Law Times

Page 8 January 26, 2015 • Law Times www.lawtimesnews.com New insurance options Lawyers advised to get coverage for privacy breaches By Judy van rhiJn For Law Times t's a sign of the times that professional liability insur- ers have started tailoring products to address privacy breaches and other costs of cybercrime. "As a lawyer in private prac- tice, it does scare me that if I'm holding onto information that is breached or lost, I could be sued," admits Daniel Strigberg- er, a partner in the insurance and litigation group of Miller Thomson LLP in Waterloo, Ont. "It is a growing trend for law firms to realize that we are targets. We've all seen cyber liability affect the big entities like Home Depot, Target, and Sony. Cyber criminals can go after the individual store- fronts or a larger body that con- tains the information of lots of en- tities. If they go to a law firm, they can get access to all their individ- ual clients, their trade secrets, and business strategies." Strigberger notes that would apply to any company with several clients. "It does lots of damage to the firm, not just the clients, and then the clients turn around and sue the firm." In 2014, LawPRO responded to the issue by introducing new limited cybercrime coverage into its mandatory policy. Vic- toria Crewe-Nelson, assistant vice president of underwriting at LawPRO, explains that eve- ryone in the insurance and legal worlds had been talking about the risks. "It is a huge issue for the insurance industry as a whole," she says. "At one point, it was rumoured that seven Bay Street firms may have had intrusions. It was something on the horizon, so we came up with a specifically Ontario-made solution." Dan Pinnington, vice president of claims preven- tion and stakeholder rela- tions at LawPRO, describes the $250,000 offered as a modest amount of cover- age given that the costs of a breach can be substantial. LawPRO first inserted a gen- eral exclusion for cybercrime into its main policy and then added limited coverage by way of an endorsement. "There are so many forms it could take," says Crewe- Nelson. "We tried to address what they are most likely to be. There are two scenarios. There is lawyer liability be- cause of cybercrime where an intrusion causes the loss of confidential client infor- mation, such as a hacker in- filtrating the firm data, or the loss of something held in trust. This could occur when someone uses malware to break into the online banking system." An incident of this nature occurred in 2012 when a highly sophisticated attack allowed for direct access to a firm's trust ac- count. Crewe-Nelson is adamant that law firms should obtain ex- tra cyber coverage that works alongside the LawPRO policy. "As part of the exercise of coming up with our own policy, we looked at what the commercial market offers. There is communication and media liability which covers someone infringing your trade- mark or plagiarizing your work. It will also cover the expenses involved in regulatory offences, such as providing defence funds. There is insurance for crisis event management where a PR firm might come in to manage a repu- tation crisis or costs to improve and repair the system." She also lists extortion of electronic commerce and business interruptions as events not naturally covered by the LawPRO policy. Strigberger is familiar with some commercial insurance policies that work in conjunc- tion with LawPRO. "If a breach happens on Day 0, on Day 1 they come in and do the clean-up, protecting the first-party property and dealing with the business interruption. Notifications are required to all the people whose information might have been breached, and they will clean up internal com- munications and vandalism. If the lawyer is sued, the private policy deals with the excess costs over and above the Law- PRO coverage. They work hand in hand." Pinnington warns that while traditional insurance policies may offer a limited amount of coverage for cyber-related exposures, specifically de- signed products are preferable. "Property policies may not cover the loss of data because it may not be considered real or personal property. General li- ability policies are intended to cover bodily injury and proper- ty damage scenarios and would not cover network implications." He has seen the creation of spe- cific coverage for the spread of computer viruses, the use of sys- tems to hack a third party, and the outsourcing of data storage to third-party cloud providers. LawPRO still considers in- surance to be a remedy of last resort and is attempting to edu- cate the bar about cyber risks. "If businesses insure themselves without taking active steps to secure their computers and net- works, cyber criminals will con- tinue their efforts undeterred," says Pinnington. "Insurance is there if all else fails," says Strigberger. "If a law firm doesn't have that protection and it sustains a serious breach, it's likely it will never open its doors again. We need a proactive risk-management approach, organizing not just financial backing but an IT system to protect the infrastructure, and education to prevent incidents happening. We should be training staff not to be careless with infor- mation, such as losing hard drives or laptops. Insurance is more of a way to mitigate the loss if an attack happens." Another issue Strigberger believes needs attention is the fact that a lot of breach- es go undetected for a long time. "You need the technol- ogy, the infrastructure, and the people to find the breach- es and plug the leak sooner," he says. He repeats this advice for his clients as well: "Privacy is definitely at the forefront in cas- es and legislation now. Courts and lawmakers recognize pri- vacy as a right and do what they can to protect people from pri- vacy breaches and punish busi- nesses that fail to comply. If they don't have the resources to deal with the ramifications of a breach, the costs can be astro- nomical. The safest companies are the ones that try and pre- vent it from happening, protect themselves from attack, and more so, respond if it happens." Ironically, he doesn't see law firms taking their own advice. "It seems kind of odd that law- yers are so quick to advise their clients on how to clean up their business practices, comply with their obligations, and avoid legal risks. When it comes to our own firms, I'm not sure how many of us could respond to a cyber at- tack and the aftermath. We need to change our thinking." LT 'When it comes to our own firms, I'm not sure how many of us could respond to a cyber attack and the aftermath,' says Daniel Strigberger. Focus on Privacy Law Lexpert DealsWire is a new way to keep abreast of the significant M&A deals that are making news right now. It will examine and analyze key developments and trends as they happen and will report on the key players as deals are announced and closed both in Canada and around the world. Sign up today for bi-weekly email alerts at www.CarswellMedia.com/newswire/Dealswire GET THE LATEST NEWS AND VIEWS ON M&A Untitled-1 1 2014-09-11 1:13 PM I

• Cover