Cyberinsurance could save you from an IT disaster

Published on 8/28/06

"Disaster" for any law firm is not a question of "if," but rather of "when." The only unknowns are the type of disaster, when it will occur and how bad it will be.

That's particularly the case when disaster jeopardizes confidential client records and work product. Such documentation includes master files, time and billing records, court filings, wills, powers of attorney, corporate records, and any other materials that law firms are required to keep.

What about the active files of these records on your computer today? If they were compromised by a hacker, or otherwise threatened by criminal activity, it would certainly qualify as a disaster for any firm - one that happens far more often than most firms want to admit.

An annual survey of businesses and professional organizations conducted jointly by the FBI and the Computer Security Institute found that 90 percent of survey participants suffered a computer security breach, with average losses from that breach running in the hundreds of thousands of dollars.

Most law firms have some form of liability insurance to protect premises and their contents against losses from fire or other disasters. Computer security risks, and the disaster that can result from them, are fundamentally different - and fundamentally unprotected by most insurance.

Several years ago, the Ernst & Young accounting firm surveyed several thousand organizations about whether they had insurance coverage for losses related to computer security. More than one-third of respondents thought they had coverage through their general liability policies - and in fact didn't. More than half either knew that they lacked coverage and had done nothing about it, or simply didn't know what their coverage was.

It makes no sense to take a band-aid approach by seeking endorsements to traditional policies, such as property, fidelity and professional liability insurance. The only really effective way to assure that your firm and your clients will not suffer loss through a computer disaster is a form of specialized computer insurance coverage called cyberinsurance.

An effective cyberinsurance policy can handle the first-party and third-party liabilities that your firm faces in a computer security disaster.

First-party liabilities include revenue lost during system downtime caused by accidents and security breaches, the cost of recovering data compromised by a virus infection, and even the ransom demands of hackers who claim to control systems or data and threaten to do harm with them.

Third-party liabilities involve client losses from compromised or misused data (for example, as in identity theft) and lawsuit judgments for those harmed by denial-of-service attacks and viruses sent out over your system.

If you are interested in cyberinsurance, you should first review your current coverage. Are you spending too much on traditional plans, such as property and errors and omissions coverage, when more of your firm's worth resides in unprotected data?

If so, you need to understand what your data is worth to you and how much you could lose from a computer disaster. Insurance costs money, so calculate the potential income loss first; that figure lets you make more informed decisions about coverage.

Ultimately, the greatest loss may be in client confidence and resulting disciplinary action by your bar association.
