Here are a few examples of claims made. None of these law firms had a cyber policy:
1. Your client is about to close on a business deal that you and the client have been working on months. The money needs to be transferred by close of business on Friday. Unbeknownst to you and your client, your client’s e-mail was hacked a few months ago. The Cyber Criminal has just been monitoring the progress of the purchase and has been waiting for the transfer to come about on this coming Friday. A spoofed e-mail is sent to your client by the Cyber Criminal with new wiring instructions. The e-mail looks like it came from your law firm, but it did not. The client follows the instructions and sends the $2.5 million out per the fraudulent wire transfer instructions.
2. You won a large settlement on a case a few months ago. Today is payday and you have received the settlement. Because the case was from a referral, you send the referral attorney their share of the settlement proceeds. Unfortunately, your e-mail system has been hacked and the cyber criminal waits until they know that you have received the settlement. The cyber criminal puts out a fake e-mail from you to your bookkeeper that appears to be an e-mail forwarded from the referral attorney as to where the funds should be wired to. The bookkeeper follows your instructions and wires the money.
3. Your computer system is hacked. When you log in one morning you are informed by the cyber criminal that you have 3 days to send the equivalent of $10,000 in bitcoins per their instructions. You notify your malpractice insurance carrier, law enforcement and hire a computer expert. You decide not to pay the ransomware, and your computer system is completely offline of the next 3 months. While you were able to service your current clients, much of the data could not be recovered and had to be restored manually. Between the recover costs, the new computer hardware and your lost billings it costs the firm over $750,000.
4. You find out that your client’s collection accounts personally identifiable information which includes bank account numbers, credit card information and birth dates is now up for sale on the dark web. You now need to notify the appropriate state agencies, each collection account and now you need to set up credit monitoring for the 5000 plus accounts that were hacked. And you need to hire a forensic IT firm to find out what happened and plug the hole. Turns out a former staff member walked out with a thumb drive.
5. A partner at a small law firm receives an e-mail with an attachment from a former client. The e-mail had an attachment that the partner had trouble opening. The Share Point document asked for his password and login which he shared but it did not open the document. He forwarded the e-mail to a staff member who also tried their login and password. They also had trouble opening the document. A few days later a client advised the partner of strange e-mails that they had received from him with new wiring instructions for funds. The firm hires a law firm that specializes in data breaches and an IT firm that does forensic analysis. They found over 80,000 e-mails that were compromised with 102 of the e-mails viewed or accessed by an unauthorized party. With 8 clients personally identifiable information that may have been disseminated.
Lee Norcross, MBA, CPCU
Managing Director, CEO
(616) 940-1101 Ext. 7080