FBI’s look at electronic espionage uncovers law firms’ lack of data security
Investigation into the rise in electronic economic espionage against U.S. corporations has recently shined a spotlight on law firms’ data security. The Federal Bureau of Investigation (FBI) found that many law firms are targeted by hackers seeking to gather information not on the firm itself, but on the firm’s clients. FBI officials say that law firms’ systems and controls were much less secure than those of their clients, meaning hackers accessed proprietary, confidential and sensitive client information stored on the firms’ servers.
Data security varies dramatically from one firm to the next, but with the recent affirmation that cyber-attacks targeting law firms are on the rise, security should be at the forefront of discussions amongst firms’ management teams. Managing partners and executive committees need to drive a culture of security from the top down by instituting controls, much like their corporate clients. They also should move away from open, less secure networks and instead opt for more controls and access restrictions in order to improve security.
Stroz Friedberg, a digital risk consultancy firm in New York, offers several suggestions for protecting client information, including securing email, using complex passwords, logging access to client data, restricting access to data and training firm employees to recognize phishing.
Many firms feel that if their systems are compromised, they will have protections from their malpractice insurance coverage, since data that is breached is data that was acquired in the course of providing professional services to their clients and should therefore be covered. But most insurers’ policy forms are silent when it comes to coverage for data breaches. Consequently, with the rise of hacking incidents the question becomes one of limit management: Do you want to take the chance that such a loss will not be covered and thereby expose the firm to financial loss? Alternatively, if the loss is covered, is that a “good” thing? Any claim paid under the malpractice policy reduces the sum (limit) available should a complaint arise for actual negligence.
Cost is another reason to consider securing specific coverage for data breaches. Cyber coverage, which is less expensive than malpractice insurance, allows the firm to allocate its available resources and maximize the value for its money. If you would like to learn more about coverage for data breaches, please contact our Professional Services Practice.
About the Author
Lynne Ahearn is Senior Vice President at WGA, working with clients to provide innovative risk management and insurance advice to the Professional Services sector.