Bar News - August 20, 2014
Does Your Professional Liability Policy Cover Security Breaches?
By: Christopher D. Hawkins
Information security has become a hot topic in the business and legal communities. Attorneys frequently handle confidential and proprietary client information, and are subject to a variety of federal, state, and ethical obligations to keep that information secure from unauthorized access and dissemination.
Professional liability carriers recognize this evolving risk and have developed policy provisions to provide some protection against security breach claims, as well as limit their own risk.
Common Data Security Risks
Data security risks spring from many different sources. One of the most common sources is insufficient file disposal (both paper and electronic). Stories have appeared in the media of client medical and financial records being retrieved from dumpsters or landfills, and law firm computers containing client social security numbers turning up in pawn shops.
Another common source is loss of electronic devices containing sensitive client information. For example, in 2006 a laptop containing personal information of millions of veterans was stolen from a VA data analyst, although it was later recovered with the data apparently intact.
A third source of risk is intentional or negligent misuse of legitimate credentials. In December 2010, Experian reported to the New Hampshire Attorney General’s Office that the legitimate credentials of a law firm had been used to download an unspecified number of consumer credit reports.
The standard provisions of professional liability insurance generally available in New Hampshire cover attorneys for damages incurred in connection with privacy injuries and unauthorized access to client confidential commercial information that occurred in the rendering of legal services.
This generally means the firm is covered for any damages resulting from unauthorized access to an individual’s name, address, telephone number, social security number, and bank or credit card account information resulting from the firm’s negligence, failure to comply with its own data security policy, or applicable state or federal law. Coverage does not extend, however, to statutory fines or penalties incurred on account of the breach, or the multiplied portion of multiplied awards.
Firms are also covered for damages incurred on account of unauthorized access to any confidential commercial information covered by a confidentiality agreement. These provisions encompass unauthorized access both to electronic files and paper documents.
The policy covers the attorneys’ fees, costs, and court costs incurred in connection with a regulatory inquiry into a privacy injury. A regulatory inquiry is an investigation into an actual or alleged violation of a privacy breach notification law, or any law, such as HIPAA, relating to a breach of privacy. For example, a violation of the New Hampshire data security statutes, e.g., RSA 332-I (use and disclosure of medical records) or RSA 359-C:19-21 (notice of information security breach), must be reported to the attorney general’s office. If the attorney general’s office launches an investigation, the policy will cover the firm’s costs of other counsel incurred while responding to the investigation, but only up to a limited specified amount, typically $20,000 or $25,000.
The policy covers client network data claims, which include a demand or suit for money or services alleging that a security breach or computer virus damaged a client’s computer network. Damage to the network excludes physical damage, but includes an unscheduled inability of an authorized user to access the system, the transmission of a computer virus to another network, the deletion or alteration of data on the other network, or the suspension or interruption of any network. This may include a suspension or interruption resulting from a denial-of-service attack against another network carried out using the firm’s systems.
What’s Not Covered
A firm faced with a data breach issue, particularly a breach resulting from a third-party electronic hacking event, will likely incur significant expense in the course of investigating the source, nature, and extent of the breach, and implementing remedial measures.
The firm may also wish to employ public relations consultants to help develop a communication strategy with respect to the likely publicity associated with a substantial breach event. Such costs are outside the scope of crisis management costs generally covered by the lawyer’s professional liability policy.
A data security breach may trigger notification obligations under applicable law (e.g., RSA 359-C:19-21; Mass. Gen. Laws 93H-1; Me. Rev. Stat. title 10, sec. 1347, et seq.). The costs of complying with those requirements, which may require individual letters to dozens or even hundreds of clients, and/or publication of the breach in news media outlets, are outside the scope of the policy.
The policy covers only attorneys’ fees and attorneys’ costs associated with investigations by regulatory agencies or licensing boards, and only up to a limited amount, typically $20,000 - $25,000.
A cyber-liability policy, by contrast, will cover the costs of forensic computer specialists, public relations consultants, notification costs, and associated attorneys’ fees, up to the limit of the policy.
Next Steps to Consider
Any insurance or risk management effort must arise from awareness of the potential risks so commensurate preventative steps can be taken. The risk of a data security breach depends on a number of factors, including existing policies and procedures relating to the confidentiality, accessibility, and security of sensitive information in the firm, and the extent to which the firm follows those policies in practice.
An understanding of the steps involved, along with the attendant costs of identifying, investigating, remediating, and reporting a data security breach is advisable, as well as a clear understanding of the nature and extent of available insurance coverage relative to those costs. Law firms, as repositories of sensitive personal and business information, must be increasingly attuned to the rapidly developing risks of data security, and should carefully examine their policies and insurance coverage to ensure those risks are adequately addressed.
Christopher Hawkins practices in the areas of professional liability defense at Nelson Kinder & Mosseau in Manchester.