
In brief

As the custodian of client's intellectual property and commercially sensitive information, as well as personal information, law firms represent a particularly attractive target for hackers.

A news release from the Information Commissioner's Office (ICO) in Aug 2014 warns lawyers that the ICO is 'sounding the alarm' on data breaches within the legal profession, so law firms need to be particularly alert: not only do all law firms hold significant quantities of confidential client data (even seemingly 'low-risk' files can hold valuable data), but the SRA and ICO are both focussing on information security and data breaches in law firms.

Your PII policy and Office Policies may provide some cover, but are unlikely to cover:

  • losses of the firm's (or employees') own information
  • investigation costs
  • costs incurred in defending any regulatory breach action
  • client claims other than PII (e.g. where their loss is not directly financial, but may relate to emotional distress on exposure of sensitive information)

It is important to review your exposures, in light of the terms of your existing policies, and your risk appetite. 

15 legal profession breaches reported in 3 months

It is difficult to provide an accurate estimate of the number of breaches in the UK because there are no mandatory notification requirements as yet, and only significant breaches which attract the attention of the ICO tend to get reported. The ICO statistics are instructive nonetheless.

A recent report from the ICO states that there have been 15 recorded incidents involving members of the legal profession in the past three months. No doubt many more have gone unreported and, even with the best of security practices adopted by a firm, it is a matter of “when” and “how serious” rather than “if” a data breach will occur.

Cause of breaches

While most of us think in terms of external threats, the evidence suggests that, more often than not, it is internal breaches (accidental or malicious) which are the most common cause of information security breaches (for more information and guidance on this, see our Information Security posting).

Information Security Scenarios

What cover does the MTC afford if you're hacked or if data (in electronic or hard copy) is simply misplaced?

Let's consider a few examples:

Loss of Personal Information

You're preparing for a court case and the papers (containing a large amount of personal information) are being transported to Chambers – an Associate drops a file in the taxi, or an unencrypted disc containing client names, addresses and other personal information is lost or stolen en route.

At this stage, there's no financial loss to you or to the client, but under the ICO rules you should consider notifying them and the affected individuals that the papers have gone astray. This could also be a breach of the SRA rules and therefore reportable.

If it is a large data set, the direct costs and disruption to the firm in relation to forensic investigations, specialist data breach advice, public relations, call handling for concerned clients and credit monitoring can be significant. That's before we consider the costs and disruption of notifying the affected individuals and, what's likely to be the most costly item of all, loss of revenue from customer churn due to reputational harm.

Corporate Confidentiality Breach

In another example, a Corporate Associate working on the listing of a large, soon-to-be-listed FTSE 250 company allows access to the data room to a person they shouldn't. Perhaps they thought the individual had clearance and allowed them in when they were followed through the door.

The IPO is jeopardised, and/or the leak allows some insider trading to take place post-flotation.

The potential implications are significant:

  • The potential financial impact to the clients of a failed flotation and/or insider trading. Highly confidential financial details could also be sold on to criminal gangs, exposing the client to significant financial risks in the future.
  • The reputational fallout from adverse publicity
  • The time and cost incurred in rectifying the situation

Loss of Partner and Employee Information

A temporary employee within your HR department has access to and downloads sensitive personal information in relation to your employees, partners or members. It's unclear whether or not the information has been used for criminal activity, but sensitive information is being leaked via social media.

As well as damaging the employee / partner relationships within the firm, such disclosure constitutes public knowledge - impacting the reputation of the firm - and results in regulatory investigations, significant costs to the firm and loss of customer confidence.

What is missing from your MTC Professional Indemnity policy?

The process that has to be followed after a privacy and security breach is very different to that of a professional indemnity claim. Speed and quality of response are crucial following a breach and must include engagement with experienced breach vendor services if you are to minimise the impact of reputational damage, civil suits and regulatory actions.

Professional Indemnity insurers will often have very limited experience in this critical area, but specialist privacy and security insurers will have these relationships in place to complement your own data breach response plans.

Not covered by your PII

The first party exposure (i.e. the cost incurred in investigating the breach, notifying the affected individuals and mitigating damage to your reputation) is clearly not covered by your PII policy. Nor are breaches in relation to employee or partner information included under your Professional Indemnity policy.

The costs of defending a regulatory investigation by the ICO or SRA and any insurable fines and penalties imposed will have very limited cover.

Emotional distress and mental anguish claims arising from a privacy breach and consequential loss of revenue arising from customer churn will not be covered under a professional indemnity policy.

Doesn't my office insurance policy cover us?

The majority of office policies only respond when there has been a physical event such as a break-in or physical damage to property. Office policies are typically not designed to cater for 'digital' exposures, so whilst your IT system may have been damaged and compromised, it's unlikely it will be covered unless there's a special cyber extension.

So what is the answer?

At Lockton we will review any existing covers (for example, your Professional Indemnity and/or Office Policies) and identify any gaps. We will then discuss your options with you, based on your risk appetite. In many cases a dedicated privacy and security liability policy tailored to work alongside your existing covers will be the ideal solution.

Reputational harm

All risks threaten a business's ongoing reputation – it takes years to build a reputation and only seconds to destroy it.

Acknowledging this, Lockton, working with a specialist Lloyd's syndicate, has created a reputational product which pays the loss of revenue or profit following the triggering of an insured peril.

The scope of the insured perils can be very wide and range from the disgrace of a key partner to failure to secure regulatory approval.

These are highly bespoke policies and need to be crafted carefully to ensure they truly capture the loss of profit, revenue or shareholder value should a reputational risk occur.

Conclusion

Every day there is a new cyber threat or hack that makes the press. These threats are very real, and can affect the best-run firms. It is important to be prepared for such eventualities. Contact your Lockton broker or Account Manager to ensure you're adequately covered.