Liability to the client where confidential or private information is disclosed and thereafter used to the client's disadvantage, privacy liability arising from a breach of personally identifiable or confidential corporate information, defense costs, fines and, potentially, indemnity liability in connection with proceedings brought by state regulators for violation of their privacy breach regulations; and
Liability for defamation and copyright infringement arising from the dissemination of content (e.g., information on social media or the firm's website) as a result of breaches or other data protection failures.
The Insurance Implications
The insurance-related consequences of data breaches and losses (which are not inclusive) must also be understood.1 There are two aspects. First, law firms need to make realistic assessments of the risks in the context of their particular client base, practice areas and (because regulations differ among the states) their geographic footprint, based on the technology architecture they have in place. Second, firms need to assess what existing insurance coverage they have that would (or would not) respond to assist them if (or, more likely, when) they are confronted by a data breach or loss, and what additional coverage they should consider obtaining.
Risk Assessments. By way of example, this author recently learned from one law firm that the first flaw in its security that its assessment had identified was that a well-dressed individual (an investigator employed by the consultant/auditor engaged by the firm to conduct the assessment) had been able to walk into the firm's offices without being stopped, to find his way to an empty "visiting lawyers'" office, to turn on the computer on the desk, to access the firm's network, and to work undetected for seven hours before being discovered. For obvious reasons, therefore, such assessments are an essential part not only of understanding firms' vulnerabilities, but also of determining the options (and costs) in addressing weaknesses that may be identified.
Most firms representing large corporate clients are finding that these clients now require their lawyers to respond to in-depth questionnaires regarding the level of the firms' information security protocols. Some firms also report full-blown actual audits being undertaken by, or at the insistence of, clients to determine the actual (as opposed to reported) level of security in place.
Existing Insurance Coverage. At best, Lawyers Professional Liability (LPL) coverage provides only partial coverage for the kinds of consequences that could flow from breaches of data security or other loss of confidential information described above. The basic limitations of LPL coverage in the context of these kinds of losses are that:
LPL is negligence based. This is significant for two reasons. First, many of the acts giving rise to claims for data breaches and loss result from intentional acts of wrongdoing that are expressly excluded from LPL coverage. For instance, some of the causes of these losses are:
Theft of data, e.g., by hacking or loss/theft of a laptop or PDA;
Malicious, willful or intentional misuse of a computer system by third parties resulting in damage to or loss of data;
Intentional employee acts (whether leaking confidential data, or issuing an extortion demand).
LPL policies require a third-party claimant. However, as described above, some of the potential consequences of data breach or loss may arise when there is no liability to a third party. These include: