From one lawyer to others: cyber, privacy and technology best practices (Part III)

By Richard Bortnick on June 4, 2014

This is the last of a three-part series by Richard Bortnick, a senior counsel at Traub Lieberman Straus & Shrewsberry, who litigates and counsels US and international clients on cyber and technology risks, exposures and best practices, directors’ and officers’ liability, professional liability, insurance coverage, and commercial litigation matters.

Read the first part HERE. Follow that up with PART II.

The Economics of “Best Practices”

Risk Based Security, a cyber risk consulting firm, reports that 2012 broke the previous record of reported data loss incidents with 3,126 breaches. This represented a 150 percent increase over the previous high, recorded in 2011. According to Jake Kouns of Risk Based Security, in 2012:

  • Hacking accounted for 72.5 percent of cyber incidents and remained the leading cause for the second consecutive year;
  • Hacking accounted for 21.9 percent of exposed records;
  • Insiders accounted for 17.1 percent of reported incidents and 67.6 percent of exposed records, with insider wrongdoing accounting for 6.2 percent of reported incidents and 57.5 percent of exposed records and insider errors accounting for 7.8 percent of reported incidents and 5.2 percent of exposed records;
  • Individuals’ names, passwords, email addresses, and other miscellaneous data were exposed in over 43 percent of the reported incidents; and
  • 12.4 percent of the reported breaches included a Social Security Number or Non-US equivalent.

While the first six months of 2013 have seen an improvement over the comparable period in 2012, Risk Based Security’s statistics show that as of June 20, 2013:

  • There have been 1,129 reported incidents exposing 344 million records;
  • The Business sector accounted for 55.5 percent of reported incidents, followed by Government (20.9 percent), Medical (10.1 percent), Education (7.4 percent), and Unknown (6.1 percent);
  • 58.0 percent of reported incidents were the result of hacking, which accounted for 79 percent of exposed records;
  • Breaches involving U.S. entities accounted for 45.5 percent of the incidents and 49.9 percent of the exposed records; and
  • Four 2013 incidents have secured a place on the Top 10 All Time Breach List.

A series of reports published by other consulting and forensics firms further emphasize the magnitude of the problem:

  • A June 2013 report published by NetDiligence evaluated 140 paid insurance claims from 2012 and found the average cost per breach was $1 million. Eleven percent of these claims involved companies in the professional services sector. Overall, the cost of a cyber incident ranged from a low of $13,000 to a high of $10.5 million, with a typical claim costing between $25,000 and $400,000. The mean for crisis management services (forensics, notification, call center, credit monitoring and legal guidance) was $346,000 per incident, while legal costs alone averaged $258,000.
  • A July 2013 McAfee modeling study, entitled “Estimating the Cost of Cybercrime and Cyber-Espionage,” projects that “[c]ybercrime costs the global economy between $100 billion and $500 billion annually.” According to McAfee, the U.S. economy alone loses “some $100 billion to cybercrime and cyber espionage, including loss of key business data and intellectual property.” The report emphasizes that cybercrime leads to reduced trust for online activities and that the mere threat of cybercrime affects spending by consumers;
  • Verizon’s 2013 Data Breach Investigations Report analyzed over “47,000 reported security incidents and 621 confirmed data breaches from [2012]. Over the entire nine-year range of this study, that tally now exceeds 2,500 data breaches and 1.1 billion compromised records”;
  • A 2011 UK government report estimated that cybercrime cost the UK as much as £27 billion a year, £21 billion of which is estimated as costs to businesses.

The NetDiligence report also pegs the average cost per compromised record at $5.22. Multiply that figure by the number of records you hold and you have a reasonable estimate of your own crisis management response costs. In doing so, assume that all of your past and present clients’ records are compromised. Then compare that figure to the cost of best practices planning, training and implementation, together with a CPT policy with limits of $1 million or even $5 million, and you will find that the crisis management response costs could dwarf the price of a loss control and remediation plan, inclusive of insurance.

The magnitude of the problem cannot be taken lightly, especially by attorneys who possess third-party records. Verizon found that 20 percent of network intrusions hit information and professional services firms, the same percentage as the manufacturing, transportation and utilities sectors combined, which, as we all know, are the sectors of paramount concern to the government.

