What Can Legal Professionals Do to Protect Their Firms From a Cyber-Attack?

Many articles have been written about cyber liability. Industry experts agree that the question is not if your firm will get hacked, it is when your firm gets hacked. Law firms are being targeted almost as much as financial institutions.

Some law firm leaders are under the impression that their professional liability insurance policy will protect them. It may in some cases, but not all. Cyber liability insurance should be considered and investigated. Just completing the application will help a law firm leader uncover the weak links in their firm. If an insured firm’s network is hacked, the insurance carrier will assign an expert to help the firm comply with regulatory requirements and notifications, which differ from state to state, and to advise on how to stop the current breach and future breaches. Notifications are dependent on who was hacked, so if you have clients throughout the country or the world, this task is daunting. The cyber liability insurance premium does not seem too expensive when considered against the ramifications.

Many corporate clients are asking for certificates of insurance from their outside law firms regarding cybersecurity insurance. Corporate clients may perform a site audit and will make demands about how data is stored and processed.

When obtaining cyber liability insurance, confirm that it is written on a claims-made basis, and be sure it does not exclude pre-existing events. It is not uncommon for a law firm’s network to be hacked but for the breach not to be uncovered until months later.

Law firm leaders should make it a priority to educate every member of the firm. You don’t know what you don’t know. Start with educating your people. KnowBe4 is one of many education applications that each member of the firm can take at his or her own convenience. This is a reasonable expense, and cyber liability insurance premiums may be reduced for firms that have taken this step. A firm may apply for CLE credit to entice attorneys to participate. Rules of Professional Conduct in many states now include a reference to technology. Ignorance is no longer a defense. Insurance carriers have a vested interest in properly educating employees and business partners. Many times, they will present to the firm. The American Bar Association also regularly offers CLEs to help educate attorneys.

Organizations are being formed specifically to deal with educating people about cyber-attacks. ThreatAdvice is such a company specializing in the unique challenges facing the legal industry. ThreatAdvice provides CLE credit as well.

Ask for certificates of insurance of cyber liability insurance from your trusted business partners who process your payroll, maintain your data, have access to your network, or work with you on e-discovery or document management. Be sure you are sharing this risk with your business partners.

Routinely run a security test to ensure that your network is protected. These tests include sending emails to end users to determine who opens a suspicious email and then educating those people.

Ensure that email attachments are scrubbed and encrypted. Do not send confidential information to public email addresses like Yahoo and Gmail. They are not secure.

You may want to include your procedures or expectations from a client in your engagement letter. If you have cyber liability insurance, you may want to indicate it in the letter as well.

If your firm takes credit cards, you may want to consider a third party to do this for you. LawPay works exclusively with law firms. You can even allow a client to pay a bill on your firm’s website. They assume the risk. The law firm keeps no client credit card information.

When sharing files with individuals outside of the firm, be sure you are using a secure document sharing application like ShareFile. Dropbox is a well-known document sharing platform, but it is not secure. Check with and listen to your IT professionals.

It is inconvenient to change passwords frequently. Remember them or put them in a secure place that only you can easily access. Learn to password-protect documents and spreadsheets as well.

If you receive an email and you do not recognize the sender, do not open it. Cyber liability insurance carriers may occasionally send such an email that should not be opened. They will then report to management who opened the suspicious email.

About the Author


Gail Ruopp is the executive director of Panitch Schwarze Belisario & Nadel, an intellectual property law firm based in Philadelphia. Contact Gail at gruopp@panitchlaw.com or 215-965-1233.
