CyberSecurity for Law Firms
A Discussion of the Cyber Exposure, Coverage and Loss Prevention
Matthew Magner
October 25, 2012
Agenda
• What is the Cyber Exposure?
• Ripped from the Headlines
• Loss Scenarios
• Federal and State Regulation
• Breach Related Expenses and Costs
• Risk Management
• Coverage Gaps and Overlaps
• Questions
DISCLAIMER….
Chubb refers to the insurers of the Chubb Group of Insurance Companies.
This presentation is for informational purposes only. The information
provided should not be relied on as legal advice or a definitive statement of
the law in any jurisdiction. For such advice, an applicant, insured, listener
or reader should consult their own legal counsel. Actual coverage is subject
to the language of the policies issued. Chubb, Box 1615, Warren, NJ
07061-1615
The Cyber Exposure and Law Firms
The technology and amount of confidential data that a law firm relies upon to conduct its business can also significantly increase its vulnerability to cyber security threats – any of which can result in significant out-of-pocket and reputational costs that can devastate the bottom line.
The Cyber Exposure and Law Firms
• A lawyer has a duty of privacy and
confidentiality to his or her client.
• While the Lawyers Professional
Liability policy may address some
risk regarding this duty, there are
additional risks – and costs – firms
may face today.
• This presentation reviews those
risks, costs, risk mitigation and
potential insurance protection.
What Is A Data Breach?
• Unauthorized access to protected information
– Hacking
– Rogue Employees
– Negligence
– 3rd Party Vendors
What Information is at Risk of a Breach?
• Personally Identifiable Information (“PII”)
– Generally, a person’s name in combination
with their social security number, driver’s
license number, financial account number,
credit/debit card or other payment card
number, information related to their
employment or individually identifiable health
information pursuant to HIPAA.
• An organization’s non-public information
Where are the threats?
• Lost or stolen laptops and computers
• Lost or stolen mobile devices
• Poor passwords
• Disposal of obsolete data
• Hackers
• Employees/Vendors stealing information
• Social Engineering
• The “Cloud” or data aggregators
“Lawyers Get Vigilant on Cybersecurity.”
Wall Street Journal, June 24, 2012.
• “… current and former law enforcement
officials say cyberattacks against law firms
are on the rise…”
• “… many law firms may not be aware that
they were hacked until [an] agent shows
up on their doorstep…”
• “… the weakest links at law firms of any
size are often their own employees…”
“China-Based Hackers Target Law Firms to Get Secret Deal Data.”
Bloomberg, Jan. 31, 2012.
• Seven law firms cyber-attacked in 2010 in an attempt to
derail large acquisition and acquire trade secrets.
• Law firms increasingly threatened with loss of client
business if they can’t show improved security as such
attacks continue to increase.
• 200 law firms met with the FBI to discuss rising number
of law firm intrusions.
• FBI: “Hackers see law firms as back door to the
valuable data of their corporate clients.”
• Mandiant: 80 major U.S. law firms hacked in 2011.
“Law Firm, Police Hit By Hack Attacks; Lawyer Cell Phone Records Reportedly Accessed.”
ABA Journal Law News Now, Feb. 7, 2012.
• VA law firm’s (Puckett & Faraj) network hacked
through its web site and sensitive client data
was published on YouTube.com.
• Firm’s web-site replaced with hip-hop video.
• Network off-line for days (Update: Operations
ceased).
• Awaiting direction from state bar regarding
notifications to current and former clients.
• Many hacked e-mails had documents attached.
“Elliott Greenleaf Sues Ex-Partner, Stevens & Lee Over Client Files.”
The Legal Intelligencer, Feb. 10, 2012.
• Former partner allegedly installed software without
authorization on Elliott Greenleaf’s network that allowed
the partner to have continued access to the firm’s files
through the “cloud.”
• Software allegedly enabled continued, secret access to
the confidential and proprietary information and trade
secrets of Elliott Greenleaf and its clients. This data
could then be monitored or altered remotely on an
ongoing basis.
• Complaint further alleges that up to 5% of Elliott
Greenleaf’s back up tapes were deleted.
“Malicious Phishing Scheme Targets WilmerHale.”
ABA Journal Daily Newsletter, January 5, 2011.
• “E-mail from a fictitious ‘Brian Willmer’ is
being sent, purportedly from the firm,
urging recipients to click on a link to
determine how to respond to a commercial
litigation subpoena, the firm says in a
warning note prominently displayed on its
website.”
“Cameras May Open Up the Board Room to Hackers.”
The New York Times, Jan. 22, 2012.
• “Two months ago, [HD] Moore wrote a computer
program that scanned the internet for videoconference
systems that were outside [a] firewall and configured
automatically to answer calls. In less than two hours, he
scanned 3 percent of the internet.” In that sliver, he
discovered 5,000 wide-open conference rooms
[including] law firms…”
• “Any reasonably computer-literate 6-year-old can try this
at home.”
“How Secure are Law Firm Networks?”
Corporate Counsel, Feb. 21, 2012.
• Rich with client information, law firms are often
much less equipped to fend off cyberattacks
than the corporations they represent. Ergo, “…a
hacker can hit a law firm and it’s a much, much
easier quarry.” Mary Galligan, FBI.
• Article offers a dozen questions for corporations
to ask law firms regarding information security.
Cyber and Law Firms: More Headlines
• “Employee at a Palo Alto law firm steals 90 laptops and
120 desktop computers and sells them.”
• “Eighteen laptops stolen from the Orlando office of a
major law firm.”
• “Paralegal at a New York law firm downloads a 400 page
trial plan in a major case and offers to sell it to the
adverse party.”
• “Employee of a vendor at the Los Angeles office of a
major law firm steals a client’s highly confidential
encryption data and posts it on hacker websites.”
Source: “Law Firms Feel the Data Breach Heat and Start Buying [Cyber Liability]
Insurance.” (Management Liability Update, May 13, 2010).
Loss Scenario 1: Blackberry Lost!
A medical malpractice defense attorney forgets
an unencrypted Blackberry in an airport
restaurant. It is never recovered. It is late at
night on a weekend and the Blackberry is not
remotely wiped for 2 days. The attorney has
8,000 emails and some contain protected
health information.
Loss Scenario 2: “The Cyber ID Thief”
On a “black hat” website, Myra learns how
to write an SQL Injection script that allows
her to gain access to a law firm’s databases
through their website.
She is able to access and download over the
Internet names, addresses and Social
Security numbers of 1,500 of the firm’s
clients.
As required under State breach notification
laws, the firm notifies their affected clients,
incurring $250,000 in notification and
related crisis management expenses.
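The failure mode behind Loss Scenario 2, shown from the defender's side as an added example (not part of the presentation): a client-lookup page that pastes search-box input into its SQL hands the whole client table to anyone who types SQL syntax, while the same lookup with a bound parameter returns only genuine matches. The table, its rows and the function names are constructed for the example.

```python
# Added example, not from the presentation. Demonstrates why Loss Scenario 2 works
# against string-built SQL and why a parameterised query is the fix.
import sqlite3


def make_db():
    """Constructed sample client table standing in for the firm's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE clients (name TEXT, address TEXT, ssn TEXT)")
    con.executemany("INSERT INTO clients VALUES (?, ?, ?)", [
        ("Ada Example", "1 Main St", "000-00-0001"),
        ("Bob Sample", "2 Main St", "000-00-0002"),
        ("Cy Test", "3 Main St", "000-00-0003"),
    ])
    return con


def lookup_vulnerable(con, name):
    """Vulnerable: the visitor's input becomes part of the SQL text itself,
    so input containing quotes or operators rewrites the WHERE clause."""
    sql = "SELECT name, ssn FROM clients WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_parameterised(con, name):
    """Hardened: the input travels as a bound value and is never parsed as SQL,
    so a crafted string is simply a name that matches nothing."""
    sql = "SELECT name, ssn FROM clients WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    crafted = "x' OR '1'='1"  # search-box text that is SQL syntax, not a client name
    print(lookup_vulnerable(con, crafted))     # every client row, names and SSNs
    print(lookup_parameterised(con, crafted))  # [] - no client has that name
```

On the constructed table the vulnerable lookup returns all three records for the crafted input; against a real firm database it would be every client, which is the 1,500-record disclosure in the scenario.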
Loss Scenario 3: “The Oops Factor”
Rodney, in Personnel, is rushing to get a
spreadsheet containing the names, addresses and
Social Security numbers of 250 job applicants to
a background screening firm.
Attaching the sheet to an e-mail, he then inserts
the name of his contact in “To:”, not realizing
that what he has inserted is his bowling league
contact list.
He hits Enter – and sends the list of prospective
employees to the correct contact – and 30 other
people outside the organization.
Loss Scenario 4: “The Inside Job”
Prior to dismissal for cause, a disgruntled system
administrator installed a logic bomb into the firm’s computer
system. Some time after departure, the logic bomb began
systematically corrupting critical data.
The firm identified the root cause and quickly quarantined the corrupted data. However, it took several months to restore the data and resume normal business operations.
Laws and Regulations are Developing
When a data breach occurs, there are many US
Federal/State and regulatory laws to consider:
• Financial Services Modernization Act of 1999 / Gramm Leach Bliley Act (GLBA)
• Federal Trade Commission’s Fair Credit Reporting Act (FCRA) - Federal “Red Flag” Rules (16 CFR 681.2)
• Health Insurance Portability & Accountability Act (HIPAA) and 2009 HITECH Act
• State Data Breach Notification Laws
• Massachusetts Security Regulations (201 CMR 17.00)
State Statutes
• California first state to enact “security breach
notification” legislation – July 1, 2003 [SB 1386].
• Currently, 46 other states have enacted some type
of security breach notification legislation, including:
– Connecticut, Delaware, Florida, Georgia, Idaho, Illinois,
Indiana, Maine, Massachusetts, Minnesota, Mississippi,
Montana, New Hampshire, New Jersey, New York,
Ohio, Oregon, Pennsylvania, Rhode Island, Texas,
Vermont, Washington and Wyoming; plus
– District of Columbia, Puerto Rico and U.S. Virgin
Islands.
The Reach Of The Laws
Breach Related Expenses
Notification
 Crafting letter or other notification
 Printing or design
 Mailing or other transmission
 Call Center Operations
 Other Services for Affected Persons: Credit Monitoring
Public Relations
 Advertising & Press Releases
Forensics
 Cost of forensic examination
 Cost to remediate discovered vulnerabilities
Legal
 Legal expenses for outside attorney
 Response to claims or suits
 Payment of judgments or settlements
Breach Costs By Activity (Ponemon, 2010)
Activity                          Percent   Dollars (per record)
Investigation & Forensics           11%        $23
Audit & Consulting Services         10%        $21
Outbound Contact                     5%        $10
Inbound Contact                      6%        $13
PR/Communications                    1%         $2
Legal Services - Defense            14%        $30
Legal Services - Compliance          2%         $4
Free or Discounted Services          1%         $2
Identity Protection Services         2%         $4
Lost Customer Business              39%        $83
Customer Acquisition Cost            9%        $19
Total                              100%       $214
For internal use only. Not to be distributed outside of Chubb.
Risk Management Misconceptions
• IT is on top of it, so there is little to no
exposure.
• We are too small a firm to be in a hacker’s
cross-hairs.
• Our data is stored off-site with a third-party
vendor, so any breach is their problem.
• Our mobile devices are secure because they
are password protected.
Risk Mitigation
• Information Security Policy (ISP)
• Virus Prevention / Intrusion Detection /
Penetration Testing
• Mobile Device Security
• Incident Response Plan (IRP)
• Expert Security Assessments
Information Security Policy
• First measure that must be taken to reduce the risk of unacceptable use of the company’s information resources.
• Development & implementation of a security policy turns employees into active participants towards securing company information.
• Helps reduce risk of security breach through ‘human factor’ mistakes.
Incident Response Plan
• Essential for a company to have in place in order to effectively respond to a security breach.
• IRPs typically include:
– Members of the IRP Team (i.e., Managing Partner, head of IT, etc.)
– Notification process
– Guidelines for getting 3rd Parties involved (e.g., legal counsel, public relations, printers, forensic experts) with pre-negotiated rates.
• IRPs should be tested at least annually using various breach scenarios.
Cyber Liability Insurance
Offered as a stand-alone product.
 One single policy with combined third party liability and first party coverages.
 Designed to provide coverage to Insureds who transmit or store confidential customer information.
CyberSecurity By Chubb(SM)
Insuring Clauses
• Cyber Liability
– Disclosure Injury
– Reputational Injury
– Content Injury
– Conduit Injury
– Impaired Access Injury
• Privacy Notification Expenses
• Crisis Management & Reward Expenses
• E-Business Interruption & Extra Expenses
• E-Threat Expenses
• E-Vandalism Expenses
Don’t I Have Cyber Coverage Already?
• 1st Party Exposures? Post-breach expenses?
• Regulatory prosecution?
• Breach of employee information?
• Website/Social Media?
• Breaches that do not arise from “Professional Services?” System-to-System injury?
• Rogue insider?
• Low LPL limits?
Traditional Insurance Approach
ISO Commercial Property?
Computer Crime ?
General Liability Policy?
Professional Liability Policy?
ISO Commercial Property “Electronic Data”
Covered Causes of Loss extended to include a “virus”.
But – coverage is limited because data must be “destroyed or corrupted”.
Surety And Fidelity Association
Computer Crime
Computer Crime Policy has three major exclusions:
What about CGL or LPL Coverage?
General Liability Insurance
Addresses only physical injury to persons or tangible property, as well as the Insured’s liability arising from the publication of material that violates a person’s right to privacy. May be further restricted by several exclusions.
Professional Liability Insurance
May be limited by the description of “Professional Services” or by Exclusions for “Invasion of Privacy.” LPL is only a liability contract.
Notification & Crisis Management
[Diagram: CyberSecurity Policy (Cyber Liability – Privacy Injury; Privacy Notification & Crisis Management Expense) alongside Lawyers Professional Liability Policy; the Data Breach Notification & Crisis Management Expense sits under the CyberSecurity Policy.]
Liability – Cyber Excess of LPL
[Diagram: CyberSecurity Policy (Cyber Liability – Privacy Injury; Privacy Notification & Crisis Management Expense) alongside Lawyers Professional Liability Policy; Defense Expense & Possible Damages sit under the Lawyers Professional Liability Policy, with Cyber Liability excess of LPL.]
What About a Breach of Employee Data?
[Diagram: CyberSecurity Policy (Cyber Liability – Privacy Injury; Privacy Notification & Crisis Management Expense) alongside Lawyers Professional Liability Policy; a Breach of Employee Data is shown outside the Lawyers Professional Liability Policy.]
CyberSecurity For Law Firms
[Diagram: One Breach can trigger the Lawyers Professional Liability Policy together with the CyberSecurity insuring clauses: Cyber Liability – Privacy Injury; Privacy Notification & Crisis Management Expense; E-Business Interruption & Extra Expense; E-Threat Expense; E-Vandalism Expense.]
Final Thought on Cyber
“Even if law firms manage to take heroic
measures to secure their computer
systems, experts say they … must accept
the reality that cyberspace will never be
entirely safe. As a result, experts say
systems should be constructed so they are
resilient enough to adapt to and recover
from attacks rather than avoid them
altogether.”
Source: “Cyberspace Under Siege: Law Firms are Likely Targets
for Attacks Seeking to Steal Information Off Computer Systems.”
(ABA Journal Magazine, November 1, 2010).
Questions?