If it was not clear before, this was made clear in President Obama’s Executive Order 13636 (Feb. 12, 2013). The Executive Order mandates the development of a national “Cybersecurity Framework” for entities involved with critical infrastructure. It also calls for collaborative efforts between the private and public sectors designed to encourage the voluntary sharing of information under the auspices of the Secretary of Homeland Security.

    Consider the impact of the Executive Order on an attorney whose clients are in the critical infrastructure sector. Then account for the visceral impact of that representation on clients who are not in this space. The perception (rightly or wrongly) could be that such an attorney is more likely to suffer a breach than one who does not work with clients in this sector. Imagine, too, an attorney in this position who does not employ best practices (beyond the obvious fact that they probably wouldn’t be hired if they didn’t). It’s lose/lose, with the likelihood of a CPT incident, the resulting loss (both tangible and reputational) and, most importantly, the loss of clients all dramatically enhanced.

    In short, although it may be cost-effective in the immediate term not to create and implement best practices, the expense of remediating a CPT event could be staggering. If your reputation is your or your firm’s lifeblood (and your economic support system), why on Earth would you be penny wise now and pound foolish later? A loss could be a 10,000-pound gorilla on an attorney’s back. It could mean the end of a career. Or worse.

    Although some attorneys might push back that they do not represent Fortune 500 or critical infrastructure companies and therefore do not need to be as concerned, that is a fallacy. Everyone is at risk. Sadly, in many cases, the threat of a CPT incident is an underappreciated reality for all professionals, including attorneys.

    How Does CPT Insurance Factor Into Best Practices?

    Attorneys and other professionals should not be dismayed by the obvious need to allocate resources (financial, human and technical) for the implementation of risk management and risk transfer strategies. It’s prudent, cost-effective in the long run, and, quite simply, a question of relativities. An attorney can pay four or five figures now or risk not being able to afford six or seven figures later.

    As discussed above, attorneys are required by state law to purchase errors and omissions insurance. In many cases, however, they assume that their E&O policies, together with their commercial general liability (“CGL”) forms, cover CPT risks. This is a critical mistake.

    Indeed, more than a few insurance brokers and policyholders misunderstand the extent and limitations of professional and general liability insurance. In particular, many mistakenly believe that advertising and personal injury coverage (typically Part B or Part II of a CGL policy) covers a cyber breach. Others are of the view that an E&O policy will respond. In most situations, these views are wrong.

    Although limited CPT-related coverage may be provided by a CGL or E&O insurance policy, the lion’s share of fees, expenses and other loss incurred following a CPT incident would not be covered. CGL policies cover bodily injury to third parties and damage to their tangible property as well as, in certain situations, advertising and personal injury (if purchased).

    E&O forms, in turn, apply only to claims arising from professional negligence. Hence, if information from a closed matter still rests on a law firm’s server, it would be difficult for the firm to credibly argue that the mere storage of that information constitutes a professional service. And, in any event, neither form responds to first-party loss or crisis management expenses.

    In stark contrast, CPT insurance (depending on the coverage purchased) will cover not only third-party liability claims, but also will extend to first-party loss (i.e., business interruption, extra expense, extortion threats and the like) as well as the frequently large (and unanticipated) crisis management fees and expenses.

    Moreover, the desire to purchase cyber insurance should play a significant positive role in incentivizing the adoption of best practices which, if handled correctly, will reduce the risk of a CPT incident – as well as the premium associated with the purchase of CPT insurance.  The more robust your protections, the lower your premiums. It’s a significant and critical risk/benefit analysis.

    In its Fortune 500 Cyber Disclosure Report, 2013, Willis tracked public company disclosures made after publication of the SEC’s Cyber Guidance. Willis found that the top risks identified by the cohort are: (1) loss or theft of confidential information (65 percent), (2) loss of reputation (52 percent), (3) direct loss from malicious acts (hackers, viruses, etc.) (50 percent), (4) system breaches or failures (40 percent), and (5) loss of intellectual property (13 percent). Willis also identifies the professional services sector as having the second highest risk exposure per classification, surpassed only by financial institutions/banks.

    Put differently, those who discount the need for CPT best practices and CPT insurance should consider this thought:  do you want to risk having your E&O coverage exhausted by a cyber breach? Or would you rather preserve the limits of liability for legitimate E&O claims?

