Every law firm, regardless of size, holds a tremendous amount of sensitive and confidential data: information about clients, partners, employees, and even adversaries. If any of this data is lost or stolen, the firm may be held liable for notification costs and possibly credit monitoring costs – and this is true even if there is no evidence that the compromised information has been used illegally! Add to this the impact on the firm’s reputation and the cost of IT forensics to locate and correct the problem, and the potential costs are clearly staggering.
Of course, lawyers are required to maintain client confidentiality. If any of the compromised information is privileged, it could put the outcome of pending matters at risk, or even draw the attention of courts and disciplinary committees.
So, what about the firm’s professional liability policy; won’t this provide coverage? Under certain, narrow circumstances, it could, but only if the data breach arose from the firm’s “professional services” as defined in the policy. Much of the data held by firms, such as employee/payroll data or any other information not directly related to the practice of law, is unrelated to any “professional services”. And what about claims brought against the firm by third parties who are not now, and never have been, clients? Lawyers professional liability insurance is designed to protect against claims of legal malpractice, not data breach. Any lawyer or law firm that is depending upon its LPL coverage for this rapidly growing and rapidly evolving exposure is taking a huge gamble!
Another common misconception is that the risk of a cyber attack or data breach lies outside of the firm, with professional or amateur “hackers”. While it is true that such individuals do exist, the fact is that a law firm is far more likely to have its IT systems or paper data files compromised by someone inside the firm. It could be malicious, such as a disgruntled current or former employee, or maybe a self-appointed “whistleblower”. It is just as likely to be due to human error or carelessness: a computer virus introduced via an infected email, paper files improperly disposed of, or even a laptop or smartphone left in a restaurant or in the back of a taxi.
The exposure is real, and it is growing – fast!