Frequently Asked Questions
What is SafeLaw?
SafeLaw is a cyber risk insurance policy. It is one of our industry-specific products* tailored for law firms. SafeLaw uses a difference-in-conditions wrap structure with your Lawyers Professional Liability policy to avoid gaps, overlaps, or clashes in coverage. Our first and third party coverage is the most comprehensive cyber risk coverage available on the marketplace today. SafeLaw also includes response services from lawyers, technology vendors, and consultants specializing in cyber risk management for law firms.
For example, we cover: first-party cyber property losses, loss of income, legal, ethical, regulatory and malpractice obligations for your data whether it’s collected, created, or stored by you.
Doesn’t the lawyers professional liability (“LPL”) policy cover cyber risk?
The language for LPL policy design isn’t for cyber risk unless you have a “cyber risk coverage endorsement.” Typically, an LPL policy only has broad coverage and might not cover an errors or missions claim, especially if they have cyber risk exclusions. Unfortunately, for specific scenarios, there is no clear answer for “covered” or “not covered” due to the potential overlaps between policies.
Example*: Your firm suffered a computer virus that caused the firm to miss a patent filing deadline. Your client could potentially come back to sue for malpractice. Your LPL policy offers limited coverage for legal liability and our policy covers any gaps.
*The information provided constitutes a typical situation and does not provide any guarantee of specified services
How do I know if my LPL policy covers cyber risk or not?
Attempting to clarify what coverage may or may not exist in a Lawyers professional liability policy can be difficult because coverage for claims is fact specific. However, getting a general feel for the scope of coverage can be accomplished in some cases. We developed the following 6 questions to help SafeLaw clients better understand cyber coverage in an LPL policy. Forward these questions to your LPL insurer for clarification:
- Does our LPL policy cover civil, criminal or regulatory proceedings arising out of loss or unauthorized disclosure of our firm’s client or employee information?
- Does our LPL policy cover civil, criminal or regulatory proceedings arising out of unauthorized use of our firm’s computer network including computer attacks that emanate or propagate from our computer network?
- Does our LPL policy cover civil or regulatory fines, penalties or damages arising out of loss or unauthorized disclosure of our firm’s client or employee information?
- Does our LPL policy cover our costs of complying with regulatory obligation to notify clients or employees following loss or unauthorized disclosure of our firm’s client or employee information?
- Does our LPL policy cover loss mitigation expenses including provision of credit monitoring, ID theft recovery services, and hotline support to our clients or employees in the event of unauthorized disclosure of our firms client or employee information?
- Does our LPL policy cover crisis management and public relations expenses following computer attacks or a data breach?
What is a Difference in Conditions Wrap policy and how does it work?
A difference-in-conditions policy is designed to fill in specific gaps left by standard insurance policies. It provides additional limits, and was typically sought after by large organizations. As a standalone policy, SafeLaw is highly customized to your firm’s cyber risks without conflicting with your Lawyers Professional Liability (LPL) policy.
For example: Our difference-in-conditions policy, SafeLaw, broadens your firm’s coverage in 3 specific ways:
-
- Primary cyber coverage wherever the LPL gaps exist
- Primary cyber coverage “side-by-side” with your LPL if their policy only provides partial coverage
- Provide excess coverage above any cyber risk the LPL may cover
Does the SafeLaw policy have sub limits for any coverage modules?
SafeLaw has a sublimit on two modules of coverage, but no sublimits can be higher than the aggregate limit of the SafeLaw policy.
Ransomware and Extortion: $250,000 to $1,000,000 based on purchase.
Social Engineering and Crime: $250,000 to $500,000 based on purchase.
What are the minimum deductibles in SafeLaw?
The minimum deductible for SafeLaw is $2,500 for all modules except business interruption, which has a 12 hour waiting period. The waiting period can be bought down to 6 hours if needed.
What is the minimum premium for SafeLaw?
Premiums start at a few hundred dollars for very small firms and a few thousand dollars for average sized firms.
What are the maximum limits of coverage available for SafeLaw?
The maximum aggregate limit available from our primary insurer is $5,000,000.
How is SafeLaw’s business interruption coverage different from generic cyber risk policies?
Business interruption insurance covers a firm for income that is lost due to an interruption in a firm’s business operations as a result of a covered loss. When we evaluated the standard business interruption coverage in cyber risk policies, we saw a common flaw that only affects a handful of industries, so we drafted coverage to specifically address unique way law firms generate income. Generally speaking, business interruption insurance covers lost income for a defined period of time called the “period of restoration”, which usually begins the day when the operations are interrupted by covered damage and ends the earlier of when the damage is repaired or business operations are resumed. Loss of income during the period of restoration losses is usually calculated using either of the following methods:
Business Interruption Value = Net Income Plus Continuing Expenses, or
Business Interruption Value = Gross Earnings Less Non-continuing Expenses
This standard business income coverage, which is used by many cyber insurance insurers, can be problematic for law firms because of the length of time between when the service is performed and when the fees are collected. In most cases, insurers will only count income that would have been fully recognized during the period of restoration into the lost income calculation. For example, if a law firm is infected with a computer virus and the computer system is down for 14 days, only the revenue that would normally have been earned from services that are performed, billed and paid during those 14 days would be covered. Therefore, it’s likely that a law firm could lose hundreds of billable hours from a virus following a loss and not be able recover the lost income their insurance company.