    After reading the foregoing, if you were considering increasing the limits of your E&O policy to account for CPT risks, why not just use the added premium to buy dedicated and tailored CPT coverage and add the available first-party and crisis management protections?  Although it may be more expensive than excess E&O coverage (although it’s still modest by comparison to other insurance products), the additional coverages available are worth it. Think of it as sleep insurance. Many corporate executives and risk managers do. Why shouldn’t attorneys?

    Conclusion

    Many professionals are taking cyber risks and exposure seriously. Marsh’s March 2013 Benchmarking Trends report identifies the services industry – including professionals, business, legal, accounting and personal services firms – as the sector that experienced the largest uptick in the purchase of CPT insurance between 2011 and 2012, a 76 percent jump. To put this growth into perspective, this exceeded the percentage increase in both the education (72 percent) and financial services (32 percent) sectors.

    This is not surprising. According to an August 2013 study published by Experian Data Breach Resolution and the Ponemon Institute, companies now rank cyber security threats as greater than those of natural disasters and other major commercial risks.

    So too, Lloyd’s of London cites executives’ concerns over cybersecurity, stating in its third annual Risk Index (published in July 2013) that cyber security threats jumped from 12th place to 3rd place among the overall business risks identified by the more than 500 C-level executives queried.

    A July 2013 survey published by ACE Group confirms the concern accorded to reputational harm. The study, which was conducted across 14 countries within ACE’s Europe, Middle East and Africa regions, reveals that 81 percent of the companies surveyed view reputation as their most significant asset. Among these companies, ACE found that:

    • 77 percent find it difficult to quantify the financial impact of reputational risk on their business, making it harder to measure than traditional, more tangible, risks;
    • 68 percent of companies believe information and advice about how to manage reputational risk is hard to find, compounding the sense of uncertainty and confusion about how best to manage it;
    • 66 percent of companies feel inadequately covered for reputational risk from an insurance perspective; and
    • 56 percent of companies say social media has greatly exacerbated the potential for reputational risk to affect their business.

    And no one should forget that a CPT event averages $346,000 per incident in crisis management costs whereas, in most cases, the premium for a CPT policy is in the low- to mid-four or five figures.

    We have even seen policies with premiums in the hundreds of dollars, depending on the size of the company and the associated CPT risks (as impacted by the deployment of CPT best practices). And this doesn’t account for business interruption coverage, which is not available as part of an E&O or CGL policy.

    So, with these facts, statistics and warnings in mind, the solution is easy. Protect yourself, your business, your reputation and goodwill, and your financial future. It’s no longer prudent to say that a CPT event won’t happen to you. It can and likely will.

    Legal training on best practices is a practical place to start. An attorney, working under the protection of privilege, can assist a professional in formulating and implementing practical and reasonable steps to protect their clients’ personally identifiable information, personal health information and confidential commercial information, and, by extension, the professional’s reputation and, perhaps, financial future, all while maximizing protection against that advice being discoverable in the course of litigation.

    To the point, the discovery process is one of the key drivers of the rising cost of litigation. At the same time, many cases are won and lost in the discovery stage. When used appropriately, a legitimate privilege can shield troublesome documents and evidence from having to be produced to your opponent. And oftentimes, the proper assertion of privilege and the applicable protections afforded can be outcome determinative.

    In the long-run, an experienced, knowledgeable cyber attorney’s fees will be markedly cheaper than the cost of having to remediate a CPT incident, litigate through discovery with an angry client or third party who claims to have been harmed, and, perhaps, lose at trial because documents that otherwise might have been protected from discovery had to be produced.

    Indeed, the alternative to receiving advice and counsel from a trusted cyber lawyer could be career threatening, especially for a professional who trades on his or her reputation and goodwill. Some attorneys already have made the mistake of not doing so.  Our readers should not be among them.

Richard J. Bortnick is senior counsel at Traub Lieberman Straus & Shrewsberry and a contributing author for the Cyber Risk Network. He was previously a shareholder in the law firm Christie, Pabarue and Young. Rick litigates and counsels US and international clients on cyber and technology risks, exposures and best practices, directors’ and officers’ liability, professional liability, insurance coverage, and commercial litigation matters.

He also drafts professional liability insurance policies of varying types, including cyber, privacy and technology forms, and is Publisher of the highly-regarded cyber industry blog, Cyberinquirer.com.