Login | April 24, 2024
OBLIC Now Covers Cyber Security
RICHARD WEINER
Technology for Lawyers
Published: September 5, 2014
The Ohio Bar Liability Insurance Company (OBLIC) has added cybersecurity to its standard coverage, effective May 1, 2014.
"We had been working on this for about the last year and a half," said Steven Couch, president and CEO of OBLIC. "We added pretty comprehensive cyber breach, data breach coverage onto our professional liability policy."
OBLIC's new coverage is in keeping with national trends in this area, and the company worked with similar carriers in creating it, Couch said.
Mark Bassingthwaighte, a Risk Manager with Attorney’s Liability Protection Society, Inc. (ALPS) who blogs extensively on this topic, has written, at this point, "who hasn't heard of the Target breach, the NSA scandal, the Heart Bleed bug, Chinese cyber-spying, the end of Windows XP support just for starters?"
ALPS is a national legal malpractice insurance company that does not do business in Ohio.
Noting that a 2102 ABA study found that fully 10 percent of law firms had experienced a data breach, Bassingthwaighte went on to write, that if a firm thinks it may be too small to be bothered with, "understand that a significant percentage of cybercrime attack vectors are automated. The size of the target isn’t part of the equation. It’s simply about taking as much data or money that they can...."
It may be his job to be pessimistic, but his basic warning about the inherent risks in this field is simple and to the point: "It’s not if it will happen," he stated. "It’s solely a matter of when."
To put potential damages into financial perspective, according to a 2013 Symantec study, the average per-organization cost of a data breach is over $5 million, although this figure does not necessarily reflect the cost of a law firm data breach.
In response to this new reality, Couch said that OBLIC, "thought that we would get our insureds coverage that they (probably) did not have now, and that most lawyers around the state do not have."
While most carriers add cybersecurity as a policy endorsement, Couch said, OBLIC has written it into the base policy, with limits. But it such a complex area, he said, that it seemed like, "the cybersecurity endorsements are longer than the base policies."
OBLIC's policy covers small firms (under 10 lawyers) for up to $50,000 per policy year in the aggregate at no further premium cost, said Couch. Larger firms are covered for up to $125,000.
"We took a look at our levels of risk, and decided that we could offer this amount of coverage at no further cost," he said. He acknowledged that some data breaches can cost far more than those amounts, and said that greater coverage is available for a greater premium cost.
OBLIC's cyber breach upgrade covers various costs associated with the potential fallout with a cyber breach, including network asset protection, third-party costs, credit monitoring, breach response costs, extortion indemnity, regulatory defense and penalties, and income loss.
Specifically, according to OBLIC's highlight sheet on its cybersecurity coverage, third-party coverage includes, "defense of regulatory proceedings brought by federal, state, or local government agencies," for costs associated with for violations of privacy regulations.
Privacy breach response costs include indemnity for "reasonable" legal costs and costs associated with public relations, advertising, IT forensics, and other like costs.
Network asset protection includes costs associated with data loss, including business interruption costs (with some technical restrictions).
Extortion indemnity is needed when data is stolen, and the thief demands payment to retrieve it, or to keep it out of the public eye.
The policy also includes losses from cyberterrorism, which is very broadly defined as including both personal and political broad-scaled attacks against a computer system.
Couch would like to see this policy upgrade as a part of an educational process for OBLIC's policy holders, in addition to simply covering cyber breaches.
The OBLIC website now contains a, "toolkit to help create internal policies for firms and practical steps to help identify risk, train personnel, avoid problems, and so on," Couch said.
"We would like them to know what to protect themselves against, and become more knowledgeable. More knowledge will help them to be able to evaluate their risks," on individual bases, and determine what coverage they really need in the long term, he said.