
CYBER LIABILITY:

THREATS, TRENDS,
& COVERAGE

CLE Credit: 1.0 Ethics


Sponsor: Lawyers Mutual of Kentucky
Thursday, June 13, 2019
8:30 – 9:30 a.m.
Combs-Chandler
Galt House Hotel
Louisville, Kentucky
A NOTE CONCERNING THE PROGRAM MATERIALS

The materials included in this Kentucky Bar Association Continuing Legal Education
handbook are intended to provide current and accurate information about the subject
matter covered. No representation or warranty is made concerning the application of the
legal or other principles discussed by the instructors to any specific fact situation, nor is
any prediction made concerning how any particular judge or jury will interpret or apply
such principles. The proper interpretation or application of the principles discussed is a
matter for the considered judgment of the individual legal practitioner. The faculty and staff
of this Kentucky Bar Association CLE program disclaim liability therefor. Attorneys using
these materials, or information otherwise conveyed during the program in dealing with a
specific legal matter have a duty to research the original and current sources of authority.

Printed by: Evolution Creative Solutions
7107 Shona Drive
Cincinnati, Ohio 45237

Kentucky Bar Association


TABLE OF CONTENTS

The Presenters................................................................................................................. i

Cyber Liability: Threats, Trends, and Coverage............................................................... 1

Addendum I ................................................................................................................... 17
THE PRESENTERS

Sarah Dufendach
Beazley Group
(215) 446-8434 x2088434
sarah.dufendach@beazley.com

SARAH DUFENDACH is the business manager for Beazley Group’s embedded reinsurance
team, Beazley Product Solutions (BPS). BPS partners with insurers to provide turnkey
product solutions, including cyber, employment practices and environmental coverages, to
meet the needs of their policyholders. Prior to joining Beazley, Ms. Dufendach practiced as
an insurance defense attorney in Philadelphia, PA. Ms. Dufendach is a graduate of
Gettysburg College and Villanova University School of Law.

Charles E. “Buzz” English, Jr.
English, Lucas, Priest & Owsley, LLP
1101 College Street
P.O. Box 770
Bowling Green, Kentucky 42102-0770
benglish@elpolaw.com

BUZZ ENGLISH is a partner in the Bowling Green based law firm of English, Lucas, Priest
& Owsley, LLP where his practice areas include civil litigation, business litigation,
condemnation law, product liability law, appellate practice, professional negligence, and
lawyer discipline. He has handled appeals in both federal and state court and is a life
member of the Judicial Conference for the U.S. Court of Appeals for the Sixth Circuit. Mr.
English also serves on the Kentucky Judicial Nominating Commission. He is a graduate
of the University of Kentucky and the University of Kentucky College of Law. Mr. English
served as President of the Kentucky Bar Association in 2009-2010. He was appointed to
the American Bar Association’s Standing Committee on the Federal Judiciary as the Sixth
Circuit Representative evaluating the qualifications of all potential nominees for Article III
judgeships throughout the United States and its territories. He also served on the
American Bar Association’s Standing Committee on Bar Activities and is serving in the
ABA House of Delegates. He was recently elected to serve on the American Bar
Association’s Board of Governors. He is a Fellow with the American Bar Foundation, a
member of the Kentucky Public Advocacy Commission appointed by Governor Steve
Beshear, President of the American Counsel Association, and a member of the Federation
of Defense and Corporate Counsel. Mr. English was recognized as the Outstanding Young
Lawyer in Kentucky in 1992. He received the Public Advocate Award by the Kentucky
Public Advocacy Commission and was recognized with a Special Service Award from the
Kentucky Bar Association and the Gwyneth B. Davis Outstanding Public Service Award
by the Bowling Green-Warren County Bar Association.

Jane Broadwater Long
Lawyers Mutual of Kentucky
323 West Main Street
Suite 600
Louisville, Kentucky 40202
long@lmick.com

JANE BROADWATER LONG is Vice President and Claims Counsel for Lawyers Mutual
of Kentucky. Ms. Long joined Lawyers Mutual on January 1, 2003 to coordinate and
supervise claims. Prior to joining Lawyers Mutual, she was in private practice in Atlanta,
Georgia for eight years and worked in-house as corporate counsel of litigation and
employment law for AFC Enterprises, Inc. She returned to Louisville in 2001 to work for
Rice Insurance Services Company, LLC, which provides professional liability insurance to
real estate agents in numerous states, handling claims. Ms. Long received her
undergraduate degree from the University of North Carolina at Chapel Hill in History with
honors. She received her law degree from the University of Kentucky where she was a
member of the Kentucky Law Journal and Order of the Coif. She is a member of the ABA
Tort and Insurance Practice Section. She was appointed as Special Advisor by the ABA
President to the Standing Committee on Lawyers’ Professional Liability. She is an active
member of NABRICO, the National Association of Bar Related Insurance Companies.
Ms. Long is a frequent speaker at Kentucky CLE seminars on legal malpractice, legal
ethics, and risk management. She serves on the Board of Trustees of KESA, the Kentucky
Workers’ Compensation Fund and is a conference committee member of the Women
Leaders in Insurance & Financial Services. In addition, she is actively involved in other
civic and community organizations in Louisville.

CYBER LIABILITY: THREATS, TRENDS, AND COVERAGE
Sarah Dufendach, Jane Broadwater Long, Charles E. English, Jr.
& Joye Beth Spinks1

I. INTRODUCTION

II. DUTY TO CLIENTS, YOUR PRACTICE, OPPOSING COUNSEL, AND YOURSELF

  A. KBA Ethics Opinion E-446

    1. An attorney has an ethical responsibility to implement cybersecurity measures to protect clients’ information.

      a. Requirement to “not reveal information related to the representation of a client unless the client gives informed consent.” SCR 3.130 (1.6).

      b. Commentary (6) of SCR 3.130 (1.1): Part of “Maintaining Competence” includes keeping abreast of “. . . the benefits and risks associated with relevant technology. . .”

         This includes continuing technology education and continual re-evaluation of policies and procedures.

      c. KBA E-437: Kentucky lawyers should be competent in the use of technology in their law practice.

         This includes knowledge of cyber defense tools to protect client data.

      d. Attorney should communicate with client at the beginning of the representation about what levels of security will be necessary for electronic communications about client matters. (More sensitive communications may warrant extra security.)

      e. “Reasonable efforts” to prevent cybersecurity breaches depend on the facts and circumstances of the measures taken to prevent disclosure. The Model Rules provide some guidance:

        i. Sensitivity of information;

        ii. Likelihood of disclosure without additional safeguards;

        iii. Costs of safeguards, difficulty of implementation; and

        iv. Extent to which safeguards adversely affect lawyer’s ability to represent clients. Comment 18.

      f. No strict liability.

      g. No mandated measures or suggested safeguards.

1 Joye Beth Spinks is a third year law student at Boston University School of Law.

    2. An attorney has some ethical responsibility to advise clients about cyberattacks against the law practice and breaches of security.

      a. Reasonable consultation about the “means by which the client’s objectives are to be accomplished” under SCR 1.4(a)(2) includes discussing the use of technology, the handling of confidential information, and the storage of confidential information.

      b. Must tell clients about “significant developments” affecting the time or substance of representation.

        i. Does not require disclosure about general cyberattacks on the firm or breaches of security within an attorney’s computer systems.

        ii. Disclosure of the client’s specific confidential and/or privileged information to third parties would be a “significant development” requiring disclosure to client.

      c. If an attorney failed to disclose a breach involving the client’s unencrypted personally identifiable information, that may be an unethical withholding of information.

      d. Duty imposed by SCR 3.130(1.15) to safekeep client’s property includes client’s files, stored data, and intellectual property.

    3. An attorney may utilize third parties and/or non-lawyers to plan and implement cybersecurity measures.

      a. Ethical requirement to investigate the qualifications, competence, and diligence of cybersecurity providers.

      b. Each attorney within the law firm does not have to have all the technology competence required to meet the ethical responsibility; the attorney can utilize another attorney within the firm, non-lawyer staff, and/or outside experts to comply.

    4. An attorney has an ethical responsibility to ensure that law firm employees and third parties employed by, retained by, or associated with the lawyer, comply with the attorney’s cybersecurity measures.

      a. SCR 3.130(1.5) requires partners, managing attorneys, and supervisory lawyers to make reasonable efforts to ensure that lawyers, non-lawyers, and assistants conform to the Rules.

      b. Lawyers with managerial authority must make reasonable efforts to establish internal policies and procedures that provide reasonable assurance that non-lawyers in the firm will act in a way compatible with the Rules. Commentary (2) to SCR 3.130(5.3).

         No specific policies or procedures are mandated by the Opinion.

      c. A partner, attorney manager, or supervising attorney’s obligation does not end with policies and procedures; they need to train employees on data security practices and the role of each party in ensuring the protection of client information.

  B. ABA Formal Opinion 483

    1. “When a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under the Model Rules.”

       Model Rule 1.1 – Duty of Competence

      a. Lawyers should “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Comment [8].

      b. Not every data breach requires disclosure. A breach should be disclosed when:

        i. Material client confidential information is misappropriated, destroyed, or otherwise compromised; or

        ii. Lawyer’s ability to perform legal services is significantly impaired.

      c. Just as lawyers must safeguard and monitor the security of paper files and client property, electronically stored client property and information must likewise be protected. Rule 1.15.

      d. An ethical violation does not necessarily occur if a breach is not immediately detected.

        i. Potential for ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or detect cyber-intrusion and that lack of reasonable effort causes a breach.

        ii. An attorney’s competence in preserving client confidentiality does not require the lawyer to be invulnerable or impenetrable.

      e. Model Rules 5.1 and 5.3: Duty to ensure the firm has measures in effect that give reasonable assurance that all lawyers and staff in the firm conform to the Rules.

    2. The legal standard for what is reasonable regarding cybersecurity is emerging: there are no requirements for specific security measures; rather, it is a fact-specific approach that requires a “process” to:

      a. Assess risks;

      b. Identify and implement appropriate security measures;

      c. Verify that the measures are effectively implemented; and

      d. Ensure that the measures are continually updated in response to new developments.

    3. Model Rule 1.1 requires that a lawyer act reasonably and promptly when a breach of protected client information is suspected or detected.

      a. Should consider developing an incident response plan.

      b. Even if there is no response plan, must take prompt action to stop the breach and then must make reasonable efforts to restore operations to service the needs of clients.

    4. A post-breach investigation requires an attorney to make reasonable efforts to determine whether files were accessed, and if so, which ones.

       Determine the scope of the intrusion to allow for accurate disclosure to the affected clients.

    5. Model Rule 1.6 still applies to disclosures to third parties.

       In disclosing information to law enforcement about a data breach, keep in mind that, without consent, a lawyer may disclose only such information as is reasonably necessary to assist in stopping the breach or recovering the stolen data. Lawyers have an obligation to communicate with current clients about a data breach under Rule 1.4.

    6. Notice to the client may be required if there is a “serious breach,” where the unauthorized release of information could reasonably be seen as a significant factor in the representation (affecting the position of the client or the outcome of the matter).

       When a data breach occurs involving or having a substantial likelihood of involving material client confidential information, the lawyer has a duty to notify the client.

    7. The Model Rules do not provide direct guidance on a lawyer’s obligation to notify former clients in the event of a breach of data relating to the representation of the former client.

      a. Best practice: reach an agreement with clients before conclusion or at the termination of the relationship about how to handle a client’s electronic information in the lawyer’s possession.

      b. The ABA encourages lawyers to adopt and follow a paper and electronic document retention schedule to reduce the amount of information relating to the representation of former clients that the lawyer retains.

      c. Data privacy laws, common law duties of care, or contractual arrangements may still require disclosure of a data breach to former clients.

    8. The nature and extent of a breach notification depends upon the type of breach and the nature of the data compromised.

      a. No “safe harbour”: if the obligation to notify is triggered, a lawyer must notify regardless of what type of security efforts were put into effect.

      b. Disclosure must be sufficient to provide the client with enough information to make an informed decision regarding next steps, if any.

      c. Minimum disclosure under Rule 1.4 is:

        i. That there has been unauthorized access to or disclosure of their information, or that unauthorized access or disclosure is reasonably suspected to have occurred;

        ii. The known or reasonably ascertainable extent to which client information was accessed or disclosed; and

        iii. If the lawyer has made reasonable efforts to determine the extent of information affected by the breach, but cannot do so, the client must be advised of that fact.

      d. Best practice: Inform the client of the plan to respond to the data breach, to recover the data, and to increase data security.

      e. Ongoing duty to keep clients reasonably informed of material developments in the post-breach investigation affecting the client’s information.

      f. Breach of personally identifiable information: evaluate obligations under state and federal law.

  C. Litigation

    1. Shore v. Johnson & Bell, Ltd., No. 16-cv-04363, 2017 U.S. Dist. LEXIS 25612, 2017 WL 714123 (N.D. Ill. Feb. 22, 2017).

      a. Class action by clients against Chicago-based law firm Johnson & Bell.2

      b. Plaintiffs alleged that the firm’s computer systems had “critical vulnerabilities in its internet-accessible web services[,]” exposing the clients to great risk of unauthorized disclosure.

         Alleged breach of duty to “implement industry standard data security measures, resulting in [potential] vulnerabilities and exposures of confidential data.”

      c. No breach had actually occurred, but Plaintiffs claimed that because of the vulnerabilities of the law firm’s system, it was only a matter of time before the clients’ information would be disclosed.

      d. The firm had an arbitration clause in their engagement letters and the plaintiffs were thus ordered to proceed individually with arbitration.

    2. Complaint, Millard v. Doran, No. 153262/2016 (N.Y. Sup. Ct. Apr. 18, 2016).

      a. Married plaintiffs alleged that their real estate lawyer was liable for malpractice and breach of fiduciary duty related to a real estate transaction in New York City.

      b. Cybercriminals hacked the lawyer’s email and intercepted communications about the transaction between the Plaintiffs and the lawyer.

      c. The cybercriminals then sent fraudulent emails to the Plaintiffs, posing as the lawyer, instructing the Plaintiffs to wire funds to a bank account that the cybercriminals purported belonged to the seller.

      d. The clients sent the money ($2 million) to the bank account, which was actually under the control of the cybercriminals. The cybercriminals even sent a separate confirmation email of the transfer to the lawyer, posing as the seller’s attorney, which the lawyer forwarded to the Plaintiffs.

      e. This case appears to have been settled early in the litigation process.3

2 Kenneth M. Labbate & Jason L. Ederer, “A Brave New World – Cybersecurity and the Potential for Legal Malpractice Claims,” Mound, Cotton, Wollan & Greengrass, LLP Newsletter (2018), https://www.moundcotton.com/newsletters/summer-2018/a-brave-new-world-cybersecurity-and-the-potential-for-legal-malpractice-claims/

D. Other States: Florida and North Carolina

III. THREAT LANDSCAPE

  A. Current Statistics

  B. Threats

    1. Insider threats.

      a. Employee negligence.

        i. Security failures.

        ii. Lost mobile devices.

      b. Employee ignorance.

        i. Improper disposal of personal information (dumpsters).

        ii. Lack of education and awareness.

        iii. Malicious employees.

    2. External threats.

      a. Hackers/hacktivists.

      b. Malware.

        i. Phishing and spear phishing.

        ii. Social engineering.

        iii. Ransomware.

      c. Vendors.

      d. State-sponsored attacks.

  C. What Kind of Information is at Risk

    1. Consumer information.

      a. Credit cards, debit cards, and other payment information.

      b. Social Security numbers, ITINs, and other taxpayer records.

      c. Customer transaction information, like order history, account numbers, etc.

      d. Protected healthcare information (PHI), including medical records, test results, appointment history.

      e. Personally identifiable information (PII), like driver’s license and passport details.

      f. Financial information, like account balances, loan history, and credit reports.

      g. Non-PII, like email addresses, phone lists, and home address that may not be independently sensitive, but may be more sensitive with one or more of the above.

    2. Employee information.

       Employers have at least some of the above information on all of their employees.

    3. Business partners.

      a. Vendors and business partners may provide some of the above information, particularly for sub-contractors and independent contractors.

      b. All of the above types of information may also be received from commercial clients as a part of commercial transactions or services.

      c. In addition, B2B exposures like projections, forecasts, M&A activity, and trade secrets.

3 Id.

8
IV. CYBER TRENDS & DEVELOPMENTS

  A. Business Email Compromise

    1. Business email compromise ramped up as a major threat during 2018.

    2. Beazley handled over 800 business email compromise incidents in 2018, which was 24 percent of all incidents reported. This was an 11 percent increase over 2017.

    3. The main form of business email compromise was an email account takeover, where the attacker compromises email account credentials through phishing or malware.

    4. Typically, the attacker sends a phishing email with a link to a website that looks “legitimate” and prompts the user to enter their username and password. On the backend, the attacker has now acquired those credentials and can then remotely access an email account and pose as the legitimate owner.

    5. Why compromise email accounts? Attackers are able to leverage and monetize a compromised inbox in several ways:

      a. Get additional credentials.

      b. Fraudulent wire transfers.

      c. Access to HR/payroll portal.

  B. Phishing

    1. Payroll diversion phishing. A typical payroll phishing attack happens as follows:

      a. The attacker targets the organization’s employees with an email phishing campaign.

      b. One or more employees fall for the phishing campaign and supply their email credentials.

      c. The attacker determines which vendor the organization uses for payroll/HR.

      d. With the user credentials, the attacker creates a new inbox forwarding rule for the compromised account. The forwarding rule sends any email coming from the payroll provider directly to the trash.

      e. Using the compromised email address, the attacker requests that the payroll provider reset the password for that account. The payroll provider sends a password reset email with a temporary password. Because of the forwarding rule, the email goes directly to the trash and the user never sees it.

      f. The attacker uses the newly supplied password to access the employee self-service portal. If the organization uses single sign-on for access to the payroll provider, the attacker doesn’t even have to request a password reset.

      g. The attacker changes the direct deposit information for the employee. The next time payroll is processed, the employee’s paycheck goes into an account the attacker controls.

    2. W-2 phishing.

       This type of attack involves a threat actor impersonating a high-level person at an organization (typically the CEO or CFO) and acquiring copies of the organization’s W-2 forms, essentially by duping a human resource or finance department employee into believing the request is legitimate and providing the W-2s to the criminal. The criminal then uses this information to file fraudulent tax returns. Because these attacks focus on tax information, they occur primarily between January, when W-2s are created, and April 15th, at which point the vast majority of individuals have already filed their taxes and the W-2s become less useful to these threat actors.

  C. Ransomware

    1. Ransomware continues to be a major problem for organizations.

    2. Seventy-one percent of the ransomware incidents reported to Beazley in 2018 impacted small businesses.

    3. The main attack vector that we have seen bad actors use this year is to come in through open Remote Desktop Protocol, or RDP, ports.

    4. Many small businesses outsource their IT to contractors that they allow to remotely access their networks via RDP.

    5. Attackers will scan the internet for open RDP ports, and then attempt to brute force a weak password to get access.

    6. Ransomware trends.

      a. Frequency and severity increasing.

        i. 2015: $300 to $600.

        ii. 2018: $1,500 to $50,000+.

      b. Targeting: Anyone and everyone, it really doesn’t matter.

        i. State and local governments: direct hits.

        ii. Cloud service providers: indirect hits.

        iii. “Ransom Demands and Frozen Computers: Hackers Hit Towns across the U.S.,” Wall Street Journal, June 24, 2018.

      c. Methods (the “Vector”): Anything goes.

        i. Emails with malicious links and attachments.

        ii. Malicious ads.

        iii. Unpatched server software.

        iv. Compromised software from the internet.

      d. Material expenses often associated with ransomware.

        i. Ransom payment & consultant.

        ii. Costs to restore data.

        iii. Costs to replace hardware.

        iv. Business downtime (loss of revenue).

        v. Employee overtime.

        vi. Loss of data.

        vii. Breach notification (forensics, legal, mailing, credit monitoring, etc.).

  D. Fraudulent Instruction

    1. In fraudulent instruction attacks, a cybercriminal uses compromised email credentials to induce an employee to make a wire transfer or other electronic payment to a bank account controlled by the cybercriminal.

    2. The business email account is first compromised after a successful phishing incident or through installation of a key logger. The criminal can use the access to gain insight into company financial protocols related to wire transfers.

    3. Then, the criminal leverages a trusted relationship to provide instructions for the target organization to divert a planned payment or to cause a fraudulent payment to be made. The target of the fraudulent instruction is often a trusted business partner or someone with internal authorization to make wires on behalf of the victim organization. For instance, we often see these incidents occurring in a real estate transaction, where lawyers, real estate agents, and title or escrow companies are frequent targets and the cybercriminal can exploit the short timeframe for the closing to take place. In a recent incident, the cybercriminal compromised a broker’s email and sent revised wire transfer instructions, diverting the closing payment.

    4. Frequency and severity increasing.

      a. Losses over $250,000 are not uncommon.

      b. Frequency is neck-and-neck with ransomware.

    5. Targeting: anyone with money or access to money.

    6. Methods.

      a. Email compromise: you, your customer, your supplier.

        i. Brute force.

        ii. Password re-use.

        iii. Weak or default passwords.

      b. Email spoofing: bob@cityoflongestname.gov vs. bob@cityoflongestname.com.

    7. How much do they cost?

      a. How much money do you have? Crooks will take everything to which you have access.

      b. Crooks usually come back for “another bite at the apple” and only stop when caught.

      c. Banks won’t reimburse lost funds.

      d. Money is usually wired offshore and not recoverable.
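The spoofing illustration in item 6.b (bob@cityoflongestname.gov vs. bob@cityoflongestname.com) is one shape of lookalike domain; the following added example, which is not part of the handbook, generalises it to a small classifier that a payments clerk's mail filter could run against a list of trusted counterparties. The trusted domains and sample sender addresses are constructed.

```python
"""Classify a sender address against a list of trusted counterparty domains.

Added example, not part of the CLE handbook; it generalises the handbook's
bob@cityoflongestname.gov vs. bob@cityoflongestname.com illustration to the
other spoofing shapes seen in fraudulent-instruction mail. The trusted
domains and sample addresses are constructed.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted_domains: set) -> str:
    """Return 'trusted', 'unrelated', or a 'lookalike: ...' reason.

    Checks, in order: exact or subdomain match; same name with a different
    TLD (.gov vs .com); the trusted domain embedded inside a longer domain;
    a one-character edit of the trusted name; the trusted name with a
    hyphenated prefix or suffix.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    trusted = {t.lower() for t in trusted_domains}
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    name, _, tld = domain.rpartition(".")
    for t in sorted(trusted):
        tname, _, ttld = t.rpartition(".")
        if name == tname and tld != ttld:
            return f"lookalike: {t} with TLD changed to .{tld}"
        if f".{t}." in f".{domain}.":
            return f"lookalike: {t} embedded in {domain}"
        if edit_distance(name, tname) == 1 and tld == ttld:
            return f"lookalike: one-character change of {t}"
        if name.startswith(tname + "-") or name.endswith("-" + tname):
            return f"lookalike: {t} with a hyphenated affix"
    return "unrelated"


# Constructed trusted list: the counterparties whose wire instructions you act on.
TRUSTED_DOMAINS = {"cityoflongestname.gov", "example-title.com"}

# Constructed addresses of the kinds a payment clerk might receive.
SAMPLE_SENDERS = [
    "bob@cityoflongestname.gov",
    "bob@cityoflongestname.com",
    "bob@cityoflongestnane.gov",
    "bob@cityoflongestname.gov.mail-example.net",
    "closing@example-title-escrow.com",
    "bob@mail.cityoflongestname.gov",
    "someone@unrelated.example",
]


def triage(senders, trusted_domains):
    """Map each address to its classification; 'lookalike' entries need out-of-band confirmation."""
    return {s: classify_sender(s, trusted_domains) for s in senders}


if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_SENDERS, TRUSTED_DOMAINS).items():
        print(f"{sender:45} {verdict}")
```

A "lookalike" verdict is a reason to confirm the instruction over a separately known phone number, never a reason to reply to the message.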

V. CYBER COVERAGE

  A. What Does a Typical Cyber-insurance Policy Cover?

  B. Coverage Summary – Breach Response

  C. Coverage Summary – First Party

  D. Coverage Summary – Third Party Liability

  E. Coverage Summary – Crime

  F. What’s Not Typically Covered

  G. Future & the Newest Coverage

  H. How to Prevent Gaps in Cyber Liability Insurance Coverage

    • See Addendum I

VI. BEST PRACTICES

  A. Why are Law Firms or Lawyers Vulnerable?

    1. Many small law firms do not invest enough resources towards information security.

    2. Untrained employees.

    3. Outdated antivirus software and open networks or firewalls.

    4. Beyond what is legally required, law firms must consider ethical obligations to clients. A data breach may implicate a number of Rules of Professional Conduct.

      a. For example, the comments to Model Rule 1.1 (Competence) provide that a lawyer must “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

      b. Model Rule 1.6(c) (Confidentiality of information) requires a lawyer to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

  B. Protecting Your Organization from Phishing

    1. Turn on two-factor authentication for external access to all applications, or at the very least, to particularly sensitive ones such as email, payroll or benefits providers, remote desktop protocol (RDP), and virtual private networks (VPNs).

    2. Audit recent direct deposit changes prior to issuing payroll and confirm the changes over the phone or in person with your employees.

    3. Educate and train employees about phishing. Consider whether simulated anti-phishing campaigns make sense for your organization’s risk profile.

    4. Periodically review email distribution lists, especially where reports containing PII or PHI are sent to a list.

    5. Use role-based access controls to manage access to sensitive information and ensure that access is terminated or updated appropriately when an employee changes roles or leaves the organization.

    6. Enforce strong password policies. Educate employees about the risks of recycling passwords for different applications.

    7. If your email system permits, set up alerts whenever new forwarding rules are created so that messages cannot be secretly diverted.
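Item 7 above and the payroll diversion sequence in section IV.B.1 both turn on the same artefact: a mailbox rule that hides or diverts mail. The added example below, which is not part of the handbook, scans a constructed mailbox-rule export for rules that throw away payroll or password-reset mail, forward mail to an outside address, or carry a name chosen to be overlooked. The record field names are assumptions, not any vendor's schema.

```python
"""Flag mailbox rules of the kind created in payroll-diversion phishing.

Added example, not from the CLE handbook. The exported rule records are
constructed to resemble an administrator's mailbox-rule export; the field
names (mailbox, name, from_contains, subject_contains, action, target) are
assumptions, not any vendor's schema, so map your own export onto them.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Senders and subjects an attacker wants the victim never to see. Constructed;
# add your own payroll, HR and benefits providers.
SENSITIVE_TERMS = re.compile(
    r"\b(payroll|hr|benefits|direct deposit|password reset|verification code|w-?2)\b"
)
# Actions that hide mail from the owner, versus actions that copy it elsewhere.
HIDING_ACTIONS = {"delete", "move_to_deleted", "move_to_junk"}
FORWARDING_ACTIONS = {"forward", "redirect", "forward_as_attachment"}


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    reasons: List[str] = field(default_factory=list)


def is_external(address: str, internal_domains: set) -> bool:
    """True when the address is not under one of the organisation's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def evaluate_rule(mailbox: str, rule: dict, internal_domains: set) -> Optional[Finding]:
    """Return a Finding when the rule hides sensitive mail or sends mail outside."""
    conditions = " ".join(
        [rule.get("from_contains", ""), rule.get("subject_contains", "")]
    ).strip().lower()
    action = rule.get("action", "")
    reasons = []
    if action in HIDING_ACTIONS:
        if not conditions:
            reasons.append(f"{action} applied to all incoming mail")
        elif SENSITIVE_TERMS.search(conditions):
            reasons.append(f"{action} for mail matching '{conditions}'")
    if action in FORWARDING_ACTIONS and is_external(rule.get("target", ""), internal_domains):
        reasons.append(f"{action} to external address {rule.get('target', '')}")
    # Attackers often give rules an empty or one-character name so they are overlooked.
    name = rule.get("name", "")
    if reasons and len(name.strip()) <= 1:
        reasons.append("rule name is empty or a single character")
    return Finding(mailbox, name or "<unnamed>", reasons) if reasons else None


def scan(export: list, internal_domains: set) -> List[Finding]:
    """Evaluate every rule of every mailbox in the export."""
    findings = []
    for entry in export:
        for rule in entry.get("rules", []):
            f = evaluate_rule(entry["mailbox"], rule, internal_domains)
            if f:
                findings.append(f)
    return findings


INTERNAL_DOMAINS = {"example-law.com"}  # constructed: the firm's own domains

SAMPLE_EXPORT = [  # constructed records, not real mailbox data
    {"mailbox": "alice@example-law.com", "rules": [
        {"name": "Newsletters", "from_contains": "news@vendor.example",
         "action": "move_to_folder", "target": "Reading"},
        {"name": ".", "from_contains": "payroll",
         "action": "move_to_deleted", "target": "Deleted Items"},
    ]},
    {"mailbox": "bob@example-law.com", "rules": [
        {"name": "backup", "action": "forward", "target": "bob.backup@webmail.example"},
        {"name": "Smith matter", "subject_contains": "Smith closing",
         "action": "move_to_folder", "target": "Smith"},
    ]},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EXPORT, INTERNAL_DOMAINS):
        print(f"{f.mailbox} rule '{f.rule_name}': " + "; ".join(f.reasons))
```

Run it against a fresh export whenever a new rule is created (the alert from item 7) and on a schedule, since a rule created before alerting was enabled would otherwise never be reviewed.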

  C. Protecting Your Organization against W-2 Fraud

    1. Establish clear procedures for how any legitimate request for W-2 information will be handled, and train relevant employees annually on the procedures. If possible, establish a policy that no requests will be made or responded to by email. Policies and procedures should be put in place that trigger a confirmation by phone or other non-email channels before W-2s are sent to anyone.

    2. Train all employees, especially those with employee payroll or benefits information, to beware of phishing attempts and W-2 fraud.

    3. Configure your email system to highlight emails coming from outside the network. W-2 phishing emails are often masked to look like they are from within the company, so this defense will call attention to their true nature.

  D. Protecting Your Organization from Ransomware

    1. Train employees on the indicators of ransomware and malware, how to identify phishing emails, and how to report suspected incidents.

    2. Keep systems up to date and patch as soon as possible. For smaller organizations, enable automated patching for operating systems and browsers.

    3. Segregate networks based on functionality and the need to access resources, including physical or virtual separation of sensitive information.

    4. Limit unnecessary lateral communications within the network.

    5. Manage the use of privileged accounts. Implement the principle of “least privilege.” No users should be assigned administrative access unless absolutely needed. Those with a need should only use them when necessary. Limit the use of administrative shares.

    6. Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access.

    7. Harden network devices with secure configurations, including disabling unnecessary services and remote administration protocols. Always change default passwords.

    8. Keep offline data backups up to date. Recent attacks have deleted backups accessible from the network, making it harder to recover your data.

    9. Enforce strong password requirements. Longer is better. Windows systems can be configured to require 14 characters as a minimum.

    10. Eliminate unused service accounts and monitor which accounts are using remote desktop protocol (RDP). Disable any unrecognized or unauthorized accounts.

    11. Consider using a product that prevents brute-force attacks using RDP, so that an account is locked after a certain number of failed login attempts.

    12. Require two-factor authentication for external access to all applications.
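Items 10 and 11 above ask for two things an RDP-exposed firm can get from its logon audit trail: which accounts actually use RDP, and when one source is guessing passwords. The added example below is not from the handbook; it runs both checks over constructed logon events written in a simplified one-line format, using the standard Windows values for failed logon (4625), successful logon (4624) and RDP logon type (10).

```python
"""Spot RDP password guessing and inventory RDP logons from logon events.

Added example, not from the CLE handbook. The event lines are constructed in
a simplified one-event-per-line format (timestamp, event id, account, source
address, logon type); a real Windows Security log needs exporting into that
shape first. Event ID 4625 (failed logon), 4624 (successful logon) and logon
type 10 (RemoteInteractive, i.e. RDP) are standard Windows values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Set

FAILED_LOGON, SUCCESSFUL_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10

# Constructed sample: a burst of failures from one address, a slow trickle from
# another that eventually succeeds, and two ordinary logons.
SAMPLE_EVENTS = """\
2019-06-10T01:00:00 4625 contractor 198.51.100.5 10
2019-06-10T02:14:01 4625 administrator 203.0.113.7 10
2019-06-10T02:14:12 4625 admin 203.0.113.7 10
2019-06-10T02:14:25 4625 administrator 203.0.113.7 10
2019-06-10T02:14:37 4625 backup 203.0.113.7 10
2019-06-10T02:14:50 4625 administrator 203.0.113.7 10
2019-06-10T02:15:03 4625 scanner 203.0.113.7 10
2019-06-10T03:30:00 4625 contractor 198.51.100.5 10
2019-06-10T03:31:00 4624 contractor 198.51.100.5 10
2019-06-10T08:05:00 4624 alice 192.0.2.10 10
2019-06-10T08:10:00 4624 bob - 2
"""


def parse(line: str):
    """Split one constructed event line into typed fields."""
    ts, event_id, account, source, logon_type = line.split()
    return datetime.fromisoformat(ts), int(event_id), account.lower(), source, int(logon_type)


def detect_rdp_bruteforce(text: str, threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> Dict[str, datetime]:
    """Sources with at least `threshold` failed RDP logons inside any `window`.

    Returns {source: time the threshold was first crossed}. The sliding window
    makes the check usable on a continuous feed, not just a finished file.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, _, source, logon_type = parse(line)
        if event_id != FAILED_LOGON or logon_type != RDP_LOGON_TYPE:
            continue
        q = recent[source]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and source not in alerts:
            alerts[source] = ts
    return alerts


def rdp_logons(text: str) -> Dict[str, Set[str]]:
    """Accounts that logged on successfully over RDP, with the addresses they came from."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _, event_id, account, source, logon_type = parse(line)
        if event_id == SUCCESSFUL_LOGON and logon_type == RDP_LOGON_TYPE:
            seen[account].add(source)
    return dict(seen)


def unexpected_rdp_accounts(text: str, authorised: Set[str]) -> Set[str]:
    """RDP users outside the approved list: the accounts to review and disable."""
    return set(rdp_logons(text)) - {a.lower() for a in authorised}


if __name__ == "__main__":
    print("brute-force sources:", detect_rdp_bruteforce(SAMPLE_EVENTS))
    print("RDP logons:", rdp_logons(SAMPLE_EVENTS))
    print("unexpected RDP accounts:", unexpected_rdp_accounts(SAMPLE_EVENTS, {"alice"}))
```

The threshold and window are the same knobs a lockout product exposes; a source that trips this check is also a candidate for blocking at the firewall, and two-factor authentication (item 12) removes most of the value of guessing in the first place.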

E. Protecting Your Organization from Fraudulent Instruction

1. Alert employees who have access to accounts payable systems or


wire transfer payments about these scams.

2. Train all employees to beware of phishing attempts.

3. Establish out-of-band authentication procedures for wire transfer


requests and changes to vendor payment instructions. Ensure that
confirmation of any instruction involves a separate channel.

4. Organizations handling many payments may wish to establish more


formal mechanisms for how vendors or customers can change
payment instructions, such as implementing app-based two-factor
authentication or establishing a preset code.

5. Require significant payments, changes to payment instructions, or


requests for sensitive employee data to be authorized by more than
one employee. Consider a holding period for transactions
exceeding a certain amount.

15
6. Turn on two-factor authentication for external access to all
applications, but particularly to sensitive ones such as email, payroll
or benefits providers, remote desktop protocol (RDP), and virtual
private networks (VPNs).

7. Enforce strong password policies. Educate employees about the
risks of recycling passwords for different applications.

8. Once an organization becomes aware of potential fraud, time is of
the essence:

a. Contact your financial institution immediately and request
they contact the corresponding financial institution where
the fraudulent transfer was sent.

b. Contact the Federal Bureau of Investigation (FBI) if the wire
is recent. The FBI, working with the U.S. Department of
Treasury Financial Crimes Enforcement Network, might be
able to help return or freeze the funds.

c. File a complaint, regardless of dollar loss:
https://www.ic3.gov or for BEC/EAC victims at:
https://www.bec.ic3.gov.
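As an added illustration of items 3 through 5 of section E (not code from the handbook or from any vendor), the Python below models a request to change a vendor's payment instructions and releases it only after three controls are met: a callback placed over a different channel to the number already on file (never the number the request itself supplies), approval by two distinct employees, and a holding period when the affected payment exceeds a threshold. The vendor record, phone numbers, amounts, threshold, hold period and employee names are all constructed, and the function names are this example's own.

```python
"""Release checks for a vendor payment-instruction change (section E, items 3-5).

Added illustration, not the handbook's or any vendor's code. The vendor
record, threshold, hold period, names and amounts are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Vendor master file as it stood BEFORE the request arrived. Out-of-band
# confirmation goes to the contact on record, never to a number or
# address supplied inside the request itself (constructed data).
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Office Supply (constructed)", "callback_phone": "+1-502-555-0100"},
}

HOLD_THRESHOLD = 25_000.00          # payments above this also wait out HOLD_PERIOD
HOLD_PERIOD = timedelta(days=2)
REQUIRED_APPROVERS = 2


@dataclass
class ChangeRequest:
    vendor_id: str
    new_account: str                 # bank account the requester wants payments sent to
    amount: float                    # value of the payment affected by the change
    requested_via: str               # channel the request arrived on, e.g. "email"
    contact_in_request: str          # callback number the requester supplied (untrusted)
    received_at: datetime
    verified_via: Optional[str] = None
    approvers: Set[str] = field(default_factory=set)


def record_verification(req: ChangeRequest, channel: str, number_dialed: str) -> Tuple[bool, str]:
    """Record an out-of-band confirmation (item 3). It counts only when the
    channel differs from the one the request used and the number dialed is
    the one on file, not the one the request offered."""
    on_file = VENDOR_MASTER[req.vendor_id]["callback_phone"]
    if channel == req.requested_via:
        return False, "confirmation must use a separate channel"
    if number_dialed != on_file:
        return False, "callback must go to the number on file, not one from the request"
    req.verified_via = channel
    return True, "verified via " + channel


def approve(req: ChangeRequest, approver: str) -> int:
    """Add an approver; a set ignores the same person approving twice (item 5)."""
    req.approvers.add(approver)
    return len(req.approvers)


def release_decision(req: ChangeRequest, now: datetime) -> Tuple[bool, str]:
    """True only when verification, dual approval and, for large amounts,
    the holding period are all satisfied."""
    if req.verified_via is None:
        return False, "no out-of-band verification recorded"
    if len(req.approvers) < REQUIRED_APPROVERS:
        return False, "needs %d distinct approvers, has %d" % (REQUIRED_APPROVERS, len(req.approvers))
    if req.amount > HOLD_THRESHOLD and now - req.received_at < HOLD_PERIOD:
        return False, "holding period for a payment above %.2f has not elapsed" % HOLD_THRESHOLD
    return True, "all controls satisfied"


def walkthrough() -> List[Tuple[bool, str]]:
    """Constructed walk-through: an emailed request carrying its own
    'call me' number, followed by a small request that clears quickly."""
    results = []
    big = ChangeRequest("V-1001", "999888777", 40_000.00, "email", "+1-502-555-0199",
                        datetime(2019, 6, 10, 9, 0))
    results.append(release_decision(big, datetime(2019, 6, 10, 9, 5)))      # nothing verified yet
    results.append(record_verification(big, "email", "+1-502-555-0100"))    # same channel: rejected
    results.append(record_verification(big, "phone", "+1-502-555-0199"))    # number from request: rejected
    results.append(record_verification(big, "phone", "+1-502-555-0100"))    # number on file: accepted
    approve(big, "alice")
    approve(big, "alice")                                                   # same person twice
    results.append(release_decision(big, datetime(2019, 6, 10, 10, 0)))     # only one approver
    approve(big, "bob")
    results.append(release_decision(big, datetime(2019, 6, 10, 10, 0)))     # two-day hold not over
    results.append(release_decision(big, datetime(2019, 6, 13, 9, 0)))      # released
    small = ChangeRequest("V-1001", "444555666", 1_000.00, "email", "+1-502-555-0100",
                          datetime(2019, 6, 10, 9, 0))
    record_verification(small, "phone", "+1-502-555-0100")
    approve(small, "alice")
    approve(small, "bob")
    results.append(release_decision(small, datetime(2019, 6, 10, 9, 30)))   # under threshold: no hold
    return results


if __name__ == "__main__":
    for ok, reason in walkthrough():
        print("RELEASE" if ok else "HOLD   ", reason)
```

The point the code makes that the list alone does not is where the callback number comes from: the request's own contact details are stored but never used for verification, so a message that swaps both the bank account and the "please call" number still fails the check.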

VII. CLAIMS EXAMPLES

A. Stolen Portable Device

B. Unintentional Disclosure

C. Hacking/Malware

ADDENDUM I
Reprinted with permission from the ABA – Standing Committee on Lawyers’ Professional Liability
in Protecting against Cyber Threats, A Lawyer’s Guide to Choosing a Cyber-Liability Insurance
Policy pages 26-27.

How to Prevent Gaps in Your Cyber-Liability Insurance Coverage

It is likely that your firm purchases at least one or more of the following: commercial
general liability (CGL) insurance; property/business interruption coverage; professional
liability insurance; crime insurance; and possibly kidnap and ransom insurance.
Depending upon policy terms, these coverages may offer some protection against data
breach-related liability and losses. But the landscape of the insurance market is changing,
and the insurance industry is taking steps to exclude data breach incidents from coverage
under these standard policies. Insurers now offer a number of specialized insurance
products to fill in the gaps. It is more important now than ever to have a good
understanding of exactly how your insurance program responds to data breach situations
and whether a special cyber-liability policy is right for your firm.

For example, your firm's current CGL policy may provide some protection against
allegations of liability resulting from a data breach, and the fact that the costs of defending
claims will not erode the limits of the policy often makes this possibility very attractive to
policyholders. CGL policies cover a firm's liability due to "property damage," and also
because of injury caused by violation of a "person's right of privacy." Insurers have
challenged the applicability of these coverages to data breach situations, arguing that
damaged or lost data is not the type of "tangible property" to which CGL coverage applies.

Insurers have also successfully argued that a data breach does not result in a necessary
"publication" of information resulting in a violation of privacy rights that would be otherwise
covered under the commercial general liability policy's "advertising and personal injury"
coverage. While the legal wrangling over these issues remains to be fully resolved,
insurers are taking steps to carve "data-related liability" out of CGL insurance policies.

A crime policy would cover computer crime by a third party or rogue employee, though
typically only if the crime involves theft of funds or securities. It might even provide first-
party identity fraud expense reimbursement for an employee who lost personal information
and will require costs to get his or her life back together (such as lost wages, attorney
fees, notary, and affidavit costs). However, the crime policy does not cover any first-party
business interruption costs; regulatory fines, fees, or proceedings; costs to investigate or
notify clients of a breach; and the like.

Your firm's professional liability insurance policy may also provide some protection against
liability to a third-party resulting from a data breach or network security failures during the
course of your professional legal services. However, similar to the crime policy, it would
not cover the firm for its own first-party losses, downtime, and expenses.

Commercial property insurance covers loss to the firm's own assets, as opposed to CGL
and professional liability policies that protect against allegations of liability to a third party.
While property insurance policy language varies, most insurers cover only data destruction
due to fire, water, and property damage, but exclude coverage for loss resulting from a
breach. Others will add limited cyber-coverage, but often with limits of five- to ten-thousand
dollars.

The below chart, attributed to Ames & Gough, a professional liability insurance broker,
portrays the gaps in cyber-liability coverage among various insurance policies purchased
by law firms.

Which of my insurance policies will respond to a cyber-related loss?

Policies compared (one column each in the original chart): Crime Policy;
General Liability Policy; Kidnap & Ransom Policy; Professional Liability
Policy; Property/Business Interruption Policy; Cyber Policy. An "X" marks
a policy that responds; the marks the chart shows for each row are listed
after that row.

First Party Cyber Losses

Business Interruption Costs (net profit before income taxes) due to a
Network Security Breach (unauthorized access or use; malicious code;
denial of service attack) of the firm's computer system: X X
(chart note: "Although some GL Policies sublimit or exclude")

Restoration, Repair, Recollection, Recreation of Digital Assets (written
records, audio files, images), due to:
   Computer Crime by a 3rd party: X X
   Rogue Employee Sabotage: X X
   Operational Errors and Admin Mistakes: (none shown)

1st party Identity Fraud Expense Reimbursement (1st Party Reimbursement
to get a person's life back together – attorney fees, mail, limited lost
wages, notary and affidavit costs, etc.): X X

Public Relations Costs for Reputational Damage: X

Forensic (Investigation) Expenses: X

Cost to Notify Clients & Others/Breach Notification Expenses: X

Credit/Identity Theft Monitoring Expenses (Credit Thaws/Freezes): X

Regulatory Fines & Penalties: X

Cyber Extortion Payments: X X

Data Destruction Due to Fire, Water, Property Damage: X
(chart note: "No coverage – Has to arise out of a Network Security Breach.")

Third Party/Client (& Data Privacy) Losses

Breach of Client/3rd Party Information or Funds (Due to Network Security
Breach): X X

Damages to network security of trading partner/vendor: X

Intellectual Property Infringement, Plagiarism, Defamation: X X X

Regulatory Proceedings: X X

Legal Defense Expenses arising out of a 3rd party loss: X X