The Safelaw policy addresses these problems with standard cyber risk business interruption policies head-on. Safelaw specifically covers loss of billable hours as a result of a covered peril, such as a virus, hacker, or denial of service attack. In addition, Safelaw includes coverage for extended billable hours interruption, extra expense and contingent business income to blanket your firm with coverage designed for a law firms unique needs.
Does Safelaw cover loss of confidential legal information
Yes. Safelaw provides specific coverage for your firm’s legal information including the liability that could result if it is disclosed in an unauthorized manner. Many cyber insurers don’t cover loss off confidential legal information, but Safelaw was built around the concept of protecting a law firms confidential information and includes coverage for the liability, income interruption and rebuilding expenses associated with the loss of or damage to confidential information.
How can my firm get a SafeLaw quote?
To get a pricing indication, we have a system to get initial pricing indications for brokers. Reach out to your SafeLaw representative for access. To receive a bindable quote, the applicant needs to fill out and sign an application. The application includes but is not limited to the questions below:
- number of lawyers and partners working at your company;
- revenue
- areas of practice your law firm provides services
- your LPL policy premium, deductible and limit
- 10 information security questions
- warranty questions about any existing or potential claims
What are the minimum requirements for getting SafeLaw coverage?
SafeLaw has some conditions precedent for coverage. These include agreeing that any information security controls in place will remain in place. Your quote may have subjectivitys that need to be remediated prior to or after bind.
How do I file a claim under a SafeLaw policy?
Safelaw is structured to make claims easier for you. Please contact Kevin O’Hagan at1-855-247-4710 or kohagan@ohaganmeyer.com to get the process started.
Does the SafeLaw information incident response and claims team have experience in the legal industry?
Yes, the SafeLaw incident response and claims team has dedicated expertise with law firms and significant experience in handling cyber risk claims at law firms. With SafeLaw you have the option of using your own expert vendors or select from SafeLaw’s panel of cyber risk expert. Each of the vendors we recommend works with clients in the legal industry and understands the special requirements for working with law firms. We understand the confidential nature of legal information and importance of structuring proper relationships with vendors that won’t break attorney client privilege.
What ethical, regulatory, malpractice and contractual obligations does my firm have in the event of an unauthorized disclosure of client information?
Your ethical, regulatory, malpractice and contractual obligations to disclose and incident will depend on a myriad of variables. The types of ethical, regulatory and malpractice obligations your firm has following a breach will depend largely on the types of information disclosed, how much of it was disclosed and if it was encrypted. Contractual obligations will also depend on similar factors plus any duties spelled out in the contract itself.
SafeLaw provides clients with access to legal and technical experts to help your firm understand the current privacy and confidentiality regulatory environment for law firms. SafeLaw clients have round the clock access to a network of experts specializing in everything from confidentiality and privacy to breach notification.
How can the SafeLaw team help my firm navigate a claim?
A breach coach is an expert in managing a data security breach and minimizing potential losses. SafeLaw policy holders have access to a breach coach before a loss occurs to assist in developing a breach response plan and after a loss to help navigate the complex regulatory and legal environment surrounding unauthorized disclosures of NPI. If a breach occurs the breach coach will be your first point of contact for coordinating with subject matter experts to navigate the complex process of responding to a data breach. Each data breach is unique and the services a breach coach advises and assists your firm with will be tailor to suit your firm’s needs following the breach. Some of the core services a breach coach can help you with include:
- Conducting technical forensics to determine the scope and cause of the data security breach;
- Understanding the relevant regulatory, legal, ethical and malpractice obligations associated with the breach;
- Determining which authorities and regulatory bodies must be notified and guide your firm through the notification process;
- Identifying the individuals and businesses your firm must notify, the individuals you may wish to notify and guide your firm through the notification process;
- Selecting and implementing the best loss reduction solutions for the breach including credit monitoring, legal filings, insurance or fraud prevention;
- Managing ongoing communications with business and individuals that are victims of the breach including procuring call center services, developing scripts and training call center staff;
- Coordinating with a public relations firm to implement a public relations campaign to protect your firm’s brand.
Can you help our firm value a cyber risk loss?
Yes, SafeLaw policyholders have access to top experts to assist in the valuation of losses including technical forensics and forensic accountants. Cyber risk insurance policies require that proof of loss forms be filed for business income and data damage losses, but most organizations don’t have the internal expertise to value the loss and the cost of paying experts to assist is very cost prohibitive. SafeLaw provides coverage for technical forensics and forensic accounting services to assist you with proof of loss and claim recoveries.
Are there established loss prevention policies and procedures for the legal industry?
Yes. The generally accepted standard of information security is the ISO17799/27001 standard. ISO17799/27001 is published for any company with information technology. Many law firms have their internal information security policies and procedures audited against the ISO 17799/27001 standard annually. In addition, the legal industry has two specialized organizations dedicated to the development and implementation information security policies and procedures built for the unique needs of the legal industry. The International Legal Technical Standards Organization (ILTSO) publishes free information security standards for the legal industry annually. The International Legal Technology Association (ILTA) has a security initiative called LegalSec, which is dedicated to information security best practices for law firms.
What's the easiest way to boost my information security (IT) risk profile?
SafeLaw offers many loss control resources. We have pre-negotiated arrangements with HavocShield, a vendor that specializes in small business IT and cyber risk. SafeLaw policyholder’s receive a discount on their services to help your cyber security hygiene and implementing software.