The world is weighing in on the so-called "Panama Papers" data breach — the release of 11.5 million leaked documents detailing attorney-client information for more than 214,000 offshore companies associated with the Panamanian law firm Mossack Fonseca.

Iceland's Prime Minister Sigmundur Davíð Gunnlaugsson stepped down from his position, after his involvement with the law firm became public.

A network security company, in an interview with security trade publication SC Magazine, speculates that the amount of data stolen would have taken nine full days to remove from the law firm's systems. Though many applaud the hackers for bringing to light such gross political deception, it's important to start the conversation around what this breach means for a law firm's management of risk and its insurance policies.

Lawyers' evolving risks

Since the 1960s, courts have levied increasingly punitive judgments against legal professionals as a consequence for their errors. As such, lawyers needed ways to insulate their business and personal assets. Insurers responded with Lawyers' Professional Liability (LPL) policies.

The electronic age ushered in a new evolution in lawyers' exposure with e-discovery, court e-filings, and a shift to normal business correspondence being conducted predominantly online. Today, however, "cyber lite" coverage can be added to an LPL policy for first-party costs, but that still leaves many attorneys' exposures unaddressed. 

Why Cyber coverage matters

It's increasingly important for attorneys not to take Cyber risk lightly and relegate risk management concerns to the information technology staff.

While the Panama Papers headlines relate to a large practice, recent breaches have shown that law firms of all sizes are targets for hackers and vulnerable to rogue agents.

What happens when a law firm loses sensitive data about its clients' personal affairs? Or when a banking client's data is breached resulting in the devaluation of its stock price? While some endorsed LPL policies may respond to notification requirements, all Cyber policies should cover forensic investigations and repair an insured's breached platform to mitigate reputational harm.

The majority of law firms seem to be approaching their risk management strategies with only LPL in mind, while a prudent focus on their Cyber exposures is taking a backseat.

Security weakness will cost you

What were some of Mossack Fonseca's security failings?

Its systems were reportedly outdated — its Outlook Web Access login, for instance, hadn't been updated since 2009. To put that into perspective, the film "Avatar" came out in 2009, and the Heartbleed security bug wasn't disclosed until 2014. Roughly 4.8 million e-mails weren't encrypted, some containing highly controversial information about the firm's clients' business dealings and personal holdings.

The damages Mossack Fonseca might face could be similar to the repercussions Sony experienced. Sony's damages extended far beyond the costs related to its negligence in maintaining sensitive data, notifying current and former employees and clients, credit monitoring, identity protection services, and regulatory penalties.

Sony also had to consider that its entire business model was jeopardized — clients were now less likely to partner with Sony again. Mossack Fonseca, or any other law firm, could be left in a similar position — once clients know you can't be trusted to keep their secrets, they likely won't be your clients much longer.

Sony also faced allegations of breach of an implied contract between Sony and its employees who had to give up their personal information (such as their Social Security numbers), in order to obtain employment with the company.

A law firm such as Mossack Fonseca would not only have implied contracts with its employees, but also affirmative contracts with outside third parties. Corporate confidential information often goes without mention, but should also be a big consideration for law firms, which face potential claims alleging misappropriation of third-party trade secrets and other sensitive corporate data after a breach. Law firms should routinely consider how large of a Cyber risk they're taking on.

The fallout thus far shows how important it is for law firms of all sizes to start talking about Cyber coverage options. Most insurers offer Cyber risk assessment services. Additionally, most Cyber policies come with teams of vetted breach-response vendors who can help mitigate the reputational fallout of a law firm post breach — something, no doubt, Mossack Fonseca could benefit from.

Maureen LePiane serves as senior vice president and head of middle market Errors and Omissions for the Professional Risks division at New York City-based Hiscox USA.
