Insight

Cyber Coverage Pitfalls

Institutional data breaches are, unfortunately, more common (and more costly) than ever. Cybersecurity insurance can help—but is your firm’s policy really as ironclad as you think?

Digital lock shatters into pieces
RW

Robert W. Wilkins

November 2, 2022 04:00 PM

An oft-repeated mantra in business and technology is that it’s not a question of if a data breach will happen, but when. The average cost of a corporate data breach in the United States is nearly $9.5 million, according to an IBM report published in 2022. Without adequate cybersecurity insurance, companies (and law firms) might find themselves facing a double threat: being the victim of a breach and then having to contend with the denial of their cyber insurance claim. This article addresses the risks of failing to implement and follow all of the policies and procedures required by the cyber insurance policy.

Given the exponential growth in breaches and their high costs, insurance providers are raising premiums and increasingly investigating whether the practices, as represented by the insured when it applied for coverage at the outset, were implemented and regularly tested and updated as needed. Failure to do so has resulted, and will continue to result, in denial of coverage.

The Expanding Litigation Threat

The biggest risk of this kind that businesses face is not from individual plaintiffs asserting damages from a data breach—it’s a class action brought on behalf of all those similarly situated. In the past, Article III standing cases have generally held that plaintiffs could not establish the requisite “injury in fact” based on the mere risk of future harm because their personally identifiable information or protected health information was exposed.

For years, class-action data breach cases have foundered on that basis. However, a growing body of case law provides guidance on what constitutes “concrete harm,” and the number of class-action cases finding a concrete injury is on the rise. For a good summary of the law on this critical issue, see TransUnion LLC v. Ramirez (2021) and Hunstein v. Preferred Collection and Management Services, Inc. (2022).

Loss of Insurance Coverage

Recent reports have shown that an insured party’s perception of its security versus reality often differ greatly. One of the biggest reasons for coverage denial concerns misrepresentations in the company’s application and/or the failure to maintain security practices amid the ever-changing threat environment. Most cyber insurance policies provide broad coverage for cyber extortion, data restoration, public relations, computer fraud, business interruption, regulatory compliance and related elements. However, the coverage under a policy depends on the representations the insured made in its application, and its subsequent compliance with them.

A typical application for cybersecurity insurance will contain a privacy and security liability questionnaire, as well as a portion about information security. Key items insurance providers require for such policies, according to an August 2022 FitchRatings report, include the use of multifactor authentication, employee training on phishing and other types of cyberattacks, strength-of-password requirements, regulatory reporting obligations, an assessment of the quality of one’s incident-response plan and penetration testing. In addition, all 50 states have data-breach notification laws, and law firms or clients must comply with the requirements of each state in which they do business.

Companies must regularly monitor, update and test all cybersecurity requirements mandated in their policy.”

The hole in the cyber insurance net stems from the insured’s potential misrepresentations in its application and its failure to adjust to the changes in the methods by which bad actors gain illegal access to data. Recently, one insured business that suffered an enormous data breach was denied coverage and had its policy rescinded. See Travelers Property Casualty Company v. International Control Services, Inc. (2022).

Travelers’ success was based on the fact that International Control Services, in its policy application, stated (and signed a separate attestation) that it required multifactor authentication to gain administrative access to its data. Upon investigation, Travelers determined that ICS misrepresented the scope of its authentication process, resulting in the breach.

A business’s failure to follow the policies and procedures claimed in its application is dire. In fact, most insurance policies have a specific exclusion that precludes coverage for claims arising from the policyholder’s failure to maintain adequate security standards. Companies must regularly monitor, update and test all cybersecurity requirements mandated in their policy. The same is true for policies regarding cyber extortion and ransomware attacks.

It’s not just insurance companies that require businesses to have solid procedures and policies to prevent and contain data breaches. Banks, corporate clients and a multitude of others require similar assurances from law firms they deal with that the firms have, comply with and regularly test, update and monitor a written information-security policy and incident-response plan.

