Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Does Your Law Firm Have Cyberliability Insurance? Who Knows? Do You?

October 7, 2015

Apparently, 80% of lawyers in firms with more than 100 attorneys don't know whether their firms have cyberliability insurance.

As Bloomberg BNA posted, based on an ABA Legal Technology Resource Center Survey, of the more than 880 lawyers who responded to the survey, only 11% reported that their law firms had cyberliability insurance.

The survey found that firms with more than 100 lawyers experienced the most significant jump in reported breaches, which were defined as everything from a lost or stolen smartphone to a break-in or website exploitation.

In a follow-up question, 71.4 percent of participants from a firm with 500 or more lawyers and 66.7 percent from a firm with 100 or more lawyers said there was no significant business disruption or less. Five percent of the firms reported that the breach required their firm to notify clients, and three percent reported that a breach resulted in unauthorized access to client data.

My experience is that lawyers are fairly clueless about whether their firm has been breached, clueless about their cyberinsurance, clueless about the impact of the breach on confidential data and distinctly clueless about whether they notified (or, more importantly, should have notified) clients – under state data breach notification laws or under their ethical duties.

More than 75 percent of law firms with 100 or more attorneys have a chief information security officer or a staff person with responsibility for data security. This too is pretty amorphous. A staff person with responsibility for data security might be very well qualified – or not qualified at all – their responsibilities notwithstanding.

Asked whether a client ever requested a security audit or asked their firm to verify security practices, roughly 52 percent of respondents from firms with 100 or more attorneys said they didn’t know. In the real world, if the firm has more than 100 attorneys, it has probably been asked for an audit by multiple clients, many of whom are distinctly worried about law firm security.

An even larger number of respondents didn’t know if their firm has ever had a full security assessment conducted by an independent third party — at firms with 100 to 499 attorneys, 57.6 percent didn’t know, and at firms with more than 500 attorneys, 77 percent didn’t know.

And that's a crying shame. Those attorneys have no idea whether their confidential data is adequately protected. Their firms should be educating them about that – and they should be asking questions to ensure that they are in compliance with their own ethical duties, a requirement which they cannot simply transfer to whoever is responsible for cybersecurity.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson