Frequently Asked Questions
Doesn’t the lawyers professional liability (“LPL”) policy cover cyber risk?
Unless your firm’s LPL policy has a “cyber risk coverage endorsement” then it wasn’t designed to cover cyber risks. LPL policies were only designed to cover legal liability for errors or omissions committed in the course of providing professional legal services. LPL policies were not designed to cover law firms for legal liability arising out of viruses, hackers, or denial of service attacks. However, LPL policies typically have broad errors or omissions triggers without specific cyber risk exclusions, and cyber risks could potentially cause a pure errors or omissions claim, so in some cases, LPL policies may provide limited coverage for legal liability which are caused cyber risks. For example, if a firm suffered a computer virus that caused the firm to miss the deadline for a patent filing, the client could bring a suit for malpractice against the firm. Unfortunately, there is no clear answer about “covered” or “not covered” as it relates to cyber risk and lawyers professional liability insurance. In fact, one of the reasons it’s so difficult for law firms to select the right cyber risk coverage is due to the potential overlaps with the LPL policy. If you want more information about the types of cyber risks that may be covered in an LPL policy, please follow click on the following link to review our detailed LPL cyber risk coverage gap analysis.
How do I know if my LPL policy covers cyber risk or not?
Attempting to clarify what coverage may or may not exist in a Lawyers professional liability policy can be difficult because coverage for claims is fact specific. However, getting a general feel for the scope of coverage can be accomplished in some cases. We developed the following 6 questions to help SafeLaw clients better understand cyber coverage in an LPL policy. Forward these questions to your LPL insurer for clarification:
- Does our LPL policy cover civil, criminal or regulatory proceedings arising out of loss or unauthorized disclosure of our firm’s client or employee information?
- Does our LPL policy cover civil, criminal or regulatory proceedings arising out of unauthorized use of our firm’s computer network including computer attacks that emanate or propagate from our computer network?
- Does our LPL policy cover civil or regulatory fines, penalties or damages arising out of loss or unauthorized disclosure of our firm’s client or employee information?
- Does our LPL policy cover our costs of complying with regulatory obligation to notify clients or employees following loss or unauthorized disclosure of our firm’s client or employee information?
- Does our LPL policy cover loss mitigation expenses including provision of credit monitoring, ID theft recovery services, and hotline support to our clients or employees in the event of unauthorized disclosure of our firms client or employee information?
- Does our LPL policy cover crisis management and public relations expenses following computer attacks or a data breach?
What is SafeLaw?
SafeLaw is a cyber risk insurance policy designed for law firms. SafeLaw was created specifically for the unique first and third party exposures at law firms. In addition, SafeLaw was built around the firm’s lawyers professional liability policy (“LPL”) using a difference in conditions wrap structure to avoid gaps in coverage, overlaps and coverage clashes. as well as the LPL insurance. SafeLaw is provides the most comprehensive cyber risk coverage available for law firms in the marketplace today.
Most cyber risk policies were designed with the of insuring a company for third-party liability from consumer privacy breaches. Many law firms don’t collect large amounts of personally identifiable information, but all law firms collect, create and store very valuable information that must be protected. SafeLaw covers a firms legal, ethical, regulatory and malpractice obligations for all the data a law firm collects, creates or stores.
SafeLaw also protects law firms from first-party cyber property losses and loss of income due to a cyber peril. Most cyber risk insurance policies provide first-party cyber coverage designed for companies that sell products, such as a retailer. We understand that law firms earn, bill and collect revenue differently, so SafeLaw has coverage crafted around a law firm’s business model and covers the loss of billable hours when cyber losses happen.
SafeLaw also includes educational and breach response services specific to the legal industry. We only use lawyers, technology vendors and consultants that specialize in cyber risk management at law firms. No other cyber risk insurance policy provides coverage and services specific to law firms.
What is a Difference in Conditions Wrap policy and how does it work?