Takeaways

The increase in data breaches, the costs resulting from them (which can include potential criminal and regulatory liability), the representations required by clients and insurance companies and the need to meet constantly changing threats in this data-driven age demand that law firms and their clients implement and closely monitor cybersecurity policies and practices. To that end:

  • Read your cybersecurity insurance policy application and representations to confirm each representation is accurate.
  • Update your policies and practices to stay on top of changes and innovations in data security.
  • Train and test your employees in data security practices and potential breaches, especially phishing schemes.
  • Keep an open line of communication with your insurance provider and follow its recommendations regarding cybersecurity.
  • Consider having an outside vendor run penetration tests of your data security systems.

The bottom line: Breaches may be inevitable, but diligence and preparation can mitigate both their financial and reputational impact.

Robert W. Wilkins, a Jones Foster shareholder, and the Litigation & Dispute Resolution Practice Group Chair, is double Board Certified by The Florida Bar in the areas of Business Litigation and Civil Trial. He is Co-Chair of the E-Discovery Subcommittee and the Data Security Subcommittee of the ABA Litigation Sections’ Commercial and Business Litigation Committee. He is also an active member of The Sedona Conference Working Group 1, Electronic Document Retention and Production and Working Group 11, Data Security and Privacy Liability.

Headline Image: istock/TU IS

Related Articles

Build Your Legal Practice with Effective Online Networking


by Jamilla Tabbara

How thoughtful online networking supports sustained legal practice growth.

Abstract web of connected figures symbolizing online networking among legal professionals

Blogging for Law Firms: Turning Content into Client Connections


by Jamilla Tabbara

How law firms use blogs to earn trust and win clients.

Lawyer typing blog content on laptop in office

Law Firm Marketing ROI: Strategies for Small and Midsize Firms


by Jamilla Tabbara

Understand how to improve your marketing ROI with methods tailored for law firms.

3D Computer with Icons Representing ROI Tools and Metrics

Law Firm Marketing: 5 Strategic Steps to Attract More Clients


by Jamilla Tabbara

A practical framework for marketing a law firm with purpose.

Light bulb above a chalkboard illustrating strategic ideas

Best Lawyers Introduces Smithy AI


by Jamilla Tabbara

Transforming legal content creation for attorneys and firms.

Start using Smithy AI, a content tool by Best Lawyers

Why Visibility Matters: The Case for Legal Thought Leadership Today


by Jamilla Tabbara

Build trust before the first consultation.

 lawyer standing on a staircase, symbolizing advancement and thought leadership

How Whitepapers Become Legal Content That Builds Trust


by Jamilla Tabbara

Turning expertise into visibility with strategic white papers.

Stack of legal white papers on a desk representing thought leadership

How to Use Content Syndication to Get Your Law Firm Website Content Seen


by Jamilla Tabbara

Syndicate your law firm’s content on trusted legal platforms to reach a wider audience and drive qualified traffic back to your website.

Legal professional drafting syndicated content on a laptop for third-party publication

Changes in Employment Arbitration for 2025


by Debra Ellwood Meppen, Brandon D. Saxon and Laurie Villanueva

What businesses need to know to stay ahead of the curve.

Suited man holding up falling walls with gray and yellow backdrop

Legal Content Strategy: A Key Driver of Law Firm Growth


by Jamilla Tabbara

Is your law firm’s content missing the mark? Here’s why it’s not delivering results.

Marketer developing a strategic plan for legal business growth.

The Best Lawyers Network: Global Recognition with Long-term Value


by Jamilla Tabbara

Learn how Best Lawyers' peer-review process helps recognized lawyers attract more clients and referral opportunities.

Lawyers networking

Showcasing Legal Knowledge: Leveraging Success Stories


by Jamilla Tabbara

Let your firm's success stories speak for themselves.

Person reading client testimonials on a laptop, highlighting social proof for a law firm

Is Your Law Firm’s Website Driving Clients Away?


by Jamilla Tabbara

Identify key website issues that may be affecting client engagement and retention.

