Written by: Lauren E. Godshall, Morris Bart LLC
Technology Law Committee Chair
Have you been the victim of a cyber data breach? Odds are, if you’ve logged onto LinkedIn, picked up an Uber, filled a prescription at CVS, or just generally lived and worked in the computer age, you’ve been hacked, had data exposed or stolen, or operated under those threats constantly. So what can lawyers and businesses do to protect themselves (and their clients or customers) from the threats inherent in the internet age?
Enter cyber risk insurance.
The NOBA Technology Committee spoke with Adrejia Boutte Swafford, an experienced insurance defense attorney from Christovich & Kearney, LLP, in New Orleans, who advises clients on cyber risk issues, about what everyone needs to understand about cyber risk insurance:
What does cyber risk insurance protect against?
In short, it protects against unrecoverable financial loss after a cybercrime has occurred involving your personal data, an entity, or your home. According to the National Association of Insurance Commissioners, “[c]ybercrime is a criminal act involving a computer and a network.” In general, we purchase insurance to transfer risk from a person or entity to the insurance company. In layman’s terms, people want to protect their assets and be reimbursed for their losses. Cyber risk insurance, also called “cyber coverage,” offers a way to become whole again after data breaches of companies and breaches of personal internet networks.
According to The International Risk Management Institute, Inc.’s The Betterly Report, “[c]overage can be triggered by the following [:] Failure to secure data[;] Loss caused by an employee[;] Acts by persons other than insureds[;] and/or Loss resulting from the theft or disappearance of private property (such as data that resides on a stolen laptop or missing data storage media)[.]”
Overall, a cyber risk insurance policy will cover first party damages (i.e. the cost to notify clients/customers, direct cost of losses from interruption of business or identity monitoring/protection for an individual) and third party damages (i.e. the cost of defending lawsuits brought by clients). In addressing these damages, there are three main areas of coverage types offered under a cyber risk insurance policy: (1) liability for loss or breach of the data; (2) remediation costs to respond to the breach; and (3) coverage for fines and/or penalties imposed by law or regulation. Some insurers also offer things like: a breach coach, reimbursement for ransoms paid, and so on.
What kinds of companies need it?
All types of companies, big and small, including law firms! Statistically, smaller entities are targeted more often than larger because the likelihood of poor cybersecurity is higher. But individuals should consider purchasing it through their homeowner’s insurers too! As our society continues to purchase more and more programmable devices for our homes, the risk of someone committing a cybercrime against us at home rapidly increases.
Do lawyers need to get this?
Yes!! We handle sensitive data all the time and because we do, we are often targeted by “evil doers!”
If I have a cyber risk policy and we get a ransomware attack, what happens?
It depends on what variant of virus is distributed. Some variants, like the SamSam ransomware, usually target hospitals and are only deployed into a computer network to freeze access. However, other variants might allow the hacker to create accounts, steal information, use the entity’s reputation to set up shell entities or social media accounts, etc. The list goes on and on. If the case is a SamSam ransomware, then the hacker only wants to prevent access, or give the illusion of no access, by the entity to its network.
What should you do if this happens? In short: First, get your IT department involved and shut down the computers in the network. Second, access an isolated computer that is not connected to the network. Third, contact your cyber risk insurer. Generally, the insurer will require the insured to employ an IT forensic firm and counsel from its list of approved vendors. Fourth, report the attack to the state’s Attorney General’s office and the FBI. Make sure you contact the cyber risk counsel first and let the law firm hire the IT forensics firm. This will create a privilege that will protect any reports or findings about your system from easy discovery. Finally, follow the directives from the IT forensic firm and attorney. The FBI will advise victims not to pay a ransom demand, but the decision whether to pay a hacker to release your data is ultimately made by you.
Why isn’t having an IT department enough to protect you from attack?
A few reasons: the IT department does not always understand the full scope of your cyber risk. Thus, it should be a collaboration of your IT department, your HR department/risk management, and your clients’ requirements for compliance.
Why won’t our standard policy protecting against business interruption suffice?
When we talk about “business interruption” under a traditional commercial general liability (CGL) policy, the covered action is caused by direct physical property damage, like the physical destruction of the commercial property, which prohibits regular business from being conducted. However, when there is a cyber event, or cyber incident, the coverage under a traditional CGL is 9.9 out of 10 times not triggered because there was no “physical property damage” incurred. (There was a recent case on this issue where the court ruled in favor of coverage. However, this is generally denied because coverage under a cyber risk policy is not generally triggered by a physical disruption.)
Thanks to Adrejia for speaking with the NOBA Technology Committee!
Adrejia L. A. Boutté Swafford is an insurance defense attorney at Christovich & Kearney, LLP in New Orleans, Louisiana. She has practiced commercial defense litigation for over 12 years, focused on insurance coverage disputes, homeowners’ insurance policies, automobile insurance policies, toxic torts, premises liability claims, assisted living facility issues, construction law claims, and workers’ compensation, among other areas. Adrejia also offers services on compliance-related matters, including but not limited to corporate consultation (regarding organizational/business ethics, state, federal, and industry standards) and litigation work based on general compliance issues and cyber risk insurance policy issues. Adrejia can be reached online at: firstname.lastname@example.org, linkedin.com/in/Adrejia-bswaffordcyberriskno1, and at www.christovich.com.
Lauren Godshall, Chair of the NOBA Technology Committee, can be reached at email@example.com.