Cyber Security for Law Firms


Cyber attacks are not just for large corporations anymore – 43% of cyber attacks target small businesses, including law firms. With less than 15% of this population rating itself as “prepared”, cybercriminals are shifting their focus to these firms. Symantec’s 2016 Internet Security Threat Report highlighted that phishing campaigns launched by cyber criminals this year specifically targeted small businesses with fewer than 250 workers 43 percent of the time.

60% of small businesses, including law firms, go out of business within six months of a cyber attack

For smaller law firms, recovery may be nearly impossible if you are a data breach victim. Last year alone, cyber criminals launched 430 million new types of malware out into the world. These attacks increased to 31% in 2016 from a mere 18% in 2014. With the cost of recovery from SMB data breaches ranging between $36,000 and $50,000, most cases lead to the shutdown of the business.

Law Firms Often Easy Picking for Hackers

Law firms are currently under siege from clever cybercriminals on the hunt for a wide variety of enticing and lucrative data, including:

  • Sensitive information about the finances of all clients, including corporate clients.
  • Documents providing details about confidential corporate agreements.
  • Information related to patented intellectual property.
  • Key evidence in large-scale litigation.
  • Emails describing private details of the personal and professional lives of clients.

What’s more, this highly confidential and private data is readily available on the devices and computer networks of virtually all law firms, usually conveniently labeled in folders and directories, all ripe for the picking.

I Know I Need It, But How Much Do I Need?

How much coverage does your firm really need? The answer to this question, like many asked in the legal industry, is “it depends.”

The amount of cyber liability coverage that is necessary varies from firm to firm, and is typically based upon:
  • Firm size, in relation to the number of employees and clients
  • The type and the amount of client “confidential information” the firm has care, custody and control of
  • Any contractual requirements requesting the firm to have Cyber Liability coverage in place
  • Practice areas

Law firms spend a large amount of time, effort, and money protecting their clients’ interests, but one often-overlooked area involves protecting their clients’ confidential or proprietary electronic data subject to cyber breach.

Here are 5 exposures that should be considered by law firms seeking to purchase or renew a cyber security policy:

  1. First party and third party coverage. There are generally two categories of risk and potential liability for data breaches:
    • First party risks - potential costs for loss of or damage to the firm’s own data due to a cyber attack.
    • Third party risks - the policyholder’s potential liability to clients, government, or regulatory entities resulting from a data breach.
    Optimal cyber liability insurance contains coverage for both first and third party claims.
  2. Unencrypted device protection. Contemporary lawyers do most of their work on computers, much of the time outside of the office. This creates a significant potential for cyber security claims from the theft or loss of unencrypted devices such as laptops or flash drives that contain confidential or proprietary client information.
  3. Information in the control of third parties. Although law firms may take every precaution possible to protect data in the firm’s own electronic system, some policies do not provide protection for data breaches that occur when confidential information is in the hands of third parties like copy vendors or litigation support companies.
  4. Data restoration costs. Many cyber security policies do not cover costs to replace, upgrade, update, improve, or maintain a computer system that was breached. Data restoration costs can be extremely prohibitive, and any law firm that runs the risk of a data breach should ensure that its cyber liability coverage would reimburse the firm for data recovery costs.
  5. Payment card industry liability. A growing number of law firms now accept payments by credit card, making them more of a target for hackers. If a data breach is tracked back to your law firm, you may face liability for a breach imposed via the payment card industry; some cyber liability insurance policies provide coverage for such liability.

Now is The Time to Get Covered

Lack of knowledge and awareness about the cyber risks they face and the potential impact of an attack has kept many law firms from purchasing cyber liability insurance policies. Some believe they have adequate coverage for cyber risks under their firm’s current insurance policies, but other types of insurance policies with add-on endorsements often offer only a minimal amount of cyber coverage compared to a dedicated cyber liability insurance policy.

While LPL insurance affords some coverage for cyber liability risks, there are limitations to the coverage provided by a law firm’s LPL policy. To trigger coverage under the law firm’s LPL policy, there must be an alleged "wrongful act" in the conduct of legal services (usually a negligence trigger). Law firms could, however, be liable for data or network security breaches even in the absence of a wrongful act, and the incident will not always be in connection with the provision of legal services for others (a breach of employee information, for instance).

Shifting your coverage to a dedicated Cyber Liability insurance policy offers several distinct advantages. Additionally, a dedicated Cyber Liability insurance policy helps not only in response to a breach but in prevention of one as well.

To learn more about data breach and our cyber liability coverage offerings, contact Sal Johnson at USI Affinity today at 610-537-1361.

Allegheny County Bar Foundation Lawyer Referral Service