Phone displaying 'This site cannot be reached' message

6 Steps to Finding the Right Keywords for Your Legal Content


by Jamilla Tabbara

Follow a practical guide to keyword research and boost your law firm’s SEO to reach more potential clients.

 letters symbolizing keywords for legal content

Effective Communication: A Conversation with Jefferson Fisher


by Jamilla Tabbara

The power of effective communication beyond the law.

 Image of Jefferson Fisher and Phillip Greer engaged in a conversation about effective communication

Jefferson Fisher: The Secrets to Influential Legal Marketing


by Jennifer Verta

How lawyers can apply Jefferson Fisher’s communication and marketing strategies to build trust, attract clients and grow their practice.

Portrait of Jefferson Fisher a legal marketing expert

Trending Articles

Introducing the 2026 Best Lawyers Awards in Australia, Japan, New Zealand and Singapore


by Jennifer Verta

This year’s awards reflect the strength of the Best Lawyers network and its role in elevating legal talent worldwide.

2026 Best Lawyers Awards in Australia, Japan, New Zealand and Singapore

Revealing the 2026 Best Lawyers Awards in Germany, France, Switzerland and Austria


by Jamilla Tabbara

These honors underscore the reach of the Best Lawyers network and its focus on top legal talent.

map of Germany, France, Switzerland and Austria

Effective Communication: A Conversation with Jefferson Fisher


by Jamilla Tabbara

The power of effective communication beyond the law.

 Image of Jefferson Fisher and Phillip Greer engaged in a conversation about effective communication

The 2025 Legal Outlook Survey Results Are In


by Jennifer Verta

Discover what Best Lawyers honorees see ahead for the legal industry.

Person standing at a crossroads with multiple intersecting paths and a signpost.

The Best Lawyers Network: Global Recognition with Long-term Value


by Jamilla Tabbara

Learn how Best Lawyers' peer-review process helps recognized lawyers attract more clients and referral opportunities.

Lawyers networking

Jefferson Fisher: The Secrets to Influential Legal Marketing


by Jennifer Verta

How lawyers can apply Jefferson Fisher’s communication and marketing strategies to build trust, attract clients and grow their practice.

Portrait of Jefferson Fisher a legal marketing expert

Is Your Law Firm’s Website Driving Clients Away?


by Jamilla Tabbara

Identify key website issues that may be affecting client engagement and retention.

Phone displaying 'This site cannot be reached' message

A Guide to Workers' Compensation Law for 2025 and Beyond


by Bryan Driscoll

A woman with a laptop screen reflected in her glasses

Medical Malpractice Reform Trends in Texas, Utah, Georgia and SC


by Bryan Driscoll

A fresh wave of medical malpractice reform is reshaping the law.

Medical Malpractice Reform Trends hed

Why Jack Dorsey and Elon Musk Want to 'Delete All IP Law'


by Bryan Driscoll

This Isn’t Just a Debate Over How to Pay Creators. It’s a Direct Challenge to Legal Infrastructure.

Elon Musk and Jack Dorsey standing together Infront of the X logo

Best Lawyers Launches CMO Advisory Board


by Jamilla Tabbara

Strategic counsel from legal marketing’s most experienced voices.

Group photo of Best Lawyers CMO Advisory Board members

As Fla. Pushes to Repeal Controversial 'Free Kill' Law, DeSantis Signals Veto


by Bryan Driscoll

The fight to transform state accountability standards may be in trouble

free kill law hed

Changes in California Employment Law for 2025


by Laurie Villanueva

What employers need to know to ensure compliance in the coming year and beyond

A pair of hands holding a checklist featuring a generic profile picture and the state of California

Key Issues to Tackle on Law Firm Landing Pages


by Jamilla Tabbara

Identify key issues on law firm landing pages to improve client engagement and conversion.

Laptop showing law firm landing page analytics

New Employment Law Recognizes Extraordinary Stress Is Everyday Reality for NY Lawyers


by Bryan Driscoll

A stressed woman has her head resting on her hands above a laptop

Best Lawyers Introduces Smithy AI


by Jamilla Tabbara

Transforming legal content creation for attorneys and firms.

Start using Smithy AI, a content tool by Best Lawyers