Page 1: CyberSecurity for Law Firms A Discussion of the Cyber Exposure, Coverage and Loss Prevention Matthew Magner October 25, 2012.

CyberSecurity for Law Firms
A Discussion of the Cyber Exposure, Coverage and Loss Prevention

Matthew Magner
October 25, 2012

Page 2

Agenda

• What is the Cyber Exposure?
• Ripped from the Headlines
• Loss Scenarios
• Federal and State Regulation
• Breach Related Expenses and Costs
• Risk Management
• Coverage Gaps and Overlaps
• Questions

Page 3

DISCLAIMER….

Chubb refers to the insurers of the Chubb Group of Insurance Companies. This presentation is for informational purposes only. The information provided should not be relied on as legal advice or a definitive statement of the law in any jurisdiction. For such advice, an applicant, insured, listener or reader should consult their own legal counsel. Actual coverage is subject to the language of the policies issued. Chubb, Box 1615, Warren, NJ 07061-1615

Claudine R Tucci
Page 4

The Cyber Exposure and Law Firms

The technology and amount of confidential data that a law firm relies upon to conduct its business can also significantly increase its vulnerability to cyber security threats – any of which can result in significant out-of-pocket and reputational costs that can devastate the bottom line.

Page 5

The Cyber Exposure and Law Firms

• A lawyer has a duty of privacy and confidentiality to his or her client.

• While the Lawyers Professional Liability policy may address some risk regarding this duty, there are additional risks – and costs – firms may face today.

• This presentation reviews those risks, costs, risk mitigation and potential insurance protection.

Page 6

What Is A Data Breach

• Unauthorized access to protected information
– Hacking
– Rogue Employees
– Negligence
– 3rd Party Vendors

Page 7

What Information is at Risk of a Breach?

• Personally Identifiable Information (“PII”)
– Generally, a person’s name in combination with their social security number, driver’s license number, financial account number, credit/debit card or other payment card number, information related to their employment or individually identifiable health information pursuant to HIPAA.

• An organization’s non-public information

Page 8

Where are the threats?

• Lost or stolen laptops and computers
• Lost or stolen mobile devices
• Poor passwords
• Disposal of obsolete data
• Hackers
• Employees/Vendors stealing information
• Social Engineering
• The “Cloud” or data aggregators

Page 9

“Lawyers Get Vigilant on Cybersecurity.” Wall Street Journal, June 24, 2012.

• “… current and former law enforcement officials say cyberattacks against law firms are on the rise…”

• “… many law firms may not be aware that they were hacked until [an] agent shows up on their doorstep…”

• “… the weakest links at law firms of any size are often their own employees…”

Page 10

“China-Based Hackers Target Law Firms to Get Secret Deal Data.” Bloomberg, Jan. 31, 2012.

• Seven law firms cyber-attacked in 2010 in an attempt to derail a large acquisition and acquire trade secrets.

• Law firms increasingly threatened with loss of client business if they can’t show improved security as such attacks continue to increase.

• 200 law firms met with the FBI to discuss the rising number of law firm intrusions.

• FBI: “Hackers see law firms as a back door to the valuable data of their corporate clients.”

• Mandiant: 80 major U.S. law firms hacked in 2011.

Page 11

“Law Firm, Police Hit By Hack Attacks; Lawyer Cell Phone Records Reportedly Accessed.” ABA Journal Law News Now, Feb. 7, 2012.

• VA law firm’s (Puckett & Faraj) network hacked through its web site and sensitive client data was published on YouTube.com.

• Firm’s web site replaced with hip-hop video.

• Network off-line for days (Update: Operations ceased).

• Awaiting direction from state bar regarding notifications to current and former clients.

• Many hacked e-mails had documents attached.

Page 12

“Elliott Greenleaf Sues Ex-Partner, Stevens & Lee Over Client Files.”

The Legal Intelligencer, Feb. 10, 2012.

• Former partner allegedly installed software without authorization on Elliott Greenleaf’s network that allowed the partner to have continued access to the firm’s files through the “cloud.”

• Software allegedly enabled continued, secret access to the confidential and proprietary information and trade secrets of Elliott Greenleaf and its clients. This data could then be monitored or altered remotely on an ongoing basis.

• Complaint further alleges that up to 5% of Elliott Greenleaf’s back up tapes were deleted.

Page 13

“Malicious Phishing Scheme Targets WilmerHale.” ABA Journal Daily Newsletter, January 5, 2011.

• “E-mail from a fictitious ‘Brian Willmer’ is being sent, purportedly from the firm, urging recipients to click on a link to determine how to respond to a commercial litigation subpoena, the firm says in a warning note prominently displayed on its website.”

Page 14

“Cameras May Open Up the Board Room to Hackers.” The New York Times, Jan. 22, 2012.

• “Two months ago, [HD] Moore wrote a computer program that scanned the internet for videoconference systems that were outside [a] firewall and configured automatically to answer calls. In less than two hours, he scanned 3 percent of the internet. In that sliver, he discovered 5,000 wide-open conference rooms [including] law firms…”

• “Any reasonably computer-literate 6-year-old can try this at home.”

Page 15

“How Secure are Law Firm Networks?” Corporate Counsel, Feb. 21, 2012.

• Rich with client information, law firms are often much less equipped to fend off cyberattacks than the corporations they represent. Ergo, “…a hacker can hit a law firm and it’s a much, much easier quarry.” Mary Galligan, FBI.

• Article offers a dozen questions for corporations to ask law firms regarding information security.

Page 16

Cyber and Law Firms: More Headlines

• “Employee at a Palo Alto law firm steals 90 laptops and 120 desktop computers and sells them.”

• “Eighteen laptops stolen from the Orlando office of a major law firm.”

• “Paralegal at a New York law firm downloads a 400 page trial plan in a major case and offers to sell it to the adverse party.”

• “Employee of a vendor at the Los Angeles office of a major law firm steals a client’s highly confidential encryption data and posts it on hacker websites.”

Source: “Law Firms Feel the Data Breach Heat and Start Buying [Cyber Liability] Insurance.” (Management Liability Update, May 13, 2010).

Page 17

Loss Scenario 1: Blackberry Lost!

A medical malpractice defense attorney forgets an unencrypted Blackberry in an airport restaurant. It is never recovered. It is late at night on a weekend and the Blackberry is not remotely wiped for 2 days. The attorney has 8,000 emails and some contain protected health information.

Page 18

Loss Scenario 2: “The Cyber ID Thief”

On a “black hat” website, Myra learns how to write an SQL Injection script that allows her to gain access to a law firm’s databases through their website.

She is able to access and download over the Internet names, addresses and Social Security numbers of 1,500 of the firm’s clients.

As required under State breach notification laws, the firm notifies their affected clients, incurring $250,000 in notification and related crisis management expenses.
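Scenario 2 turns on a website query that is assembled from visitor input. The following is an added example, not part of the original presentation: it builds a constructed SQLite table standing in for the firm's client records (names, addresses and SSNs are invented) and shows why a string-built lookup hands back every client row for one crafted input, while the same lookup with a bound parameter returns only the row the input literally matches. The table name, column names and lookup functions are assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for a law firm's client records.
# Every name, address and SSN below is invented for this example.
SAMPLE_CLIENTS = [
    ("Ann Doe", "1 Main St", "000-00-0001"),
    ("Bob Roe", "2 Oak Ave", "000-00-0002"),
    ("Cy Poe", "3 Elm Rd", "000-00-0003"),
]


def build_db():
    """Create an in-memory database with a minimal clients table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (name TEXT, address TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    return conn


def lookup_vulnerable(conn, name):
    """Website lookup built by string concatenation: the visitor's text becomes
    part of the SQL itself, so quote characters change what the query means."""
    sql = "SELECT name, address, ssn FROM clients WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Same lookup with a bound parameter: the text is passed as data and is
    never parsed as SQL, whatever characters it contains."""
    sql = "SELECT name, address, ssn FROM clients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Return (rows from the vulnerable lookup, rows from the parameterized one)."""
    conn = build_db()
    try:
        return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary lookup behaves identically either way.
    print(compare("Ann Doe"))
    # A crafted value turns the concatenated WHERE clause into a tautology, so
    # the vulnerable lookup dumps every client record; the parameterized one
    # returns nothing because no client is literally named that.
    print(compare("x' OR '1'='1"))
```

The difference between the two result sets is the whole of the scenario's loss: one query shape exposes the full client table, the other exposes nothing beyond the requested record.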

Page 19

Loss Scenario 3: “The Oops Factor”

Rodney, in Personnel, is rushing to get a spreadsheet containing the names, addresses and Social Security numbers of 250 job applicants to a background screening firm.

Attaching the sheet to an e-mail, he then inserts the name of his contact in “To:”, not realizing that what he has inserted is his bowling league contact list.

He hits Enter – and sends the list of prospective employees to the correct contact – and 30 other people outside the organization.

Page 20

Loss Scenario 4: “The Inside Job”

Prior to dismissal for cause, a disgruntled system administrator installed a logic bomb into the firm’s computer system. Some time after departure, the logic bomb began systematically corrupting critical data.

The firm identified the root cause and quickly quarantined the corrupted data. However, it took several months to restore the data and resume normal business operations.

Page 21

Laws and Regulations are Developing

When a data breach occurs, there are many US Federal/State and regulatory laws to consider:

• Financial Services Modernization Act of 1999 / Gramm-Leach-Bliley Act (GLBA)
• Federal Trade Commission’s Fair Credit Reporting Act (FCRA) - Federal “Red Flag” Rules (16 CFR 681.2)
• Health Insurance Portability & Accountability Act (HIPAA) and 2009 HITECH Act
• State Data Breach Notification Laws
• Massachusetts Security Regulations (201 CMR 17.00)

Page 22

State Statutes

• California first state to enact “security breach notification” legislation – July 1, 2003 [SB 1386].

• Currently, 46 other states have enacted some type of security breach notification legislation, including:

– Connecticut, Delaware, Florida, Georgia, Idaho, Illinois, Indiana, Maine, Massachusetts, Minnesota, Mississippi, Montana, New Hampshire, New Jersey, New York, Ohio, Oregon, Pennsylvania, Rhode Island, Texas, Vermont, Washington and Wyoming; plus

– District of Columbia, Puerto Rico and U.S. Virgin Islands.

Page 23

The Reach Of The Laws

Page 24

Breach Related Expenses

• Notification
– Crafting letter or other notification
– Printing or design
– Mailing or other transmission

• Public Relations
– Advertising & Press Releases
– Call Center Operations
– Other Services for Affected Persons: Credit Monitoring

• Forensics
– Legal expenses for outside attorney
– Cost of forensic examination
– Cost to remediate discovered vulnerabilities

• Legal
– Response to claims or suits
– Payment of judgments or settlements

Page 25

For internal use only. Not to be distributed outside of Chubb.

Breach Costs By Activity (Ponemon, 2010)

Activity                        Percent   Dollar (per compromised record)
Investigation & Forensics         11%       $23
Audit & Consulting Services       10%       $21
Outbound Contact                   5%       $10
Inbound Contact                    6%       $13
PR/Communications                  1%        $2
Legal Services - Defense          14%       $30
Legal Services - Compliance        2%        $4
Free or Discounted Services        1%        $2
Identity Protection Services       2%        $4
Lost Customer Business            39%       $83
Customer Acquisition Cost          9%       $19
Total                            100%      $214

Page 26

Risk Management Misconceptions

• IT is on top of it, so there is little to no exposure.

• We are too small a firm to be in a hacker’s cross-hairs.

• Our data is stored off-site with a third-party vendor, so any breach is their problem.

• Our mobile devices are secure because they are password protected.

Page 27

Risk Mitigation

• Information Security Policy (ISP)

• Virus Prevention / Intrusion Detection / Penetration Testing

• Mobile Device Security

• Incident Response Plan (IRP)

• Expert Security Assessments

Page 28

Information Security Policy

• First measure that must be taken to reduce the risk of unacceptable use of the company’s information resources.

• Development & implementation of a security policy turns employees into active participants towards securing company information.

• Helps reduce risk of security breach through ‘human factor’ mistakes.

Page 29

Incident Response Plan

• Essential for a company to have in place in order to effectively respond to a security breach.

• IRPs typically include:
– Members of the IRP Team (i.e., Managing Partner, head of IT, etc.)
– Notification process
– Guidelines for getting 3rd Parties involved (e.g., legal counsel, public relations, printers, forensic experts) with pre-negotiated rates.

• IRPs should be tested at least annually using various breach scenarios.

Page 30

Cyber Liability Insurance

• Offered as a stand-alone product.
• One single policy with combined third-party liability and first-party coverages.
• Designed to provide coverage to Insureds who transmit or store confidential customer information.

Page 31

CyberSecurity by Chubb(SM)

Insuring Clauses:

• E-Business Interruption & Extra Expenses
• E-Threat Expenses
• E-Vandalism Expenses
• Cyber Liability
– Disclosure Injury
– Reputational Injury
– Content Injury
– Conduit Injury
– Impaired Access Injury
• Privacy Notification Expenses
• Crisis Management & Reward Expenses

Page 32

Don’t I Have Cyber Coverage Already?

• 1st Party Exposures? Post-breach expenses?
• Regulatory prosecution?
• Breach of employee information?
• Website/Social Media?
• Breaches that do not arise from “Professional Services?”
• System-to-System injury?
• Rogue insider?
• Low LPL limits?

Page 33

Traditional Insurance Approach

• ISO Commercial Property?
• Computer Crime?
• General Liability Policy?
• Professional Liability Policy?

Page 34

ISO Commercial Property - “Electronic Data”

Covered Causes of Loss extended to include a “virus”.

But – coverage is limited because data must be “destroyed or corrupted”.

Page 35

Surety And Fidelity Association Computer Crime

Computer Crime Policy has three major exclusions:

Page 36

What about CGL or LPL Coverage?

General Liability Insurance

Addresses only physical injury to persons or tangible property, as well as the Insured’s liability arising from the publication of material that violates a person’s right to privacy. May be further restricted by several exclusions.

Professional Liability Insurance

May be limited by the description of “Professional Services” or by Exclusions for “Invasion of Privacy.” LPL is only a liability contract.

Page 37

Notification & Crisis Management

Lawyers Professional Liability Policy

Data Breach Notification & Crisis Management Expense

Privacy Notification & Crisis Management Expense

CyberSecurity Policy

Cyber Liability – Privacy Injury

Page 38

Liability – Cyber Excess of LPL

Lawyers Professional Liability Policy

Defense Expense & Possible Damages

Privacy Notification & Crisis Management Expense

CyberSecurity Policy

Cyber Liability – Privacy Injury

Page 39

What About a Breach of Employee Data?

Lawyers Professional Liability Policy

Breach of Employee Data

Privacy Notification & Crisis Management Expense

CyberSecurity Policy

Cyber Liability – Privacy Injury

Page 40

CyberSecurity For Law Firms

Lawyers Professional Liability Policy

One Breach

Privacy Notification & Crisis Management Expense

Cyber Liability – Privacy Injury

E-Vandalism Expense

E-Threat Expense

E-Business Interruption & Extra Expense

Page 41

Final Thought on Cyber

“Even if law firms manage to take heroic measures to secure their computer systems, experts say they … must accept the reality that cyberspace will never be entirely safe. As a result, experts say systems should be constructed so they are resilient enough to adapt to and recover from attacks rather than avoid them altogether.”

Source: “Cyberspace Under Siege: Law Firms are Likely Targets for Attacks Seeking to Steal Information Off Computer Systems.” (ABA Journal Magazine, November 1, 2010).

Page 42

Questions?