This is the last of a three-part series by Richard Bortnick, a senior counsel at Traub Lieberman Straus & Shrewsberry, who litigates and counsels US and international clients on cyber and technology risks, exposures and best practices, directors’ and officers’ liability, professional liability, insurance coverage, and commercial litigation matters.
Risk Based Security, a cyber risk consulting firm, reports that 2012 broke the previous record of reported data loss incidents with 3,126 breaches. This represented a 150% increase over the previous high recorded in 2011. According to Jake Kouns of Risk Based Security, in 2012:
While the first six months of 2013 have seen an improvement over the comparable period in 2012, Risk Based Security’s statistics show that as of June 20, 2013:
A series of reports published by other consulting and forensics firms further emphasize the magnitude of the problem:
Consider the impact of the Executive Order on an attorney whose clients are in the critical infrastructure sector. Then account for the visceral impact of this representation on clients who are not in this space. The perception (rightly or wrongly) could be that the attorney is more likely to suffer a breach than one who does not work with clients in this sector. Imagine too if the attorney does not employ best practices (beyond the obvious fact that they probably wouldn’t be hired if they didn’t). It’s lose/lose, with the likelihood of a CPT incident, the resulting loss (both tangible and reputational) and, most importantly, the loss of clients dramatically enhanced.
In short, although it may be cost-effective in the immediate term not to create and implement best practices, the expense of remediating a CPT event could be staggering. If your reputation is your or your firm’s lifeblood (and your economic support system), why on Earth would you be penny wise when the alternative is pound foolish? A loss could be a 10,000-pound gorilla on an attorney’s back. It could mean the end of a career. Or worse.
Although some attorneys might push back that they do not represent Fortune 500 or critical infrastructure companies and therefore do not need to be as concerned, that is a fallacy. Everyone is at risk. Sadly, in many cases, the threat of a CPT incident is an underappreciated reality for all professionals, including attorneys.
Attorneys and other professionals should not be dismayed by the obvious need to allocate resources (financial, human and technical) for the implementation of risk management and risk transfer strategies. It’s prudent, cost-effective in the long run, and, quite simply, a question of relative cost. An attorney can pay four or five figures now or risk not being able to afford six or seven figures later.
As discussed above, attorneys are required by state law to purchase errors and omissions insurance. In many cases, however, they assume that their E&O policies, together with their commercial general liability (“CGL”) forms, cover CPT risks. This is a critical mistake.
Indeed, more than a few insurance brokers and policyholders misunderstand the extent and limitations of professional and general liability insurance. In particular, many mistakenly believe that advertising and personal injury coverage (typically Part B or Part II of a CGL policy) covers a cyber breach. Others are of the view that an E&O policy will respond. In most situations, these views are wrong.
Although limited CPT-related insurance may be provided by a CGL or E&O insurance policy, the lion’s share of fees, expenses, and other loss incurred following a CPT incident would not be covered. CGL policies cover damage to a third party’s tangible property (or person) as well as, in certain situations, advertising and personal injury (if purchased).
In turn, E&O forms apply to professional negligence. Hence, if information from a closed matter still rests on a law firm’s server, it would be difficult for the firm to credibly argue that the mere storage of such information constitutes a professional service. And, in any event, neither applies to either first-party loss or crisis management expenses.
In stark contrast, CPT insurance (depending on the coverage purchased) will cover not only third-party liability claims, but also will extend to first-party loss (i.e., business interruption, extra expense, extortion threats and the like) as well as the frequently large (and unanticipated) crisis management fees and expenses.
Moreover, the desire to purchase cyber insurance should play a significant positive role in incentivizing the adoption of best practices which, if handled correctly, will reduce the risk of a CPT incident – as well as the premium associated with the purchase of CPT insurance. The more robust your protections, the lower your premiums. It’s a significant and critical risk/benefit analysis.
