Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back

Cyber Insurance – Are You Really Covered?

Written by: Cameron G. Shilling

Published in NH Bar News (2/19/2020) and NEHRA News (3/19/2020)

Information security breaches and cyber crimes are traumatic experiences for any business, and most acutely for law firms, since confidentiality is critical for us and our clients entrust us with their money. These incidents are even more disastrous if you discover that you never obtained insurance to cover the losses, or that the insurance you paid for is not the right type of policy or the coverage is inadequate.

Common insurance – like a malpractice or commercial general liability policy – does not routinely cover an information security breach or cyber crime, and frequently excludes such coverage. Insurance for those losses must be secured through separate policies or endorsements. Moreover, breach insurance often contains no coverage for cyber financial crimes, which must be insured through a different type of policy or endorsement.

Additionally, not all cyber insurance is the same, but rather can differ meaningfully, and many generalist insurance agents are not familiar with the terms of these policies.  Lawyers and law firms should work with an agent who has cyber insurance expertise (or with an experienced information security attorney) to review the actual policy forms, and ensure that the scope of the coverage and the policy limits and sub-limits are appropriate.

Breach insurance should cover at least the following: (1) legal, forensic, public relations, and expert expenses; (2) costs to notify affected individuals and regulators; (3) expenses to operate a phone and email response center; (4) fees for identity and credit monitoring and restoration services for affected individuals; (5) payment of cyber extortion and ransom; (6) costs to defend regulatory audits and pay fines and penalties; (7) liability for claims, lawsuits, settlements, etc. resulting from a breach; (8) losses from damaged data and networks, and costs to restore them; and (9) liability for privacy violations.  Such insurance also should have an appropriate policy limit.  For most lawyers and law firms in New Hampshire, the policy limit should be between $500,000 and $3 million.  It also should have proper sub-limits (for example, coverage for regulatory matters should be the full policy limit, whereas coverage for notification expenses can be lower), and proper structuring of the sub-limits and deductible can reduce the premium.

Insurance for cyber financial crime typically comes as an endorsement to a standard malpractice, commercial general liability, or crime policy.  While some standard policies have limited coverage for some cyber crime, the coverage is frequently insufficient (for example, it is often limited to $25,000), whereas most New Hampshire lawyers and law firms should have cyber financial crime coverage between $250,000 and $1 million.  Such insurance also should cover all types of cyber crime, without unreasonable exclusions, including phishing and spear phishing, social engineering, embezzlement, computer fraud, and fraudulent funds transfers.

Insurance is no substitute for implementing measures to avoid information security breaches and cyber crime.  Indeed, one purpose of this reoccurring column in the Bar News is to inform lawyers and law firms about the safeguards we should adopt to do so. For example, dual authentication and dual authorization are key measures to avoid cyber financial crime – a topic to be addressed in a future column.  Nevertheless, just like we buy auto insurance and still take precautions to avoid an accident, we all should obtain appropriate cyber insurance and simultaneously implement safeguards to avoid breaches and cyber crime.  Indeed, in light of the reliance we place on technology and the risks we face from online attackers, cyber is likely one of our largest potential liabilities. We can and should properly insure it.

Cam Shilling chairs, and Bill Cheng is a member of, McLane Middleton’s Information Privacy and Security Practice Group.  Founded in 2009, the firm’s team of three attorneys and a technology paralegal assist businesses and private clients to improve their information privacy and security compliance, and address any security breach or incident that may arise.

Integrity and trust

At McLane Middleton we establish and maintain long-standing relationships with our clients to help us better achieve their unique goals over time. This approach to building trust requires that our esteemed lawyers and professionals use their broad, in-depth knowledge and work together with integrity to ascertain sound resolutions to legal matters for their clients.

Strength in numbers

McLane Middleton is made up of more than 105 attorneys who represent a broad range of clients throughout the region, delivering customized solutions. As a firm we are recognized as having the highest legal ability rating. The firm is rated Preeminent by Martindale Hubbell and is recognized as one of the nation's leading law firms in Chambers USA. Our attorneys are distinguished leaders in their respective practice areas.

Meet Our People

Commitment and collaboration

McLane Middleton's versatile group of attorneys and paralegals become trusted authorities on each case through collaboration. We work with our clients to learn their individual needs first and foremost and, together, we develop comprehensive solutions to their specific legal matters. This approach helps us exceed our clients' expectations efficiently and effectively, client by client, case by case.

Practice Areas

A history of excellence

McLane Middleton was established in 1919 in New Hampshire, and has five offices across two states. However, deep historical roots don't allow you to become innate. Our firm is organized, technological, and knowledgeable. Our history means we are recognized. But our reputation is built on the highest quality of service and experience in very specific areas of law.

The Firm

Intelligence paired with action

Our team continuously seeks opportunities to enhance their professional development and put key learnings to action. The pursuit of further insight guides us to volunteer service opportunities, speaking engagements, and teaching roles. Our lawyers are sought after thought leaders across their industries, and recipients of leadership awards throughout the region.