interruption coverage can help you recover revenue lost due to network downtime, recovery of lost/deleted data, and all those other wonderful things that prevent you from doing your job. Remember, even a basic ransomware attack can take your ENTIRE NETWORK offline for days: every affected machine has to be isolated, wiped and rebuilt, and restoring from backups takes time even when the backups are good. Can you afford to just lose that revenue?
4) Client/Customer Response
One item that a lot of small businesses fail to appreciate is the need to establish a dedicated line of communication for people to contact your law firm with any questions or concerns related to the breach. Your regular business communication system is not going to be sufficient. You'll need a dedicated communications system (website, phone, social media) to respond to frequently asked questions - immediate responses can save you money, and maybe even save your clients!
Working in conjunction with a PR professional, come up with a scripted response to frequently asked questions. An experienced PR person will likely be able to tell you exactly what questions you're likely to get - there's nothing new under the sun - and can help you craft responses to those questions before they're even asked. Taking this part of your response seriously requires spending some time and money, so your insurance policy needs to take this aspect seriously as well.
Oh, and those continuing PR services are just as free as the legal ones: they're not.
In the event that personally identifiable information may have been stolen, it has also become customary to offer at least 12 months of free credit monitoring services for every person whose information was potentially taken. Also, not free. Make ABSOLUTELY CERTAIN that your cyber liability insurance policy provides coverage for this type of service.
5) Petty (and not so Petty) Cash
Lastly, there are those items that require nothing more of you than throwing a pile of cash at someone. Which is fine, I guess, if you have the cash. Catastrophic if you don’t.
Ransomware and extortion
You've heard that movie trope about "we don't negotiate with [insert movie villain]," but here in the real world, you may have to. An FBI agent was widely quoted in 2015 as telling victims of ransomware to just pay the ransom if the data can't be restored from backups, although the Bureau's official position is that it does not support paying, and paying is no guarantee that you'll get working decryption keys. Tested backups are your real defense. When you have no real option other than to pay, though, your cyber liability insurance policy needs to provide coverage for these types of payments.
Litigation expenses related to loss/theft of data
Yeah, this is the one most people are afraid of, even though the fear isn't really based in current reality. There isn't much precedent at this point for large judgments against companies that have been hacked, but my general read of the landscape is that those judgments are coming. They'll be even worse for companies that are found to have failed to take adequate steps to secure data (and potentially catastrophic for companies that were aware of the risk and STILL failed to improve security).
So even though there’s no current support for anticipating large judgments, pretty much everyone in the insurance industry seems to be expecting them any day now. So be ready.
Regulatory fines and other governmental penalties
One final area where you need to make sure you're covered is regulatory or other governmental fines related to a hack. Most law firms probably don't have to worry too much about this, but it's still nice to have. Note that policies typically cover fines only "where insurable by law," so check whether your jurisdiction actually allows that coverage to pay out.
No cyber liability insurance policy can possibly provide adequate protection for your business unless it covers the items I've listed above. Next month, I'll break down the important policy terms you need to look out for, and may need to clarify or modify, when you're shopping for your cyber liability insurance.