So a few weeks back I was interviewed about several current issues in cyber liability insurance. As part of the lead-up to the interview, I was sent a couple of links concerning issues that the interviewer wanted my take on. Most of them I’d seen before. However, there was one that was new to me:
After reading the article, I was stunned that a law firm – as in a business that performs at least most of its work in the practice of law – would even consider filing such a lawsuit. Turns out they even got an attorney in a different firm to represent them. They were at least smart enough about not being – or having – a fool for a client. While you might disagree with me on the merits of this particular lawsuit – as an attorney whose practice includes insurance coverage matters, I can concede that insurance is treated differently from state to state – there’s definitely something that everyone can take away from this incident.
There is one thing you absolutely, positively must do before purchasing cyber liability insurance:
Talk to a lawyer!
Not just any lawyer. A lawyer who understands insurance coverage. And who has at least a basic familiarity with cyber security. They don’t need to have a side career in IT, just an understanding about how cyber attacks work. This knowledge is particularly important concerning how the interpretation of your cyber insurance policy may apply to a real-world cyber attack.
Here’s an example of what happens when you wait until after a cyber attack to understand what your insurance covers:
The Case: Moses Alfonso Ryan, Ltd. v. Sentinel Insurance Co., Ltd.
Before I continue, my opinions concerning the merits of this case, and of the actions taken by Moses Alfonso Ryan, their attorneys, and representatives, are based solely on the published articles concerning this lawsuit, the filed complaint and answer in this action, and my experience in both insurance coverage issues and cyber security.
For those not familiar, this case involves a Rhode Island law firm, Moses Alfonso Ryan, and their recent experience with ransomware. On May 22, 2015, an attorney at the law firm opened an attachment in an email, and the next thing they knew, everything they had was encrypted. [Compl., ¶¶ 26-31.]
At least, that’s what the lawsuit alleges. What actually happened was that malware embedded in the email planted itself within the law firm’s network. Then, at a pre-set time, it began the process of encrypting the law firm’s files. That’s how encrypting ransomware works.
The law firm’s network was encrypted – rendered “inoperable” per the complaint – resulting in the lawyers and staff losing access to the data they’d stored in their network. [Compl. ¶ 32.] As a result, the law firm was “essentially unproductive.” [Id.] The law firm hired experts in “computer cyber-attack responses” in order to “remedy its computer network and return the firm to efficient productivity.” [Compl., ¶ 34.] Unfortunately, the experts were unable to do anything. [Compl., ¶ 35.]
The law firm then began to “search for the identity of the perpetrators” of the attack, which apparently took a bit of time. [Compl., ¶ 36.]
For what it’s worth, this makes no sense at all. It’s a really bad hostage-taker who is hard to find when you want to learn their ransom demand.
The firm made contact with the hackers in June (which, as you may notice, is a minimum 9 days after the hack first took place), and through what I can only hope was a ridiculous, Keystone Kops comedy of errors, didn’t get their system decrypted until sometime in July, after paying two separate ransoms. [Compl., ¶¶ 37-52.]
There are a ridiculous number of problems that the law firm apparently created for themselves – none of which have anything to do with their insurance policy, some of which I have described above.
The firm reported the cyber attack to their insurance company sometime in June (June 2nd, I believe, based on reading in a different publication that I am unable to recall at the moment). Again, please note, at least a week after the attack was discovered, and potentially after they first made contact with the hackers responsible.
Even though the insurance policy in this matter isn’t what I would necessarily call a “cyber liability insurance policy,” my advice applies to anyone who believes the insurance policy they’re purchasing protects them in the event of a cyber attack.
Update: For anyone interested in how this issue is playing out in other contexts, check out Mondelez’s claim against its insurance carrier concerning the NotPetya ransomware. In that case, Mondelez’s insurance policy is not a cyber liability policy, but the insurer has denied coverage based on their exclusion for state-sponsored acts of war. It’s getting interesting in here, folks.
The lawsuit alleges that the policy covered the law firm’s purported losses as “Loss of Business Income” under the policy’s Special Property Coverage Form. [Compl., ¶¶ 55-61.] The lawsuit then actually quotes the terms of the policy (which would be where this case would end in North Carolina, fwiw):
[The Insurance Company] will pay for the actually loss of Business Income you sustain due to the necessary suspension, (sic) of your “operations” during the “period of restoration”. (sic) The suspension must be caused by direct physical loss of or physical damage to property at the “scheduled premises” including personal property in the open (or in a vehicle) within 1,000 feet of the “scheduled premises”, (sic) caused by or resulting from a Covered Cause of Loss.
