Lady Gaga's Law Firm Hacked & Client Data Held For Ransom: How Advisors Should Act Going Forward
How secure is your client data?
Whether a firm works with stars like Lady Gaga, Elton John, and Madonna, or with less renowned hard-working individuals and families, the client data that it stores and uses is at an ever-increasing risk of being targeted by cyber criminals. The increased prevalence of cyberattacks on businesses large and small has brought both cyber security and cyber insurance to the forefront of risk management conversations. Unfortunately, however, too few companies have adequate coverage for their own and their clients' needs. This lack of coverage can result in enormous and potentially bankrupting out-of-pocket expenses, as well as lawsuits from clients seeking indemnity for their lost information and the public relations costs and impact of having their private information leaked to the public.
With the average cost of a cyberattack on a business now hovering somewhere between $200,000 and over $4,000,000 (and increasing steadily), and with new cyber insurance offerings from top-rated carriers being launched and frequently improved to reflect the ever-evolving risk landscape, there remains no excuse for firms not to have this final layer of protection in place. While it remains to be seen whether or not Lady Gaga's law firm had cyber insurance in force and, if so, at what limits, the ransomware demand it is facing is for no less than $21,000,000, and that is without considering the prolonged financial damage the firm will face due to the inevitable loss of client trust following the incident. Whether it ends up being the firm or its insurance provider, someone is going to lose millions even if the ransom is refused. It is now up to risk managers and those advising clients to force this issue, as public knowledge of the availability of this coverage remains limited. It should not simply be assumed that a firm's cyber security measures will prevent 100% of attacks, or that it has a cyber insurance policy in place with adequate limits and coverage. Indeed, it should not even be assumed that a firm has any form of advanced cyber security in place.
Considering that something as simple as a minor human error can open the digital door for hackers, there is no antivirus software, two-factor authentication system, data backup, or other method or combination of methods that will provide guaranteed security from cyberattacks or cyber extortion. The ever-present risk that even the tightest security measures will fail must be acknowledged by all firms handling client data or generating even a portion of their revenue online, and in acknowledging this exposure they must additionally acknowledge that the only way to provide a proper protective backstop is through the purchase of a broad cyber insurance solution.
While governmental entities such as the EU and the state of New York have mandated data protection compliance regulations of varying complexity, there is no one-size-fits-all solution to protecting online data, and as with any regulation there remains room for unintentional failure to comply, as well as exemptions for smaller firms that may still face enhanced risk due to the nature of their business operations. Further, though regulatory measures are often born out of the intention to protect consumers, firms, particularly those handling the data of and providing services for affluent individuals and families, should not need a governmental push in order to take decisive action and provide a solution to indemnify their clients if they are hit with an attack that leads to financial loss and potentially a public relations fallout.
In order to better protect client data across the board, and to provide improved standards for businesses maintaining client data to protect their own operations as well, I propose that clients, and any of their trusted advisors who refer them to other firms that will or may work with their private information, demand proof that the firm has adequate cyber insurance in force before agreeing to do business with it. Certainly the term "adequate" does not suggest a firm number, and it is not intended to. Adequate insurance limits must be estimated and calculated based on the exposure of the firm and of the client whose data is being used. Firms servicing affluent individuals, and affluent individuals themselves, are likely at greater risk of attack than those out of the public eye, for example. This proof-of-insurance precedent, while not yet popularized with regard to client data protection, is seen throughout nearly every industry. When someone rents an apartment or home, or when a business leases office space, they are generally contractually obligated to at the very least provide proof of liability insurance up to a required limit. When buying a home, a mortgage company will mandate that insurance be purchased with specified coverage limits in place. When buying a car, the loan agreement will generally require proof that comprehensive and collision coverage are in place. The list could go on for several more paragraphs, but the point is clear: providing proof of insurance prior to handling someone's property is a requirement with clear precedent.
Personal information, such as digital conversations (e.g. email exchanges and text messages), images, financial information and the like, even when in digital format, is property just like a car, home or office space. Though the hazards that place digital data at risk are far different from the fires, burst pipes, and falling objects that can damage physical property, the concept of digital property deserving similar consideration and protection is, in my opinion, rather indisputable. Forcing the issue of acquiring cyber insurance should not be the duty of the government, as it is the firms using client data that are themselves at risk, not just their clients, and therefore the purchase is also in their own best interest, not just in the interest of their clients. Government insurance mandates are, though well intentioned, often significantly inadequate. For example, state auto insurance liability limits are generally extremely low, and anyone who has seen insurance claims involving uninsured/underinsured motorist coverage knows this to be true in too many cases. There is no reason that this would not be the end result of state or national governments mandating that cyber insurance be purchased by certain firms with specific minimum limits.
The focus, and the challenge, of figuring out what limits are adequate for specific firms handling the data of affluent individuals (e.g. law firms and accountants) should lie with the firms and their insurance brokers, as well as with the advisors who refer and jointly work with these clients (e.g. wealth managers). This method will provide a holistic approach to assessing risk, which will undoubtedly result in both better cyber security measures being put in place and more adequate cyber insurance limits being purchased across the board. If clients and their referring advisors press the issue, over the coming years we will see proof of cyber insurance as a contract stipulation before agreeing to share data just as often as we see liability insurance as a stipulation for obtaining office leases, and privacy will be safer because of it.
Lastly, to those who may suggest that it is the responsibility of the individual sharing their data to protect it and to decide who to share it with: this is only partially possible at the present time. While certain High Net Worth (HNW) insurance providers offer personal cyber insurance coverage to affluent individuals and families, these coverage offerings, while broad in their language, often exclude damages caused by a cyberattack originating on third-party systems. Therefore a hack of a law firm or other entity holding their data (e.g. a cloud services provider) would not be covered, and would remain the responsibility of the hacked entity to resolve and potentially to provide indemnification for. Personal lines cyber insurance is an extremely important product, and one that will continue to develop over time, but it cannot be assumed to be a backstop for poor handling of data by external entities. Though advisors must also discuss personal lines cyber coverage with their clients, it must be understood that it has limited utility. It remains unclear what will happen to Elton and Gaga's law firm, but what we should do now is hope that the fallout is minimal while also using this incident as added impetus to bring the ever-growing need for cyber insurance further into the popular consciousness.