Jump to Navigation | Jump to Content
American Bar Association


Protecting Against Cyber-Attacks

By Matthew J. Hafey and Allen G. Haroutounian – March 27, 2014

Whether you own a mom-and-pop pizza shop in your neighborhood or run a business with hundreds of employees, the threat of a cyber-security breach is very real. Data breaches and cyber-attacks have increased 42 percent in 2012, making the occurrence of a cyber-incident increasingly more common. For example, in December 2013, Target suffered a security breach in which up to about 110 million of its customers’ credit- and debit-card information was stolen. The motives behind these types of attacks vary, from selling customer data for money, to exposing information to the public, to conducting espionage.

Cyber-security breaches are not specific to large retail corporations. In fact, any type of business, regardless of size, is susceptible to a cyber-attack. Of the 855 data breaches analyzed by Verizon Communications Inc. in 2012, about 72 percent of those breaches occurred at companies with 100 employees or less. Law firms that are in possession of client data, including Social Security numbers, medical records, financial statements, and more, face the same types of cyber-threats as any other business.

What is Cyber-Liability Insurance and Does My Firm Need It?
With every new technological advancement, individuals and businesses are increasingly becoming dependent on the Internet and cloud computing to interact and to conduct financial transactions. For example, some banks now make it possible for individuals to deposit personal checks into their bank account through a smartphone. Hospitals upload a patient’s latest medical-test results online for the patient to view. A typical law firm is in possession of a client’s personal data, including his or her Social Security number, medical records, financial statements, and tax records, not to mention attorney-client privileged materials and matter protected by the attorney-work-product doctrine, all of which an attorney is legally and ethically bound to maintain securely. A natural consequence of the progression of technology toward cloud computing and online transactions is that people’s personal data are stored on a company’s servers. This information therefore becomes highly susceptible to attack by hackers. According to a recent survey, the average cost of a data breach is $5.4 million, and the cost associated with such a breach is $188 per compromised record. One way to protect an organization from these costs is to purchase cyber-liability insurance.

Typically, a cyber-liability insurance policy can provide coverage for different types of cyber-attacks and data breaches. Because each type of business faces unique cyber-threats, it is important to identify the most common threats your organization faces and tailor your cyber-liability policy to your organization’s specific needs. The ISO standard security-breach-liability insurance form offers coverage for an organization’s liability arising from a data-security breach and the costs incurred in responding to that breach. Other types of coverage offered under ISO standard forms include programming errors and omissions liability, restoration of electronic data, and public-relations expenses. Importantly, none of these coverages is typically afforded under a generic commercial general liability insurance policy, and many (if not most) law firms do not recognize the magnitude of their potential exposure without it.

An organization can also obtain coverage for damages related to the cost of recovering destroyed or damaged data. For example, if a virus destroys files on your organization’s servers, the cost of recovery of such files may be covered. Coverage is also available for general breaches to your organization’s network that cause, for example, your organization’s website to shut down, resulting in business interruption or other lost revenue. A cyber-liability policy can also offer coverage in the event that a cyber-attack or security breach results in a privacy tort or violation of a privacy statute or other statute. For example, California Code of Civil Procedure section 1798.29(b) requires an organization, upon learning of a cyber-attack, to notify an individual that his or her personal information has been compromised. A cyber-liability policy may provide coverage for the costs associated with providing such notice to a consumer, as well as coverage for the unauthorized disclosure or dissemination of private information. Lastly, it is important to know that most cyber-liability insurance policies are written on a “claims made and reported” basis, meaning that a cyber-attack or data-breach-type claim must be reported in writing to the insurer during the insured’s policy period. Additionally, the claim must be made subsequent to the retroactive date on the policy.

A law firm interested in obtaining cyber-liability coverage should obtain coverage for a breach associated with the firm’s servers or internal network. This is because, typically, an individual interacting with a law firm’s website cannot enter into a financial transaction on the website. Instead, the amount of information exchanged between an individual and a firm’s website is limited usually to the person’s name, address, telephone number, and a brief statement of the person’s questions or concerns. More sensitive information, such as a person’s Social Security number, is typically obtained through a personal exchange with the client. Additionally, with the advent of email as a preferred method of communication comes a greater risk of a third party intercepting such communications, especially if an attorney or client works remotely from home or at a public location (e.g., at an Internet cafe, airport, or coffee shop, all of which typically are “unsecured” and can easily be hacked). This type of information is later stored on the law firm’s network and servers. Thus, it is important to obtain a cyber-liability policy that provides coverage for these types of breaches. As always, a firm purchasing a cyber-liability policy should review the policy and any applicable exclusions and endorsements carefully, to ensure that its cyber-liability needs are met.

Developments in the Law Regarding Cyber-Attacks and Data Breaches
Today, about 46 states in the United States have passed legislation requiring notification to the individual when his or her personal data are exposed through a cyber-attack or data breach. In California, the legislature passed S.B. 1386, which amended three sections of the California Code of Procedure that address personal data and privacy. Specifically, section 1798.29 requires that where an individual’s personal data are breached, the agency that owns or licenses such personal information must immediately, upon notification or discovery of the breach, notify the individual whose personal information was compromised. In Europe, while data-protection laws are in place through the EU Data Protection Directive 95/46/EC, the European Union has proposed regulations streamlining the data-protection laws throughout the European Union. The proposal would make it easier for companies to comply with a single set of regulations, instead of having to worry about complying with varying data-protection laws in each country.

Organizations that suffer a cyber-attack or security breach may face lawsuits from individuals whose personal information was stolen. Such lawsuits have, in the past, met with mixed success, mainly because plaintiffs are unable to establish cognizable damages resulting from a breach. However, it appears that some courts have trended away from this rule. For example, in Anderson v. Hannaford Brothers Co., 659 F.3d 151, 167 (1st Cir. 2011), the First Circuit held that financial losses arising out of the plaintiffs’ claims for identity theft such as insurance and replacement-card fees are recoverable as mitigation damages, as long as they are reasonable. According to the court, it is foreseeable that when a customer’s credit- or debit-card information is stolen, he or she will replace the card to mitigate the misuse of the data associated with the card. There is no doubt that Anderson and its progeny will have a profound effect on recent class-action lawsuits against Target arising out of its data breach. See, e.g.,Kirk v. Target Corp. et al., No. 13CV05885 (N.D. Cal. Dec. 19, 2013); “Hagens Berman Reminds Consumers of Its Class-Action Lawsuit against Target for Data Breach Affecting Up to 110 Million Consumers,” Wall St. J. (Jan. 28, 2014).

As technology progresses and more and more of our information is stored online, cyber-attacks and data breaches will no doubt continue. An organization must keep in mind the balance between providing technology to help people improve their lives and make things more efficient with the need to protect an individual’s personal information. While many lawyers and law firms would not automatically consider themselves vulnerable to a cyber-attack, the Target case illustrates that hackers (or perhaps unscrupulous opposing parties) can pose a real threat to any business. Because cyber-attacks are unpredictable in scope and damage, a cyber-liability insurance policy should be seriously considered as it offers protection to organizations such as law firms that face such attacks every day.

Keywords: professional liability litigation, cyber-attack, security, insurance, data breaches

Matthew J. Hafey and Allen G. Haroutounian are members of Nemecek & Cole in Sherman Oaks, California.

Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).