[Compl., ¶ 55 (emphasis added).] Yes, that’s from the plaintiff’s complaint. Note that in what’s supposed to be a document providing the most persuasive case for why the law firm is entitled to recover from the insurance company, their only claim is based on a policy provision that covers “direct physical loss of or physical damage to property.”
How much are they demanding from the insurance company? According to press reports, $700,000. Oh, and that’s just the compensatory damages. The lawsuit also seeks attorney’s fees, expert witness fees (apparently beyond what would normally be allowed in a breach of contract case), and… yep, punitive damages.
So how does the policy cover cyber attacks?
The question of what is covered by any particular insurance policy is almost always going to be determined exclusively by looking at the policy language itself. This policy is not a cyber liability policy, so where should we begin to determine if this policy provides any coverage in this case?
Turns out, there’s actually an entire section of the policy that actually includes the word “Computer” in its title. If you were guessing that the law firm’s case was based on recovering pursuant to that section, you’re either new here, or have yet to pick up on my sarcasm. The law firm is relying on the Special Property Coverage. So where is the computer stuff?
Under a completely separate endorsement to the policy – the Computers and Media Endorsement. [Answer, Affirmative Defense 1-4.] That endorsement is the only part of the policy that provides protection for… wait for it… a “computer virus.” And the policy in place did provide coverage for loss of data and business income due to a computer virus – $20,000 in total, to be exact. All of which, the insurance company notes in its response, it has already paid.
I’m honestly not sure how this lawsuit will play out.
I know how I think it should play out, and likely how it would in North Carolina: In my mind, this is a 12(b)(6) or 12(c) win for the insurance company in a heartbeat. And potential Rule 11 issues for the attorney who filed a lawsuit based on a claim that was clearly not covered by the insurance policy in question.
The language of the policy – directly cited by the law firm in its freaking complaint – should be enough to show that the policy didn’t cover computer hacking under the “physical damage” provision. Moreover, the fact that the policy did provide coverage for hacking in a different section – information the law firm will likely be charged with knowing, since most states assume an insured has read their own policy – should be damning. Plus, it’s difficult for me to envision a judge agreeing that a law firm, as a sophisticated party, has any legitimate reason to claim lack of understanding of an insurance policy.
However, it’s clear that the law firm, and their counsel, fundamentally don’t understand cyber security, or the insurance that provides coverage in the context of a cyber attack.
This case may not the best example of honest, legitimate confusion concerning whether a policy should apply to a cyber attack. A better example might be whether legal malpractice insurance applies when a real estate law firm mis-directs a wire transfer due to fraudulent instructions. However, both situations demonstrate the trouble you could be in if you don’t fully understand how your insurance policy works.
How Well Do You Know Your Cyber Liability Insurance Policy?
Does your insurance policy include any coverage for cyber attacks?
Do you know if your insurance policy will treat a ransomware attack differently than a data breach where confidential data is stolen?
Do you know if your insurance company will pay for IT specialists to help you recover your data after they’ve dealt with the cyber attack?
Do you know if your insurance company will limit or deny coverage if your law firm’s cyber security policies are not enforced?
Do you know how your insurance policy works in the event you are attacked?
Since You Don’t Know, You’d Better Ask!
… and probably before you’re in the position Moses Alfonso Ryan found themselves.
I don’t care that you’re a lawyer. The intersection of cyber security and insurance is difficult enough to navigate for insurance brokers and insurance attorneys – trust me, I know. It’s beyond disturbing to me when I hear a pitch from a broker about cyber liability coverage that I know is a misrepresentation of the policy. It happens more often than not, sadly.
If you’re not familiar with how your cyber liability insurance policy operates (or if you even have one), or you don’t know what your insurance policy covers – as the Moses Alfonso Ryan law firm clearly did – how can you ensure you’re adequately protecting your clients? Do you really think that the attorneys at Moses Alfonso believed that their law firm name would be synonymous with ignorance of both how to respond to a cyber attack and how your own insurance policy works? Too bad, they already are, at least to the people I’ve talked to about this case.
Before you purchase a cyber liability insurance policy, talk to someone who knows them. I actually recommend bringing them with, if you can. There is no standard policy yet, no regulator-approved version of the policy language with decades of case law to rely on as with most other types of insurance. This is a new area, and it’s largely untested.
Since the security of your clients’ confidential information, and the health of your business, is at stake, remaining in the dark simply isn’t an option.
About the Author
Brian Focht is a civil litigation attorney and technology enthusiast. In addition to being the author of The Cyber Advocate, he is also the producer and host of the Legal Technology Review podcast, and co-founder of B&R Concepts, a small business technology consulting company.