A Difference In Conditions insurance policy is a broad form standalone policy designed to fill specific gaps in standard insurance policies and provide additional limits of coverage. They are usually highly customized and typically only available to large industrial or commercial risks. They are frequently sought after by large organizations to fill gaps in traditional coverage without coverage conflicts coverage and paying full price for it. Since Lawyers Professional Liability insurance provides a little cyber risk coverage, but does not adequately cover most cyber risks we designed the SafeLaw policy to interact but not conflict with LPL your coverage.
SafeLaw is a difference in conditions wrap policy designed to broaden a law firms coverage by a) providing primary cyber risk coverage wherever gaps in LPL policies exist; b) switching to excess coverage when LPL policies provide coverage for cyber risk; and c) sitting side by side in a primary capacity with your LPL and covering the uncovered portion of cyber claims when LPL policies only provide partial coverage.
Does the SafeLaw policy have sub limits for any coverage modules?
No, there are no sub limits of coverage in the SafeLaw policy. Most cyber risk insurance policies have small sub limits of coverage for one or more of high risk exposures, such as regulatory violations or fraudulent funds transfers, but SafeLaw gives full limits of coverage for all covered perils.
What are the minimum deductibles in SafeLaw?
The minimum deductible for SafeLaw is $1,000 for all modules except business interruption, which has a 12 hour waiting period.
What is the minimum premium for SafeLaw?
Premiums start at a few hundred dollars for very small firms and a few thousand dollars for average sized firms.
What are the maximum limits of coverage available for SafeLaw?
The maximum limit available from our primary insurer is $15,000,000. Excess coverage is available through Lloyds.
How is SafeLaw’s business interruption coverage different from generic cyber risk policies?
Business interruption insurance covers a firm for income that is lost due to an interruption in a firm’s business operations as a result of a covered loss. When we evaluated the standard business interruption coverage in cyber risk policies, we saw a common flaw that only affects a handful of industries, so we drafted coverage to specifically address unique way law firms generate income. Generally speaking, business interruption insurance covers lost income for a defined period of time called the “period of restoration”, which usually begins the day when the operations are interrupted by covered damage and ends the earlier of when the damage is repaired or business operations are resumed. Loss of income during the period of restoration losses is usually calculated using either of the following methods:
Business Interruption Value = Net Income Plus Continuing Expenses, or
Business Interruption Value = Gross Earnings Less Non-continuing Expenses
This standard business income coverage, which is used by many cyber insurance insurers, can be problematic for law firms because of the length of time between when the service is performed and when the fees are collected. In most cases, insurers will only count income that would have been fully recognized during the period of restoration into the lost income calculation. For example, if a law firm is infected with a computer virus and the computer system is down for 14 days, only the revenue that would normally have been earned from services that are performed, billed and paid during those 14 days would be covered. Therefore, it’s likely that a law firm could lose hundreds of billable hours from a virus following a loss and not be able recover the lost income their insurance company.
The Safelaw policy addresses these problems with standard cyber risk business interruption policies head-on. Safelaw specifically covers loss of billable hours as a result of a covered peril, such as a virus, hacker, or denial of service attack. In addition, Safelaw includes coverage for extended billable hours interruption, extra expense and contingent business income to blanket your firm with coverage designed for a law firms unique needs.
Does Safelaw cover loss of confidential legal information
Yes. Safelaw provides specific coverage for your firm’s legal information including the liability that could result if it is disclosed in an unauthorized manner. Many cyber insurers don’t cover loss off confidential legal information, but Safelaw was built around the concept of protecting a law firms confidential information and includes coverage for the liability, income interruption and rebuilding expenses associated with the loss of or damage to confidential information.
How can my firm get a SafeLaw quote?
Getting a quote is simple. The only information needed to get a bindable quote for Safelaw coverage is:
- the number of lawyers and partners working at your company;
- the areas of practice your law firm provides services; and
- your LPL policy premium, deductible and limit
If you choose to bind the Safelaw coverage quotation the only additional information required is a signed affirmation stating that no cyber risk claims have already occurred and that you are not aware of any potential claims in the future.
