CyberSecurity for Law Firms

CyberSecurity for Law Firms Cracking the Cyber Code: Recent Headlines, Reinforcing the Need and Response Planning July 16, 2013

Making the Case. Presenters: Matthew Magner, Senior Underwriting Officer, Chubb & Son, a division of Federal Insurance Company; Leah Montgomery, Asst. Vice President, Cyber Security Specialist, Chubb & Son, a division of Federal Insurance Company; Brian Lapidus, Managing Director, InfoSec Practice Leader, Kroll Advisory Solutions.

Agenda: What is the Cyber Exposure? Recent Headlines Reinforcing the Need for Coverage; Coverage Considerations; Risk Management; Response Planning; Questions.

DISCLAIMER. Chubb refers to the insurers of the Chubb Group of Insurance Companies. This presentation is for informational purposes only. The information provided should not be relied on as legal advice or a definitive statement of the law in any jurisdiction. For such advice, an applicant, insured, listener or reader should consult their own legal counsel. Actual coverage is subject to the language of the policies issued. Chubb, Box 1615, Warren, NJ 07061-1615

The Cyber Exposure and Law Firms. The technology and the amount of confidential data that a law firm relies upon to conduct its business can also significantly increase its vulnerability to cyber security threats, any of which can result in significant out-of-pocket and reputational costs that can devastate the bottom line.

What Is A Data Breach? Unintended disclosure of personal or confidential information, whether through hacking, rogue employees, negligence, or 3rd party vendors.

The Cyber Challenge Facing the Legal Profession (Law Practice Today, April 2013). Laurel Bellows, ABA President: "Cyber-attacks are happening thousands of times a day, and some of the most vulnerable targets are law firms, which hold significant amounts of client information and serve as gates to their clients. Small law firms, in particular, have become cyber criminals' latest victims." The focus of attacks has shifted from server rooms and data centers to the space occupied between the desktop and the chair: attorneys, paralegals and administrative assistants.

Lawyers Get Vigilant on Cybersecurity (Wall Street Journal, June 24, 2012). "Current and former law enforcement officials say cyber attacks against law firms are on the rise"; "many law firms may not be aware that they were hacked until [an] agent shows up on their doorstep"; "the weakest links at law firms of any size are often their own employees."

Chinese Superspies Have Hacked Most Washington Institutions, Experts Say (The Washington Post, February 20, 2013). "Law firms, think tanks, newspapers: if there's something of interest, you should assume you've been penetrated." Mandiant: a Chinese military unit is allegedly responsible for the theft of hundreds of terabytes of data from 141 organizations in 20 industries in the United States and around the world.

Law Firm, Police Hit By Hack Attacks; Lawyer Cell Phone Records Reportedly Accessed (ABA Journal Law News Now, Feb. 7, 2012). A Virginia law firm's network was hacked by Anonymous through its website and sensitive client data was published on YouTube.com. The firm's website was replaced with a hip-hop video. The network was off-line for days, with the firm ultimately ceasing operations. Many hacked e-mails had documents attached and were published on Wikileaks.

Three Indicted for Hacking Into Law Firm's Computer System (Pittsburgh Post-Gazette, June 27, 2012). A laid-off employee at an unnamed law firm, her husband, and another accomplice allegedly hacked into the computer system at the law firm and installed malware to capture the passwords of anyone on the firm's network. Breached information included the personal financial information of the law firm's employees.

Park Sterling Bank Suing Law Firm After Fraudulent Wire Transfer (Charlotte Observer, April 3, 2013). Using e-mails, hackers were able to install a keylogger on a law firm's computer. After figuring out the law firm's online banking passwords, the hackers directed Park Sterling to send a $336,600.01 transfer through JP Morgan Chase & Co. to a Konstantin Pomogalove in Moscow. The bank initially refunded the money, then demanded it back.

Outside Law Firm Cybersecurity Under Scrutiny (Corporate Counsel, June 6, 2013). Regulators, such as the Office of the Comptroller of the Currency, which oversees financial institutions, have been focusing on law firms. In response, banks are auditing the information security of their outside law firms.

Breach Related Expenses fall into four categories: Notification, Public Relations, Forensics and Legal. Typical items: crafting the letter or other notification; printing or design; mailing or other transmission; advertising and press releases; call center operations; other services for affected persons, such as credit monitoring; legal expenses for an outside attorney; cost of the forensic examination; cost to remediate discovered vulnerabilities; response to claims or suits; payment of judgments or settlements.

Direct Breach Costs By Activity

Activity                          Percent   Dollars per record
Investigation & Forensics           12%       $23
Outbound Contact                     5%        $9
Inbound Contact                      5%        $9
Public Relations/Communications      1%        $2
Legal Services - Compliance          4%        $8
Free or Discounted Services          1%        $2
Identity Protection Services         4%        $7
Total Direct Costs Per Record       32%       $60
TOTAL COST PER RECORD              100%      $188

Source: 2012 Annual Study: Cost of a Data Breach; Ponemon Institute, LLC, May 2013.

