Lawyers told to get serious about cybercrime

Get serious about cybercrime or be ready to pay the cost, LawPRO is telling lawyers as it looks to limit coverage for practitioners who fall victim to such incidents.

In its report to Convocation at the Law Society of Upper Canada last week, LawPRO announced it’s freezing its insurance premium next year but is making changes to coverage, most notably for cybercrime. “There will be $250,000 in coverage under the policy, a limited amount that provides some protection but will need to be supplemented by a vigorous risk management program on the part of law firms,” LawPRO chairwoman Susan McGrath and president and chief executive officer Kathleen Waters wrote in a letter to Convocation detailing the insurance changes for 2014.

In announcing the $250,000 cap, LawPRO’s report noted a number of high-profile cybercrime incidents affecting businesses in recent years. “Lawyers and law firms are no exception to this,” the report stated. “In fact, given their access to confidential client information and client trust funds, as well as varying levels of technological security, it can be expected that lawyers and law firms represent appealing targets to cyber criminals.”

The new policy will “exclude coverage for claims relating to or arising out of cybercrime, except where claims arising out of liability for cybercrime results in the unauthorized disclosure of confidential data and/or misappropriation of client trust funds, that have been entrusted to the lawyer as a direct consequence of the performance of professional services, in which case coverage, funded by base rate premiums, shall be available subject to a sublimit of liability of $250,000 per claim and in the aggregate (inclusive of indemnity payments, claim expenses, and/or costs of repairs, as well as deductible) per lawyer and across the law firm, for single and related claims.”

According to McGrath, no other legal professional liability insurer in Canada offers protection for cybercrime. So in instituting the $250,000 cap, LawPRO is encouraging lawyers to “become serious about cyber security.” They also have the option of getting additional coverage for cybercrime in the commercial market, McGrath notes.

“The only protection is for client data or client money,” she says, adding a big concern relates to security at small law firms as opposed to their larger counterparts that in some cases have invested heavily in the area following revelations of large data breaches in recent years.

“I think the biggest concern is from the smaller firms or small practitioners,” she says. “I think part of the problem is cybercrime and cyber security is not top of mind for all lawyers across Ontario.”

Lawyers do have questions, however. Technology lawyer Mark Hayes of Heydary Hayes Professional Corp. notes the exclusion should clearly define what cybercrime is given the wide range of things that can happen. “There’s an extraordinarily wide range of activities that could fall under that rubric,” he says. “It’s one of those things that can mean almost anything.”

While he agrees with the need to address the issue, Hayes says affording commercial insurance for cybercrime will be a challenge for some lawyers. Instead, he’d rather see LawPRO take a “more granular” approach to the issue by providing the coverage but on a sliding scale based, for example, on the risks associated with different practice areas. “The problem for lawyers is that it’s generally a more expensive proposition to do individual assessments of those kinds of risks,” he says.

Like McGrath, Hayes suggests many of the concerns lie with smaller law firms in terms of how effectively they’ve put in place protections to prevent cybercrime. “I think there has been some seriousness in the bigger firms,” he says.

“In the smaller firms . . . I think it’s been an extraordinarily wide range,” he adds, noting the big risk in terms of data security is with firms that use cloud computing services.

For Daniel Tobok, national managing director of forensics for Telus Communications Co., law firms need to do more than just invest in firewalls to prevent breaches of client information. “I always start with the internal process, education,” he says, noting that talking to employees about security issues is cheaper than elaborate technological solutions. Audits and controls are also key, he adds.

What’s worrisome, he says, is that many lawyers, particularly those at small law firms, aren’t aware of the threats as they believe they won’t be a target. “They all have this feeling that nobody’s going to target them. What they’re missing is it’s no longer about somebody going particularly after you,” he says.

“It’s random,” he adds.

In describing some of the concerns he’s had about law firms, he notes some of them have Wi-Fi networks without passwords. “If I can get into their network through a Wi-Fi, I can do a lot of damage to them,” he says.

He also has concerns about firms’ bring-your-own-device policies, something he calls “the devil’s work.”

“The problem is not every law firm knows how to handle that. We’ve seen some interesting incidents in many law firms.”

LawPRO’s changes follow high-profile revelations of the siphoning of $380,000 from an Ontario firm’s trust account last year. Through malware, fraudsters were able to follow a bookkeeper’s keystrokes and use the information to access its online banking system. “With total incurred costs of $392,715, this claim represents the first substantial loss under the program as a result of cybercrime,” the LawPRO report notes.

For some lawyers, restrictions on coverage for cybercrime are welcome. Toronto criminal lawyer Aaron Harnett, who has seen many bogus-cheque scams in his e-mail inbox, says practitioners need to be extra vigilant.

Besides the cybercrime changes, the good news for lawyers is LawPRO is freezing base premiums at $3,350. It’s also increasing the deductible for claims related to administrative dismissals to $10,000.