What are the minimum requirements for getting SafeLaw coverage?
SafeLaw has some conditions precedent for coverage. They include antivirus software, firewalls and encryption.
How do I file a claim under a SafeLaw policy?
Does the SafeLaw information incident response and claims team have experience in the legal industry?
Yes, the SafeLaw incident response and claims team has dedicated expertise with law firms and significant experience in handling cyber risk claims at law firms. With SafeLaw you have the option of using your own expert vendors or select from SafeLaw’s panel of cyber risk expert. Each of the vendors we recommend works with clients in the legal industry and understands the special requirements for working with law firms. We understand the confidential nature of legal information and importance of structuring proper relationships with vendors that won’t break attorney client privilege.
What ethical, regulatory, malpractice and contractual obligations does my firm have in the event of an unauthorized disclosure of client information?
Your ethical, regulatory, malpractice and contractual obligations to disclose and incident will depend on a myriad of variables. The types of ethical, regulatory and malpractice obligations your firm has following a breach will depend largely on the types of information disclosed, how much of it was disclosed and if it was encrypted. Contractual obligations will also depend on similar factors plus any duties spelled out in the contract itself.
SafeLaw provides clients with access to legal and technical experts to help your firm understand the current privacy and confidentiality regulatory environment for law firms. SafeLaw clients have round the clock access to a network of experts specializing in everything from confidentiality and privacy to breach notification.
How can the SafeLaw team help my firm navigate a claim?
A breach coach is an expert in managing a data security breach and minimizing potential losses. SafeLaw policy holders have access to a breach coach before a loss occurs to assist in developing a breach response plan and after a loss to help navigate the complex regulatory and legal environment surrounding unauthorized disclosures of NPI. If a breach occurs the breach coach will be your first point of contact for coordinating with subject matter experts to navigate the complex process of responding to a data breach. Each data breach is unique and the services a breach coach advises and assists your firm with will be tailor to suit your firm’s needs following the breach. Some of the core services a breach coach can help you with include:
- Conducting technical forensics to determine the scope and cause of the data security breach;
- Understanding the relevant regulatory, legal, ethical and malpractice obligations associated with the breach;
- Determining which authorities and regulatory bodies must be notified and guide your firm through the notification process;
- Identifying the individuals and businesses your firm must notify, the individuals you may wish to notify and guide your firm through the notification process;
- Selecting and implementing the best loss reduction solutions for the breach including credit monitoring, legal filings, insurance or fraud prevention;
- Managing ongoing communications with business and individuals that are victims of the breach including procuring call center services, developing scripts and training call center staff;
- Coordinating with a public relations firm to implement a public relations campaign to protect your firm’s brand.
Can you help our firm value a cyber risk loss?
Yes, SafeLaw policyholders have access to top experts to assist in the valuation of losses including technical forensics and forensic accountants. Cyber risk insurance policies require that proof of loss forms be filed for business income and data damage losses, but most organizations don’t have the internal expertise to value the loss and the cost of paying experts to assist is very cost prohibitive. SafeLaw provides coverage for technical forensics and forensic accounting services to assist you with proof of loss and claim recoveries.
Are there established loss prevention policies and procedures for the legal industry?
Yes. The generally accepted standard of information security is the ISO17799/27001 standard. ISO17799/27001 is published for any company with information technology. Many law firms have their internal information security policies and procedures audited against the ISO 17799/27001 standard annually. In addition, the legal industry has two specialized organizations dedicated to the development and implementation information security policies and procedures built for the unique needs of the legal industry. The International Legal Technical Standards Organization (ILTSO) publishes free information security standards for the legal industry annually. The International Legal Technology Association (ILTA) has a security initiative called LegalSec, which is dedicated to information security best practices for law firms.