
Privacy Perspectives | Got a data breach? Call a cyber lawyer first


The recent breaches at a number of well-known law firms, not to mention the Panama Papers, may or may not be an anomaly. Either way, the size of a law firm isn’t necessarily relevant when a cyber breach hits. Whether your company is Fortune 500, middle-market or even a mom-and-pop, you’re at risk of a breach. It doesn’t matter whether the intrusion is attributable to malicious activity or simple employee or third-party negligence; the effect is the same. Your clients’, customers’ and employees’ sensitive information is at risk.

In many cases, the effect of a cyber incident could be devastating, if not fatal, to your company’s reputation – and, by extension, its economic viability.

To whom should you make your first call? A cyber lawyer. 

Unlike lay advisors, attorneys bring with them the attorney-client privilege and work product protection in many respects. Although vendors and IT specialists can promote themselves as having the appropriate knowledge and training to teach and implement best practices, they do not possess the critical protections afforded by the attorney-client relationship. In a relatively new space like cyber, where the law is uncertain and developing, the likely privileges become even more important.

How does cyber insurance factor into best practices?

A business’s management should not be dismayed by the obvious need to allocate resources (financial, human and technical) for the implementation of risk-management and risk-transfer strategies. It’s prudent and cost-effective in the long run, and, quite simply, a question of relativities. A company can pay four or five figures now or risk not being able to afford six or seven figures later.

Regrettably, in many cases, executives assume that their commercial general liability forms cover cyber-related risks. This is a critical mistake. Indeed, more than a few insurance brokers and policyholders misunderstand the extent and limitations of general liability insurance. In particular, many mistakenly believe that advertising and personal injury coverage (typically Part B or Part II of a CGL policy) covers a cyber breach. This view is wrong. For this reason alone, a sophisticated insurance broker is a necessity. You could buy a policy. The right broker can ensure that it's the right policy for your business.

Although limited cyber-related insurance may be provided by a CGL insurance policy, the lion’s share of fees, expenses, and other loss incurred following a cyber incident would not be covered. CGL policies cover damage to a third party’s tangible property (or person) as well as, in certain situations, advertising and personal injury.

In stark contrast, cyber insurance – depending on the coverage purchased – will cover not only third-party liability claims, but also will extend to first-party loss (i.e., business interruption, extra expense, extortion threats and the like) as well as the frequently large and unanticipated crisis management fees and expenses.

Moreover, the desire to purchase cyber insurance should play a significant positive role in incentivizing the adoption of best practices which, if handled correctly, will reduce the risk of a cyber incident – as well as the premium associated with the purchase of cyber insurance. The more robust your protections, the lower your premiums. It’s a significant and critical risk/benefit analysis.

The attorney wielding the applicable privileges also is the safest conduit to respond to an insurer, as the attorney will be in a position to assimilate the information provided by a client and pass along relevant claim information to a business’s insurer. Knowledge, of course, is invaluable. And by providing privileged and non-privileged information to the attorney, the company can be more secure that the privileged information is protected while coloring the attorney’s ability to properly advise the insurer of those facts necessary to protect the client’s ability to capitalize on the insurance coverage available.

Put differently, those who discount the need for cyber best practices and cyber insurance should consider this thought: Do you want to risk having your CGL coverage exhausted by a cyber breach? Or would you rather preserve the limits of liability for legitimate – or even frivolous – claims? After reading the foregoing, if you were considering increasing the limits of your CGL policy to account for cyber risks, why not just use the added premium to buy dedicated and tailored cyber coverage and add the available first-party and crisis management protections? It may be more expensive than excess CGL coverage, though it’s still modest by comparison to other insurance products, but the additional coverages available are worth it.

Be Proactive!

Many businesses are taking cyber risks and exposure seriously. Regrettably, it’s still too few. But there are solutions.

Best practices training and cyber insurance are a practical place to start. An attorney can assist a company in formulating and implementing practical and reasonable steps to protect personally identifiable information, personal health information, and confidential commercial information;[i] and, by extension, the company’s reputation and, perhaps, financial future, all while maximizing protection against that advice being discoverable through the course of litigation.

To the point, the litigation discovery process is one of the key drivers of the rising costs of litigation. And many cases are won and lost in the discovery stage. When used appropriately, a legitimate privilege can shield troublesome documents and evidence from having to be produced to your opponent. And oftentimes, the proper assertion of privilege and the applicable protections afforded can be outcome determinative. 

In the long run, an experienced, knowledgeable cyber attorney’s fees will be markedly cheaper than the cost of having to remediate a cyber incident, litigate through discovery with an angry client or third party who claims to have been harmed, and, perhaps, lose at trial because documents that otherwise might have been protected from discovery had to be produced. Indeed, the alternative to receiving advice and counsel from a trusted cyber lawyer could be fatal, especially for a business that trades on its reputation and goodwill.

Some businesses already have made the mistake of not doing so and paid the price. Literally. Your company should not be among them.

[i] Although there are almost as many attacks on the attorney-client privilege as there are on data, and while there are no guarantees that it will be enforced, the privilege does exist and is enforced when appropriate.


2 Comments


  • Jon Washburn • May 24, 2016
    I agree with Richard that your first call should always be to your lawyer to establish the attorney-client privilege at the outset, before you reach out to a cyber-security consultant to address technical training and best practices, or to remediate any technical risks/effects of a breach.  Also work together with your counsel to determine how the business relationship with any technical consultant is going to work, since the bulk of your confidential information is likely going to be accessible during the course of their engagement.  Your IT consultant will identify technical issues, but your cyber lawyer will help you interpret the risk.  Great points about the complexities of cyber insurance too.
  • Lyn Boxall • May 24, 2016
    As I'm a cyber-lawyer and a regulatory lawyer, it's not surprising that I agree.  And it's not just because of legal professional privilege, though that is just as important as is set out in the article.  There's also the perspective of legal/litigation and regulatory strategy to best position the client as remediation of the breach moves forward.  I'm not seeking to diminish the role of technical experts.  They're vital too.