IS YOUR FIRM’S SENSITIVE DATA SECURE? REALLY? Data Breach/Cyber Liability Issues for Law Firms

Every law firm, regardless of size, holds a tremendous amount of sensitive and confidential data. Information about clients, partners, employees, indeed even adversaries. If any of this data is lost or stolen, the firm may be held liable for notification costs, possibly credit monitoring costs – and this is true even if there is no evidence that the compromised information has been used illegally! Add to this the impact on the firm’s reputation, and the cost of IT forensics to locate and correct the problem, and the potential costs are clearly staggering.

Of course lawyers are required to maintain client confidentiality. If any of the compromised information is priviledged, it could put the outcome of pending matters at risk, or even draw the attention of courts and disciplinary committees.

So, what about the firm’s professional liability policy; won’t this provide coverage? Under certain, narrow circumstances, it could, but only if the data breach arose from the firm’s “professional services” as defined in the policy. Much of the data held by firms is unrelated to any “professional services” such as employee/payroll data, or any other information not directly related to the practice of law. And, what about claims brought against the firm by third parties, who are not now, nor have they ever been clients? Lawyers professional liability insurance is designed to protect against claims of legal malpractice, not data breach. Any lawyer or law firm that is depending upon their LPL coverage for this rapidly growing, and rapidly evolving exposure is taking a huge gamble!

Another common misconception is that the risk of a cyber attack or data breach lies outside of the firm; whether from professional or amateur “hackers”. While it is true that such individuals do exist, the fact is that a law firm is far more likely to have their IT systems or the paper data files compromised by someone inside the firm. It could be malicious, such as a disgruntled current or former employee, or maybe a self-appointed “whistleblower”. It is just as likely to be due to human error or carelessness. A computer virus introduced via an infected email, or paper files improperly disposed of, or even a laptop or smartphone left in a restaurant or in the back of a taxi.

The exposure is real, and it is growing – fast!

OF COUNSEL ATTORNEYS: The pros, the cons, and the pitfalls

First of all, let’s define what we mean by “Of Counsel”. A-HA! Trick question . . . there is no consistent definition of the term. It can mean a whole bunch of different things, which is both good and bad. Sometimes an OC relationship reflects a retired or semi-retired partner, who is no longer participating in the firm’s overall profits, but my still be practicing some or maintaining client relationships; sometimes with an office and sometimes not.

An OC relationship is often used for a “honeymoon” period when a prospective partner is brought onboard. This gives everyone some time to see if there is a good fit with the firm’s culture and business style before the new attorney formally becomes a member or shareholder of the firm.

A very common reason for an OC relationship is when two or more attorneys, with separate practices, share each others’ expertise. As an example let’s say that attorney “A” is a trust & estates lawyer, but when he or she needs very technical tax advise, he or she turns to attorney “B” who is an expert in taxation. In a situation such as this, both “A” and “B” may be shown on each others’ letterheads as OC to each firm.

Problems can arise, however, when the number of OC’s is too high, relative to the number of firm principals and associates. I have dealt on several occasions with small firms that have letterhead showing only 1 or 2 attorneys, but 4, 5 or more OC’s. Understandably, the objective here is to make it appear that the small firm is bigger than it really is. Unfortunately, this also gets the attention of underwriters – and not in a good way! If an underwriter is being asked to underwrite and price a solo or 2-attorney firm, but there are a total of 5, 6, 7 or more attorney names on the letterhead, the underwriter is going to start asking questions, specifically:

  1. What is the precise nature of the OC relationship(s)?
  2. Does each OC have their own practice?
  3. Does each OC carry their own malpractice insurance?
  4. How many hours per year does each OC practice through and on behalf of the applicant firm?
  5. Does the OC’s areas-of-practice differ from that of the applicant firm?

As a general rule – keeping in mind that every carrier’s policy form is different, and you must read your policy to be sure what it says – most LPL insurance policies automatically cover an OC attorney, but only for work done through and on behalf of the insured firm.  Anything that the OC does on his or her own, and under his or her own name or that of a different firm is rarely, if ever, covered.  So, the greater the number of hours, the higher the exposure to a malpractice claim.  In fact, it’s not what a firm calls an attorney (Of Counsel, Associate, Member, Partner, Staff Attorney, or whatever) that drives pricing, but rather the number of hours practiced for the firm.

The concern when an OC attorney does not maintain his or her own LPL insurance coverage is that in the event that this attorney handles a matter on their own, and as a result a malpractice claim is made, that they may be an attempt to reach the firm’s coverage if the OC attorney has none.  Essentially, a hunt for deep pockets.  It probably will not be successful, since a retainer agreement and other correspondence should make it clear where privity lies, but in successfully disclaiming coverage the insurance carrier will end up spending money to litigate the issue.  This isn’t some abstract idea – I have had to deal with this exact scenario.

So, the greater the number of OC attorneys, particularly in a small firm, the greater the potential exposure to malpractice claims.  The small firm wants to be rated and priced as a small firm, but the underwriter must be sure that this pricing is both accurate and adequate.

