Cyberinsurance Claims to Cover Data Security Risks

Reprinted from Aderant Expert, October 8, 2007

The harms that can result from computer security breaches are largely uncovered by the types of insurance policies most law firms maintain. Combined with the inadequate security most law firms provide for client data, the resultant risk exposure arguably violates legal professional ethics. A firm's failure to adequately protect computer-based master files, time-and-billing records, court filings, wills, powers of attorney, corporate records and other client-related materials is a violation of bar association requirements to preserve client files and more generally a failure in the firm's overall duty to act competently in the best interests of its clients.

Types of Exposure

Computer security breaches can have a first-party impact (on the firm itself) and a third-party impact (on clients). For example, an unauthorized system access that damages data or online services may render the firm itself inoperable. (Even this scenario may also lead to a third-party loss to clients if they rely on the firm's extranet for aspects of their own business operations.)

Typical examples of third-party harms are identity theft and invasion of clients' privacy. Yet another area of exposure is Web site content and the infringement of a third party's intellectual property. A hacker could access the system to grab control of an e-mail database or client mailing list. The hacker could also hijack the firm's system to send out damaging malicious code such as computer viruses or worms.

When a third party is harmed and the firm is allegedly responsible, of course, a lawsuit will likely be filed.

Many insurers simply don't provide coverage for these unique exposures, or they take a band-aid approach by providing endorsements to their traditional property, fidelity or professional liability insurance policies.


The most effective way to provide relatively comprehensive coverage for computer disasters is through cyberinsurance, a specialized form of computer insurance that organizations such as American International Group, Chubb, and Lloyd's of London have offered since the late 1990s.

An effective cyberinsurance policy can handle both first-party losses and any third-party liabilities that a firm faces in a computer security disaster. Typical coverages include the following:

  • First-party business interruption covers revenue lost during system downtime caused by accidents and security breaches. Losses during catastrophic regional power outages are typically excluded, however, similar to standard exclusions for floods or other "acts of God."

  • First-party electronic data damage covers recovery costs associated with compromised data such as those caused by virus infections.

  • First-party extortion covers ransom demands of hackers who claim to control systems or data and threaten to do serious harm.

  • Third-party network security liability covers losses associated with the compromise and misuse of data for such purposes as identity theft and credit card fraud.

  • Third-party (downstream) network liability covers judgments from lawsuits initiated by those harmed by denial-of-service attacks and viruses sent out over the firm's system.

  • Third-party media liability covers infringement and liability costs associated with Internet publishing, including Web sites, e-mail and other interactive online communication.

Purchase Options

Cyberinsurance usually costs more than conventional liability or business interruption insurance. Unlike traditional insurance policies, cyberinsurance has no standard "scoring system" or actuarial tables for pricing premiums. Each insurance company has its own way of grading customers, with methods varying according to the type of insurance. Before insurers provide a cyberinsurance policy quote, they usually require potential purchasers to fill out a questionnaire detailing the steps already implemented to ensure computer security -- firewalls, laptop computer encryption, anti-virus protection and similar common-sense steps that all firms should take.

A desire to buy cyberinsurance is no guarantee that a carrier will sell coverage. Industry estimates are that about 10 percent of applicants are turned down, and around 25 percent pay higher premiums or have coverage restrictions because they don't have adequate data security procedures in place. Some insurers require verification of safeguards by an outside data security firm, much as they require a doctor's physical before granting a life insurance policy.

The costs of cyberinsurance vary substantially. A June 2007 Computerworld assessment by Lamont Wood quotes two insurance executives as saying that policies could cost anywhere from $7,500 to $20,000 per million dollars of coverage. An insurance broker noted that costs for his company's network-risk policies ($10,000 to $20,000 per million dollars of coverage) would double if coverage were added for professional services Errors & Omissions. Wood further quotes an exasperated customer who asked five insurers to bid on identical coverage and received quotes ranging from $16,000 per year to $70,000.

Purchase Strategies

Any firm interested in cyberinsurance should first review its current liability coverage. Ask whether too much is being spent on traditional plans such as property and errors-and-omissions coverage when more of the firm's worth resides in unprotected data.

Itemize those aspects of firm operations that would be affected by a data security disaster and attempt to quantify how much loss could result -- particularly in third-party litigation.

Be sure that data security policies and procedures will pass scrutiny before attempting to purchase a policy.

Get multiple cyberinsurance policy quotes. It's estimated that up to 20 companies now offer some kind of coverage. Compare policies carefully to determine what they cover and exclude.