In its Fortune 500 Cyber Disclosure Report, 2013, Willis tracked public company disclosures post-publication of the Cyber Guidance. Willis found that the top risks identified by the cohort are: (1) loss or theft of confidential information (65 percent), (2) loss of reputation (52 percent), (3) direct loss from malicious acts (hackers, viruses, etc.) (50 percent), (4) system breaches or failures (40 percent), and (5) loss of intellectual property (13 percent). Willis also identifies the professional services sector as having the second highest risk exposure per classification, surpassed only by financial institutions/banks.
Put differently, those who discount the need for CPT best practices and CPT insurance should consider this thought: do you want to risk having your E&O coverage exhausted by a cyber breach? Or would you rather preserve the limits of liability for legitimate E&O claims?
After reading the foregoing, if you were considering increasing the limits of your E&O policy to account for CPT risks, why not just use the added premium to buy dedicated and tailored CPT coverage and add the available first-party and crisis management protections? Although it may be more expensive than excess E&O coverage (although it’s still modest by comparison to other insurance products), the additional coverages available are worth it. Think of it as sleep insurance. Many corporate executives and risk managers do. Why shouldn’t attorneys?
Many professionals are taking cyber risks and exposure seriously. Marsh’s March 2013 Benchmarking Trends report identifies the services industry – including professionals, business, legal, accounting and personal services firms – as the sector that experienced the largest uptick in the purchase of CPT insurance between 2011 and 2012, a 76 percent jump. To put this growth into perspective, this exceeded the percentage increase in both the education (72 percent) and financial services (32 percent) sectors.
This is not surprising. According to an August 2013 study published by Experian Data Breach Resolution and the Ponemon Institute, companies now rank cyber security threats as greater than those of natural disasters and other major commercial risks.
So too, Lloyd’s of London cites executives’ concerns over cybersecurity, stating in its third annual Risk Index (published in July 2013) that cyber security threats jumped from 12th place to 3rd place among the overall business risks identified by the more than 500 C-level executives queried.
A July 2013 survey published by ACE Group confirms the concern accorded to reputational harm. The study, which was conducted across 14 countries within ACE’s Europe, Middle East and Africa regions, reveals that 81 percent of the companies surveyed view reputation as their most significant asset. Among these companies, ACE found that:
And no one should forget that a CPT event averages $346,000 per incident in crisis management costs whereas, in most cases, the premium for a CPT policy is in the low- to mid-four or five figures.
We have even seen policies with premiums in the hundreds of dollars, depending on the size of the company and the associated CPT risks (as impacted by the deployment of CPT best practices). And this doesn’t account for business interruption coverage, which is not available as part of an E&O or CGL policy.
So, with these facts, statistics and warnings in mind, the solution is easy. Protect yourself, your business, your reputation and goodwill, and your financial future. It’s no longer prudent to say that a CPT event won’t happen to you. It can and likely will.
Legal training on best practices is a practical place to start. An attorney working under the attorney-client privilege can assist a professional in formulating and implementing practical and reasonable steps to protect their clients’ personally identifiable information, personal health information and confidential commercial information. And, by extension, the professional’s reputation and, perhaps, financial future – all while maximizing protection against that advice being discoverable in the course of litigation.
To the point, the discovery process is one of the key drivers of the rising cost of litigation. At the same time, many cases are won and lost at the discovery stage. When used appropriately, a legitimate privilege can shield troublesome documents and evidence from having to be produced to your opponent. And oftentimes, the proper assertion of privilege and the protections it affords can be outcome determinative.
In the long run, an experienced, knowledgeable cyber attorney’s fees will be markedly cheaper than the cost of having to remediate a CPT incident, litigate through discovery with an angry client or third party who claims to have been harmed, and, perhaps, lose at trial because documents that otherwise might have been protected from discovery had to be produced.
Indeed, the alternative to receiving advice and counsel from a trusted cyber lawyer could be career threatening, especially for a professional who trades on his or her reputation and goodwill. Some attorneys already have made the mistake of not doing so. Our readers should not be among them.