One last point when it comes to OC attorneys, I recently reviewed the coverage for a solo attorney, who told me that she was practicing as OC to a larger firm, and that she was therefore covered under the firm’s policy (for which she was paying the firm a considerable sum each year).  As it turned out, for the past 5 years, this attorney had been retained by clients under her own name, she was using her own letterhead, and nowhere did the name of the firm ever appear.  A very quick read of the policy confirmed what I feared – that this solo attorney had been paying for non-existent coverage for 5 years.  The policy language was very clear on this point.  When the attorney inquired about this with the firm, she was apparently told that this could not possibly be the case, and besides if the firm agrees to cover her, then she is covered.  Wrong.  The firm had no ability to unilaterally change or expand the scope of coverage provided by their insurance policy.  Had a claim arisen, the policy would have responded exactly as it was written.  Unless the OC’s work was done through and on behalf of the firm, there is no coverage.  Regrettably, the solo and the firm are now engaged in a dispute over the thousands of dollars that the solo paid to the firm over the 5 year period, for coverage that never existed.  Read your policy, folks, read your policy!

The bottom line here is the OC relationships can be useful, but care should be taken when agreeing to such relationships so that all parties are fully aware of what each is gaining from the relationship, as well as the potential problems that can arise.

If you’d prefer, you can call me directly by dialing my toll-free contact number, 877-B-SWICKER (877-279-4253).

LET’S START WITH THE BASICS: Claims Made vs. Occurrence Form Coverage

Most professional liability insurance policies – whether for lawyers or anyone else – are written on a claims-made policy form. Thus it is critically important that the policyholder understands what this means and how it affects coverage.

First of all, let’s discuss the difference between claims-made and occurrence coverage. Your homeowners’ insurance policy is almost certainly written on an occurrence form basis. Let us say that your homeowners’ coverage is with State Mutual Insurance Co. and you invite me over for dinner tonight. On my way out, I trip on some loose bricks in your front walkway, and I fall and break my wrist. Naturally, you offer to drive me to the emergency room, but I assure you that I am OK, and that I can drive myself, which I do. Regardless of what may or may not happen; whether I decide to sue you or not, it is clear that something potentially bad has occurred tonight.

Let us now say that a month from now your State Mutual policy is up for renewal. You shop around and find a better deal with County Indemnity Co., and you switch your coverage to County Indemnity. Two months after that, however, I decide to retain an attorney and you get a demand letter advising you to put your homeowners insurance carrier on-notice. The carrier who must be put on-notice is State Mutual, since they provided coverage at the time of the incident. Even if you had decided to renew your State Mutual coverage, it would technically be the policy period during which the incident took place that would respond to the claim. Even if you had sold the home in the interim and cancelled coverage, you would still be entitled to defense & indemnification under the State Mutual policy, since it was in force when the incident occurred.

With claims-made coverage, it is 180 degrees different. Let us say that your firm – insured against malpractice by LPL Indemnity Co. – handles a real estate closing today. Unbeknownst to anyone at the closing table there is a defect in the title. The transaction closes, and everyone goes their separate ways, apparently happy. A couple of months later, your firm’s professional liability policy is up for renewal and a decision is made to switch coverage to Legal Malpractice Insurance Co. A year after that the property owner tries to refinance and during the course of running title, the defect is discovered, which prevents the refinance. A claim is now made against both the title company and your firm as the closing agent, and maybe the title agent as well. Here is where the critical difference between claims-made coverage and occurrence coverage comes into play.

Your firm was first formed in September of 2007, and the malpractice insurance was first bound on 12/15/2007. This date is the firm’s “retroactive coverage” or “prior acts” date. Each year, upon renewal, this date must be maintained in order to preserve continuous coverage. Thus, when you moved your coverage from LPL Indemnity to Legal Malpractice Insurance, you and your broker took care to ensure that the new policy reflected the 12/15/2007 date. So, in this case, since you were unaware of the problem from last year’s closing, you would report the claim to your present insurance company, Legal Malpractice Insurance, even though LPL Indemnity’s policy was in force when the closing took place. Thus with a claims-made policy, you report a claim to the policy in force when a claim is made.

Now, while the basic concept is relatively simple to understand, claims-made coverage presents a number of potential pitfalls that can result in an unintended – and potentially very serious – gap in coverage. In simple terms, claims-made coverage must be in force at two separate points along the timeline. First, coverage must be in force when the events or circumstances that ultimately give rise to the claim take place and, second, coverage must be in force when the insured becomes aware of the claim or the potential for a claim. If coverage is not in force on either or both dates, there is no coverage. Thus, it is very important that an insured law firm and their broker take care to properly preserve the retroactive coverage date for the firm, as well as for any individual attorney that subsequently joins the firm. This is true when renewing coverage with the incumbent carrier as well as when moving coverage to a new carrier.

If you’d prefer, you can call me directly by dialing my toll-free contact number, 877-B-SWICKER (877-279-4253).


Get every new post delivered to your Inbox.