
OBLIC starts fifth year of cyber insurance coverage

Technology for Lawyers

Published: January 17, 2020

The Ohio Bar Liability Insurance Company is entering into its fifth year of offering cybersecurity (cyber breach) insurance to Ohio lawyers, and the effort to add that protection to the company’s basic legal malpractice coverage was well worth it, said President and CEO Steve Couch.
“We have had four solid years” with the coverage, he said.
A $50,000 data breach coverage amount comes automatically with OBLIC’s professional liability insurance policy for all firms it insures, with a $50,000 aggregate limit for firms with under 10 attorneys and a $125,000 aggregate for larger firms, said Couch.
The company offers higher levels of coverage upon further application and approval.
“If firms evaluate their exposure and find that they need higher coverage, we can sell higher limit policies,” he said.
OBLIC’s basic data breach coverage is supplied by Tokio Marine America Insurance Company.
OBLIC has partnered with the Ohio State Bar Association to provide legal malpractice and other lawyer-specific insurance coverage since 1979. Besides professional liability and cybersecurity coverage, OBLIC provides through its captive insurance agency business owners policies, court bonds, disability insurance, and health and life insurance, among other products.
OBLIC currently covers about 5,800 Ohio attorneys, from solos to firms of over 65 attorneys, in all areas of practice. Even though data breaches at large firms have been an ongoing problem for several years, the attorneys covered by OBLIC have not yet been dinged all that badly by breaches.
Couch said that there have been about 30 cyber breach claims filed with OBLIC since 2015. Only three were in the current mega-threat category of ransomware and were for “very small amounts.”
In fact, one attorney reported only his second ransomware attack. The rest of the data breaches were in various categories, including phishing attacks and lost devices.
The costs of a data breach can add up quickly.
Costs can include ransom payments, computer forensics, legal representation, PR, client notification, business interruption and reputational damage, not to mention the possibilities of a civil lawsuit or an ethics violation grievance.
The policy also explicitly covers the legal cost of any problems with the various federal and state agencies that may be in on a cybersecurity breach case.
Even a small cyber breach can be costly to a small or mid-sized firm, so this kind of insurance can be very helpful in the case of a data breach.
In addition to breach coverage, OBLIC also supplies policyholders with a set of tools to help with law firm cybersecurity matters in its “Cyber Toolbox.”
These include cyber training courses and guides, awareness posters, recorded webinars, sample internal policies and procedures, sample agreements, information security incident response plans, and a wide variety of best practice tips and advice.
The toolbox also includes some basic information regarding an assortment of privacy laws, including the new CCPA and GDPR.
If a firm does decide that the base coverage of the cyber breach policy may be insufficient, they may apply for more expanded coverage through OBLIC with Tokio Marine America Ins. Co., said Couch, who sent an application to review.
These expanded policy limits start at $250,000 and can be as high as $5 million (with correspondingly higher premiums) and are individually underwritten.
While the basic coverage is included in the policy without any extra rating, the expanded policy coverage application takes a deep dive into the inner workings of the law firm.
Questions on that application include full business disclosures, including annual business trends (is your business going up or down?).
There is a question on the percentage of business dedicated to e-commerce, more than a score of extensive detailed questions on internal cybersecurity, full disclosure of wire transfer protocols (real estate attorneys are often cyberattacked during money transfers), questions on removable media by type and policy and more.
Larger firms or firms that are more exposed to breaches by virtue of their practice areas (like, again, real estate or intellectual property) may benefit from these larger policies.
Couch said that there are about two dozen firms that have taken the extra coverage. The need for higher limits is often dictated by the amount and type of data collected and maintained by law firms – the older the firm, the greater the amount of data.
And it is likely that the larger the firm, the more scattered, and therefore the more vulnerable, that data is. It is a constant battle.