
As the custodian of clients' intellectual property, commercially sensitive and personal information, law firms represent a particularly attractive target for hackers.

A news release from the Information Commissioner's Office (ICO) in August 2014 warned lawyers that the ICO is 'sounding the alarm' on data breaches within the legal profession, so firms need to be particularly alert.

Your PII policy and office policies will provide some insurance cover in the event of a cyber-breach, but there may be significant gaps, including:

  • Cover for loss of employee and partner information
  • Breach investigation expenses, including specialist independent legal advice, forensics and IT security expertise
  • Costs incurred by the firm to notify affected individuals, to offer appropriate credit and ID monitoring services and to hire appropriate public relations expertise
  • Cyber extortion expenses incurred to end a credible extortion threat
  • Reimbursement of data and computer programme restoration expenses
  • Consequential loss of revenue resulting from a network interruption

ICO records 15 legal profession breaches in 3 months

It is difficult to provide an accurate estimate of the number of breaches in the UK because there are no mandatory notification requirements as yet, and only significant breaches which attract the attention of the ICO tend to be reported. The ICO statistics are helpful nonetheless.

They state that there had been 15 recorded incidents involving members of the legal profession in the three months to August 2014.

Without doubt many more have gone unreported and, even with the best of security practices adopted by a firm, it is a matter of “when” and “how serious” rather than “if” a data breach will occur.

Causes and relative costs of breaches

Whilst it's reported* that, of the three primary root causes of data breaches in the UK, 40% are caused by negligence or human error, 38% by malicious or criminal attacks and 22% by system glitches, including IT and operational failures, it is the malicious or criminal attacks which generate the highest per capita cost (£119) being 56% more costly per capita than those caused by negligence or human error (£76).

*Ponemon Institute - 2014 Cost of Data Breach Study: United Kingdom

If a data breach occurs

As a 'data controller' under the Data Protection Act, a law firm will be liable for data breaches caused by its staff, and also by any third party suppliers.

Even if there is no direct/immediate financial loss to you or to the client (for example where personal data is lost or stolen), ICO rules suggest you should consider notifying them and the affected individuals that the papers have gone astray.

This could also be a breach of the SRA rules and therefore reportable by your COLP.

Insurance Protection

Subsequent liability arising from the wrongful act committed in the course of your professional business should be covered under the PII policy.

There are likely to be direct costs and disruption to the firm in relation to: forensic investigations, specialist data breach advice, public relations, call handling for concerned clients and credit/ID monitoring. That's before we consider the costs and disruption of notifying the affected individuals and, what's likely to be the most costly item of all, loss of revenue from customer churn due to reputational harm.

Where a breach is caused by a third party supplier, your clients and regulators will look to you to respond to the breach, incurring the costs of client notification (mandatory or voluntary), and other first party expenses. These may not be recoverable from your vendor, depending upon contractual indemnities, and will not be covered by your PII.

Doesn't my office insurance policy cover us?

The majority of office policies only respond when there has been a physical event such as a break in or physical damage to property. Office policies are typically not designed to cater for the 'digital' exposures which may include hacking events, administrative/operational errors or losses caused at the premises of your service providers. So, whilst your IT system may have been damaged and compromised with critical data lost, this is unlikely to be covered under an office policy, unless there's a special cyber extension.

Conclusion

It is clear that Solicitors' PII policies do afford elements of coverage for third party cyber exposures, but there are also a number of grey areas, as well as specific areas where there is clearly no cyber coverage at all.

A key point to remember, particularly with regard to the grey areas where cover may/may not be granted under the PII, is that all Solicitors' PII policies were originally designed to cover wrongful acts arising from the provision of professional services as solicitors and that is the underwriter's specialism. They were not created with cyber risks in mind and, as such, are fundamentally limited by:

  1. Triggers relating to the provision of professional services
  2. The structure and ability of an insurer's claims handling team to be able to respond quickly and appropriately to a data breach event
  3. A lack of pre-existing relationships with post breach vendors such as forensics, IT specialists, credit/ID monitoring, PR firms and call centre companies
  4. An absence of coverage for any first party exposures to the firm

When a breach event occurs, such limitations may give rise to a denial or dispute over coverage, or remove the insurer's ability to assist in the mitigation or indemnification of consequential losses including regulatory investigations, liability claims and losses of revenue due to reputational harm.

How Lockton can help

If you want to discuss your practice's exposure to data security risks, contact your Lockton Account Executive in the first instance. We have a market-leading cyber liability team who advise corporations worldwide on their risks and liabilities, and can provide you with expert advice on any gaps in your existing cover.

You may also wish to view our recent Information Security article, or our webinar on Information Security, or download our Information Security posters (see link below), which provide a useful aide-memoire for staff in your office.

You may also want to review the SRA guidance on cyber risks, which includes some useful case-studies.

Downloads