The Akron Legal News


Encryption set for med mal insurance companies

RICHARD WEINER
Technology for Lawyers

Published: February 19, 2016

I got an interesting phone call a few weeks ago.

An attorney (no names, please) called me from the East Coast, on her way overseas. She was asking me for some advice on encryption. When I pressed the matter a bit, she told me that her legal malpractice insurance carrier was requiring her to encrypt, as she said, “everything.”

All data, all communications, all devices. Encrypt “everything.”

She needed to do that from afar, within a small timeframe and on a limited budget.

I gave her some basic guidance, but that certainly raised an alarming question of its own: Is this requirement happening with malpractice carriers out there?

And given the whole international discussion on encryption, spy agencies and law enforcement, what would an agency like Ohio BCI think about all attorneys encrypting all of their data?

Ohio Attorney General Michael DeWine’s office has recently released a data safety guide for the populace that includes encryption recommendations for private networks.

To the point of attorneys encrypting “everything,” AG spokesperson Jill Del Greco said “encryption can, in certain scenarios, make criminal investigations more difficult, but we don’t think that encryption would be an issue unless it was being used to hide a crime.”

Of course, investigators wouldn’t know that until they started their investigations. But just having lawyers encrypting data isn’t on the OAG’s radar.

In terms of the attorney who called me for advice, I had assumed that the attorney’s carrier was the Ohio Bar Association’s in-house malpractice carrier, Ohio Bar Liability Insurance Company (OBLIC), but I was wrong. It took me a little while to figure that out….

Her carrier was Zurich American Insurance Company, which came from Switzerland but is headquartered in Chicago. She had gotten the policy from a Cincinnati agency, but that brought up another set of questions because it was entirely possible that a company that had originated in Switzerland had different ideas about encryption than an American company.

According to the Washington Post, in a Feb. 2 article, “Europe believes privacy is a fundamental right, and has data protection promises built into its charter. In the United States, there are some federal protections for things like credit and health care information, but there's no single national law that lays out privacy rights.”

Zurich is one of about “15 to 20” legal malpractice carriers operating in Ohio, said Steven Couch, president and CEO of the Ohio Bar Liability Insurance Company (OBLIC).

To Zurich, it was simply about underwriting. Zurich’s spokesperson Robyn Ziegler put a little perspective on the issue.

“Zurich has no blanket requirement for encrypting data,” she said. “Every Zurich policy is written on a case by case basis, so each policy – and any requirements (such as encrypting data) associated with it – are unique to the customer for which each policy is written.”

Noting that data protection is simply an aspect of risk management, Ziegler said that “we do work with customers to determine if they have good risk mitigation techniques in place to protect against data security breaches. And that can include encryption of data.”

OBLIC’s position on these questions arises from its market position, said Couch, who explained that OBLIC primarily exists for solo and small practices.

While OBLIC does conduct cybersecurity CLEs, Couch said that the company “technically does not require” its insured attorneys to encrypt their data.

However, that statement comes with a few caveats and shades of gray.

Cybersecurity insurance, which among other things covers the costs of a data breach or the costs of paying a cyber ransom (which they have paid), comes in multiple levels, Couch said. Echoing Zurich, he noted that coverages were basically underwriting questions.

OBLIC offers a basic $50,000 limit on cyber breaches (which doubles for larger firms) as a part of its base policy, said Couch. “Our approach is to get lawyers at least limited coverage standard. Then, if a breach occurs, there is some level of coverage that can kick in and address the breach,” he said.

However, Couch said, “on top of that, if a firm spends the time to evaluate what their cyber exposure limits are we will sell them a policy to those limits. The rates are significantly reduced by the fact that they are already covered.”

On the “other side of things,” Couch said, “high-limit cyber security policies, fully underwritten in the commercial market, can include an 8-10-page application. A ground-up, standalone policy asks all kinds of questions, and varies among providers.”

So while OBLIC does not require encryption, it does recommend cybersecurity measures that may include encryption.

But with cybersecurity breaches now costing the economy many millions of dollars, those requirements may be coming in the future.

