This resource has been written by guest author Collin Walke. Mr. Walke leads Hall Estill’s Cybersecurity and Data Privacy Practice. He is CIPP-US and CIPM certified and is a certified artificial intelligence systems auditor. Mr. Walke received his B.A. in philosophy from Oklahoma State University, his J.D., magna cum laude, from Oklahoma City University School of Law and is a graduate of Harvard’s Business Analytics Program.
In the last year, the average payoff for ransomware attacks rose 71% to $925,162. That amount is solely for the ransom and does not account for any of the attendant costs such as downtime, IT support and general anxiety and fear about what’s going to happen if – after conferring with legal counsel – you decide to pay; because, after all, you are dealing with criminals. They may take your money and keep your data.
All of us think that it won’t happen to us; but, in 2021, the American Bar Association reported that one in four attorneys suffered a data breach. The next time you and three legal friends are having a conversation, think about that statistic. Then think about all of the data your law office has in it: Social Security numbers, medical records, bank records, business documents, etc. There’s a reason cybersecurity incidents are on the rise, especially with small- to medium-size law firms – smaller companies do not take the same security precautions that large companies do.
Given the astronomical costs of ransomware attacks and data breaches, ensuring you have adequate cyber-risk insurance in place is critical. Standard cyber-risk insurance applications ask for information like “Do you have a cyber-security incident response plan?” (64% of attorneys do not have such a plan) or “Do you have a personal use device policy a/k/a BYOD?” (only 32% of attorneys have such a policy). In other words, far too many law firms are unprepared for an insurance application, let alone an actual cyber-attack.
Aside from being prepared for the insurance application itself, you must also have an understanding of the various aspects of cyber-risk insurance and the types of coverage they provide. For example, will the insurance company cover the cost of technical assistance? Will it cover the cost of providing notice of the breach? Will it provide a legal defense in the event of a lawsuit in the wake of the breach? What happens if the attack is the result of one of your vendors compromising your access credentials?
The Oklahoma Rules of Professional Conduct state that lawyers have a duty to be competent, including competency regarding “the benefits and risks associated with relevant technology.” If the ABA statistics are any indication, then odds are you aren’t prepared for a cyber-attack nor are you compliant with the Rules of Professional Conduct.
It’s time to invest in cyber protection. Lawyers may say that they can operate like they did in the 1990s or early 2000s and be just fine. I’m sure Nokia thought the same thing – but Nokia is now a shell of its former self and hardly thought about. Lawyers who are not prepared for a cyber-attack will likely see the same fate.
I am more than happy to help advise and establish the necessary policies and procedures in order to obtain the appropriate cyber-risk insurance. You can also contact OAMIC to discuss your cyber coverage (included with every LPL policy, with base limits), and how to increase your protection with increased limits. Because the question isn’t whether you will be hacked, but when.