For an attorney malpractice policy to cover a cyber claim, the claim must cause a covered 3rd party client loss arising from attorney malpractice. Even when a cyber claim triggers the malpractice policy, the policy will likely cover only the portion of the claim that deals with monetary damages to the client. The following claim did not trigger the firm’s malpractice policy, but the data breach still caused expenses.
The Cyber Claim
On June 1, 2019, a Firm attorney received an email from someone posing as an attorney with whom the Firm attorney had previous dealings. The email contained a link to a SharePoint document. The Firm attorney clicked the link and, to open the document, entered his login and password. Having trouble with the document, the Firm attorney forwarded the email to a Firm staff member, who attempted to open the document and also entered their login and password. On June 2, 2019, a client advised the Firm attorney of inconsistent email communications, which included instructions regarding the transfer of funds.
When the Firm became aware of the situation, it contacted its technical support IT vendor. The IT vendor advised that 80,000 emails in two of the Firm’s email accounts appeared to be compromised and that a manual review was necessary to determine whether the compromised email accounts contained Personally Identifiable Information (PII).
On June 10, 2019, the Firm notified its Business Owners Policy (BOP) Insurer of the June 1, 2019, Breach. At the BOP Insurer’s suggestion, the Firm retained a law firm that specializes in data breaches to provide legal advice in connection with the Breach. On the data breach law firm’s advice, the Firm retained an IT firm to do a forensic analysis of the Breach and to determine whether the affected email accounts were accessed or viewed and whether data was exfiltrated. The forensic analysis revealed that 102 emails were viewed or accessed by an unauthorized party.
The manual review of the 102 emails found that the PII of 8 clients may have been disseminated. Accordingly, these clients were notified of the possible dissemination of their PII and were provided with credit and identity monitoring services for 12 months.
There was no coverage for this claim under the attorney malpractice policy. Fortunately, the Firm did have a BOP that provided some cyber coverage, but that coverage had a $10,000 deductible and was limited to a maximum payout of $25,000. The good news for the Firm was that the total claim was only around $30,000, so the BOP Insurer paid approximately $20,000 after the Firm paid the first $10,000. It turned out to be a relatively minor claim, as almost all the costs were for outside legal advice, forensic analysis of the breached emails, and credit monitoring for a few clients. The Firm was very lucky that there were no 3rd party damages (e.g., a fraudulent wire transfer of funds), as the claim could have been much worse, with total damages well over $100,000.
NOTE: Most cyber policies have deductibles starting at $1000 and policy limits starting at $100,000 that can be as high as $5,000,000, and more can be obtained if needed. Some attorney malpractice policies exclude coverage for 3rd party fraudulent wire transfers.
Lee Norcross, MBA, CPCU
Managing Director, CEO