As seems to be happening more and more frequently, my credit card company recently cancelled my current card and sent me one with a new number because the old one had been compromised in a data breach. Hackers had gained access to the computer system of one of the merchants I charged something with and, suddenly, my account number was out in the wild and available for sale to the highest bidder.
In this case, it’s just an annoyance; I’ll have to update my information with a couple of online vendors and memorize a new set of numbers, but at the rate I charge things that won’t take long. I’m not out anything and neither is the credit card company. The merchant, on the other hand, has, to put it politely, more than a little egg on its face. I’ll have to think twice before I buy anything there again.
This incident, the second one I’ve experienced in three years, points up how prevalent hacking into what are supposed to be secure computer networks has become. Law firms should not assume that they and the confidential information their networks house are not already targets, too. In some instances, confidential legal information can be as valuable, to the right purchaser, as a large block of credit card numbers.
Although Alabama currently remains one of only 4 states that do not have a law requiring notification in the event of a loss or theft of personal information, there are lots of good reasons why lawyers in Alabama should tighten up security for their computer networks and consider obtaining cybersecurity insurance to protect themselves in the event that their computers are lost or stolen or their computer networks are breached.
While Alabama law does not currently require that business owners who suffer a security breach inform their customers, and the Alabama Rules of Professional Conduct don’t specifically address the subject, anytime a lawyer suffers a loss or theft of confidential client information, particularly personally identifiable information such as social security numbers, credit card information or other information that could leave the client exposed to potential financial loss, he or she must act to protect the client. And firms that work in the health care industry may also be subject to the provisions of HIPAA and HITECH. This is where cybersecurity insurance can save the day.
Here are some of the things that cybersecurity insurance can help you with, but you will need to read your policy carefully to make sure that you understand it and that it covers all of the potential risks that you wish to insure against:
- Coverage of lost data, IT forensics and disaster recovery. While property insurance may cover your hardware, it often does not reimburse you for the value of any data that you may lose or the expenses necessary to restore your system to working order.
- Coverage for the cost of notifying clients of a data breach. Most lawyers hardly have time to get all of their paying work done. It would be a shame to lose valuable staff hours, in addition to the actual mailing costs, to send all of your clients certified letters notifying them of the breach and advising them of the measures they now need to take to protect themselves from identity theft. Firms which are considered “business associates” of an entity covered by HIPAA can be required to meet its notification requirements, including paying penalties for breach.
- Coverage for the cost of credit monitoring services. Often, given the nature of a data breach, the only reasonable solution to protect your client from identity theft is to provide a year or more of credit monitoring service. At around $10 to $15 per month per client, the cost can add up quickly.
- Coverage of defense costs. Professional liability insurance usually will not cover defense costs that do not directly involve the delivery of professional services. Would your policy cover you if you were sued by a client for losses associated with a data breach?
- Coverage for losses due to business interruption. A truly devastating data breach or episode of cyber-extortion could wipe out data necessary for you to work or otherwise leave you so tied up dealing with the problem that you are unable to get your work done in a timely manner, too. Some policies will cover lost income associated with a cyber-breach.
As you review your insurance coverage prior to yearly renewal, consider looking into whether cybersecurity insurance might be an affordable, and necessary, addition to your present coverage. For a wider discussion of cybersecurity insurance see the Cybersecurity Insurance Read Out Report from the Department of Homeland Security. The American Bar Association offers a cybersecurity insurance benefit, but you must be an ABA member to access information about it.