In the past we have blogged about attorney malpractice policies not answering cyber claims and that even though a business owner’s policy (BOP) may contain some cyber coverage, it likely will not provide all of the coverage and limits that a true cyber policy provides. This is a recent cyber claim that illustrates those points.
There was no coverage for this claim under the attorney malpractice policy. Fortunately, the Firm did have a BOP that provided some cyber coverage. But the cyber coverage had a $10,000 deductible and is limited to a maximum payout of $25,000. The good news for the Firm was the total claim was only around $30,000, so the BOP Insurer paid approximately $20,000 after the Firm paid the first $10,000. It turned out to be a relatively minor claim with almost all of the costs being for outside legal advice; forensic analysis of the breached e-mails; and paying for credit monitoring for a few clients. The Firm was very lucky that there were no 3rd party damages (ie a fraudulent wire transfer of funds) as the claim could have been much worse with total damages that would have easily exceeded $35,000.
NOTE: Most cyber policies have deductibles starting at $1000 and policy limits starting at $100,000 that can be as high as $5,000,000. And more can be obtained if needed. Many attorney malpractice policies exclude coverage for 3rd party fraudulent wire transfers.
The Cyber Claim
On May 1, 2017, a Firm attorney received an email from someone who appeared to be an attorney with whom the Firm attorney had previous dealings. The email contained a link to a Share Point document which the Firm attorney clicked on and proceeded to enter his login and password to open the document. Having trouble with the document, the Firm attorney forwarded the email to a Firm staff member to obtain assistance in opening the document. The staff member then entered their login and password to open the document. Subsequently on May 2, 2017, the Firm attorney was advised by a client of inconsistent email communications which included instructions regarding the transfer of funds.
When the Firm became aware of the situation, it contacted their technical support IT Vendor. The Firm’s IT vendor advised that it appeared that 80,000 emails in two of the Firm’s email accounts were compromised and manual review was necessary to determine if Personal Identifiable Information (PII) was contained in the compromised email accounts.
On May 10, 2017, the Firm notified their BOP Insurer of the May 1, 2017 Breach. At BOP Insurer’s suggestion, the Firm retained a law firm that specializes in data breaches to provide legal advice in connection with the Breach. Upon the data breach law firm’s advice, the Firm retained an IT firm to do a forensic analysis of the Breach and to determine if the affected email accounts were accessed, viewed, and/or data exfiltrated. The forensic analysis revealed that 102 emails were viewed or accessed by an unauthorized party.
The manual review of the 102 emails found that the PII of 8 clients may have been disseminated. Accordingly, notification of the possible dissemination of the PII was provided to these clients who were also provided credit and identity monitoring services for 12 months.