It seems that every week, the news reports on yet another company that suffered a cyber breach. Law firms, even small firms, are not immune from cyber-attacks. As you know, your ALPS legal malpractice insurance comes with a separate Cyber policy attached unless you opted out of this coverage. However, as this is a new product and this threat relatively recent, you may not understand the details and, more importantly, your obligations when you discover a cyber issue in your law office.
IMMEDIATE WRITTEN NOTICE – This is the first and most important obligation of the Insured and it is not one to be taken lightly. Your cyber coverage depends on this first and most important step. This is because your cyber policy, just like your legal malpractice insurance policy, is a Claims Made and Reported Policy. This means that you must immediately report any claim in writing. Different from your legal malpractice insurance policy however, your Cyber policy also contains first party coverages. The policy also requires that you immediately report any cyber incident upon discovery. In other words, in order to trigger coverage under your Cyber policy, you don’t need to wait for a “claim” as that is traditionally understood. Rather, any type of discovery of a cyber breach triggers your obligation to send in written notice.
One reason that it is so important to immediately notify ALPS when you discover a cyber issue is because your policy provides Privacy Breach Response Services. This is defined in your cyber policy as costs incurred to hire a computer security expert to determine the existence and cause of any electronic data breach and for fees charged by an attorney to determine the applicability of breach notice laws and actions necessary to comply with these laws in the event of a theft of certain types of information from your law firm. It also provides notification services and call services. However, all of these services must be provided through certain specialists through your policy. Therefore, it is NOT possible to address a cyber incident and later notify ALPS and request reimbursement. Your policy also contains coverages that may pay for regulatory defense and penalties that the firm may be subject to because of the breach.
An additional reason immediate written notice is so important is because your policy also provides coverages for Crisis Management in the event of a Public Relations Event. A Public Relations Event is defined by your cyber policy as the publication or imminent publication of a covered claim under the cyber policy or an incident requiring privacy breach notifications. Some of the expenses that the Cyber policy may pay under this section are costs incurred to retain a public relations or crisis management consultant; costs for media purchasing or printing/mailing materials intended to inform the general public about the event; voluntary notifications to clients; costs to restore certain types of records and to provide required government notifications. Again, in order to receive the policy benefit of all of these types of services, you must first report the situation to ALPS and work through your Cyber policy. It is not possible to attempt to manage these types of tasks on your own and later request reimbursement.
Therefore, if you find yourself in the unfortunate situation of having suffered a cyber breach, please notify ALPS immediately at firstname.lastname@example.org.