Where's The Coverage? ISO Commercial Property? Commercial Crime Form? General Liability Policy? Professional Liability Policy?

ISO Commercial Property: Electronic Data Covered Causes of Loss are extended to include a virus, but coverage is limited because the data must be destroyed or corrupted.

ISO Commercial Crime Exclusion

What about CGL or LPL Coverage? General Liability Insurance addresses only physical injury to persons or tangible property, as well as the Insured's liability arising from the publication of material that violates a person's right to privacy; it may be further restricted by several exclusions. Professional Liability Insurance may be limited by the description of Professional Services or by exclusions for Invasion of Privacy. LPL is only a liability contract.

How Policies Can Overlap. Cybersecurity Policy: Privacy Notification & Crisis Management Expenses; Cyber Liability (Privacy Injury). Lawyers Professional Liability Policy: Data Breach Notification & Mitigation Costs; Defense Expenses & Possible Damages; Breach of Employee Data.

CyberSecurity For Law Firms, coverage elements for one breach: Lawyers Professional Liability Policy; Cyber Liability (Privacy Injury); Privacy Notification & Crisis Management Expense; E-Business Interruption & Extra Expense; E-Threat Expense; E-Vandalism Expense.

Does the Policy Address: negligent release of information? Lost laptops and other mobile devices? Access to information in non-electronic form? A data breach caused by a rogue employee? Access to information other than over the Internet? Access to information residing on an outsourced system anywhere (outsourcers, new technology, cloud computing)?

Crisis Management Coverage Considerations. Notification Expenses: when required by law or on a voluntary basis. Credit Monitoring Expenses: for a stipulated period of time and/or under specified circumstances; is healthcare monitoring included? Are you forced to use one vendor? Crisis Management Expenses: include expenses related to legal analysis, as well as public relations.

Watch for Policy Limitations. Some policies exclude coverage for claims related to the Insured's failure to maintain or upgrade their security! Some policies exclude coverage for claims alleging fraudulent or malicious acts by employees! Some policies may not cover various types of computer devices. Some policies exclude claims alleging unfair and deceptive trade practices. Is there defense of regulatory suits and/or coverage for fines and penalties?

Law Firm Specific Considerations. Does Business Income include billable hours or fees, if necessary? Can the liability portion of the Cyber policy be tailored to dovetail with the LPL? Difference in Conditions: first-party coverage remains primary.

Incident Response Planning: A Primer. Deter: unless there is an investigative reason for permitting an intrusion to continue, steps should be put into place to deter and prevent another (or continuing) intrusion. Detect: at the same time the enterprise takes steps to deter problems, it must simultaneously assume that its perimeter security will be breached, or that existing intrusions are already there and need to be detected; in a nutshell, detection is monitoring the network. Respond: when a problem is detected, incident response must respond. Remediate: based on the type of incident and the depth of penetration, remediation events (e.g., swapping out hardware, rebuilding bastions, re-engineering the network architecture) may be required.

Incident Response Planning: Creating an IRT. Establish an Incident Response Team. Mission: prevent and minimize any detrimental effects to staff, partners, and stakeholders, and thereby prevent a serious loss of profits and public confidence. The team will provide an immediate, comprehensive, effective, and skillful response to any unexpected data loss event involving information, information systems, networks, or databases. It is comprised of senior leadership who have been authorized to take the steps deemed necessary to contain, mitigate and resolve a data security event. Develop policies, procedures and training to ensure that the entire team is prepared for these events. Establish a communication protocol for communicating with stakeholders, employees and customers (and media as appropriate) when these issues occur.

Incident Response Team: Key Responsibilities

Incident Response Planning: Train Staff on Safeguarding PII. Training: documented plans, conducted training, and tested procedures in advance will allow staff members to efficiently coordinate activities when responding to an incident. This gives the ability to exercise procedures and eliminate potential errors or omissions in advance of an incident. This training should include the following: how to identify when a loss of PII has occurred; the actions they need to take to report a suspected incident, including who to notify, how (e.g., web, email, phone), and what information they should report; how to use incident response tools and environments based on their roles and responsibilities; how to communicate appropriately with the news media, including forwarding inquiries to public relations staff.

Incident Response Planning: Conduct Drills for the IRT. Practice: having a completed and implemented incident response plan does not necessarily mean it will lead to an effective recovery when utilized, or that staff fully understand their tasks and responsibilities in a recovery situation. Only through repeated and continuous testing can an organization be assured that the plan will work as designed and that personnel will know what to do. Run drills twice a year at a minimum, focusing on the coordination, integration and interaction of an organization's policies, procedures, roles and responsibilities; ensure that the IRT is comfortable in their respective roles and knows what they need to do to ensure a smooth response.

When a data breach happens

Questions