
Let’s face it, the past several months have been rough on everyone. COVID-19 has radically disrupted our everyday lives, changed the way we do business and drastically increased the number of times we all say “strange” and “unprecedented.” One group that’s been thriving in the COVID-19 world, however, is Cyber Criminals. With the rush to implement “work from home” protocols, security has by and large taken a back seat to operational survival, and Cyber Criminals have positioned themselves well to take advantage of this new reality. Poorly configured remote desktops, home “Wi-Fi” networks, a host of new applications and employees forced into the strange new land of remote working all add up to a perfect Cyber Storm. Luckily, it’s not all gloom and doom, and there are things you can do to help make your firm more resilient to Cyber Attacks.

As we take a closer look at Cyber Risk, it is helpful to consider two questions when thinking about these threats:

  • Do you have a Cyber Incident Response plan?
  • Will you survive a Cyber Attack?

Our friends Mike and Ben will make cameos later on to illustrate the importance of these two questions when determining your firm’s resilience in the face of Cyber Threats.

A good place to start is by examining “What’s at Risk” for your firm. Typically this can be broken down into three categories: Data, Disruption and Dollars.


Data

a) Corporate Data: Every law firm is different, which means the type and volume of information will vary greatly from firm to firm. Personal Injury attorneys may have sensitive health information and medical records, M&A attorneys may have sensitive deal information, real estate and trust attorneys may have sensitive financial information in their files, etc. Think about the information your firm collects, stores and processes.

b) Employee Data: Regardless of what type of law you practice, every firm has employees. Think about all the information you take in when onboarding an employee: Name, Address, Phone Number, Social Security Number, Bank Account information for Direct Deposit, background checks, etc. As an employer it is your legal responsibility to protect this information.

c) Data in Transit: Data is at Risk while it is on your firm’s computers, while it is in transit (faxes, emails, texts) and finally, when it resides on a third party’s network. Many organizations believe that by utilizing a third party to store information they are absolving themselves of all responsibility for what happens after the transfer. However, the truth is much more complicated. Data Privacy Law states that the owner and/or collector of information maintains responsibility for that data, and the liability cannot be transferred via contract.


Disruption

While the bulk of the discussion regarding Cyber Risk has historically focused on Data Breaches (with good reason: they’re dangerous and tremendously expensive to deal with), the mass proliferation of Ransomware has now catapulted Business Disruption to the top of the list for concerned firms across the world.


Dollars

Pretty straightforward. Cybercriminals are after your money AND your clients’ money.


Now that we’ve identified “What’s at Risk” for your law firm, let’s dive into “How Breaches Occur.” There are three main Cyber Threat Vectors: Outside Attackers, Insider Threats and Third Party Incidents.

Outside Attackers

Hackers. Typically depicted in a hoodie and gloves in a dark room (not ideal for typing), Hackers deploy malicious software, commonly referred to as “Malware,” in order to corrupt legitimate computer code for the hackers’ own purposes. A few different types of outside attacks are:

a) Ransomware: Ransomware is a specific type of malware that is designed to encrypt key files and/or systems, with an accompanying ransom demand in order to provide the decryption key. The newest and most costly form of Ransomware in the Cyber world today is called “Maze” Ransomware. In a new twist on Ransomware, the group behind Maze exfiltrates sensitive information, publishes the name of your firm online, then demands a ransom payment which (supposedly) guarantees that the Cyber Criminals will not publish all of your sensitive information online.

b) Keyloggers: Keyloggers are a type of Ransomware that, when downloaded (via an errant click on a website, email attachment, etc.), quite literally log the keystrokes of your computer as you type. Keyloggers are typically used to pick up usernames and passwords which can then be used across various networks to inflict harm.

c) DDoS: Distributed Denial of Service attacks are brute force attacks designed to overwhelm a target with a flood of requests. Cyber criminals compromise and harness the power of various internet connected devices (computers, copiers, security systems, baby monitors, refrigerators, microwaves, etc. and yes, we’re serious about refrigerators), then direct that computing power at a single target, flooding the victims with billions or potentially trillions of requests per second until the targeted organization is completely overwhelmed and shut down.

d) Business Email Compromise: Business email compromise is exactly what it sounds like. A hacker gains access to your email or a vendor’s email and utilizes that email to fraudulently induce various parties to transfer money or sensitive information.

Insider Threats

As we’ve found, not all attacks come from the outside. Employees are also a large driver of Cyber Losses.

a) Malicious or Disgruntled Employees: One of the best examples of the damage a malicious insider can cause comes from a professional services firm in the UK. The story goes like this: the firm hires a new employee to perform data entry and data integration. The employee works from 9 to 5, and at 5pm leaves work and brings all their data from work home with them to their significant other, who is a hacker. Said hacker uses this information to commit wide-scale insurance fraud.

b) Careless employees and Honest Mistakes: Phishing and Social Engineering attacks are designed to trick employees into disclosing sensitive information, transferring money to a bad actor or clicking on a link or attachment that provides the entry point for a malware payload. Lost and compromised devices such as laptops and mobile phones have also proven to cause huge losses to a variety of organizations and some Cyber Insurance carriers contain exclusions for the losses arising out of lost devices that are unencrypted.

Third Party Incidents

Everyone has had the story of the Target breach beaten repeatedly into their head at this point, but for a quick recap: a third-party contractor that did business with Target was compromised by a bad actor. The bad actor then used the third-party contractor as an entry point to infiltrate Target’s systems, ultimately resulting in the massive theft of credit card information belonging to Target’s customers and enormous financial losses for Target itself. While the chances are your firm is not the size of Target, it is helpful to use this example as a lens through which to view the third-party “Hub and Spoke” security issue. Think of your firm as the “Hub” in this scenario, with all the third party vendors you use every day as the “Spokes.” Your firm is doing a great job with cybersecurity due diligence and purchases Cyber insurance. In essence, the “Hub” is protected. Are all of your “spokes” (cloud providers, billing services, credit card processors, software vendors) protecting themselves the same way? How are you validating or contractually mandating them to do so?


Solutions:  Cybersecurity + Cyber Insurance = Cyber Resilience

Finally some good news. While the Cyber world can be a scary place, the good news is there are actions you can take to help prepare your firm for Cyber Incidents.


There are a TREMENDOUS number of Cybersecurity solutions out there, so many, in fact, that sometimes we’re tempted to throw our hands up and say “Where do I even start?” While this is by no means an exhaustive list, these are some of the easiest-to-implement and most effective steps your firm can take right now to harden your firm’s Cyber Risk posture:

  1. Firewalls and Anti-Virus Software: Will this prevent your firm from being compromised? Not necessarily. Does it help protect you? Yes. Think about this from the analogy of a burglar looking to rob a house. The firewall or anti-virus is a fence around the property. Does a fence prevent every burglary? Absolutely not. Does it make it a little bit harder? Yes.
  2. Strong Passwords and Password Management: Everyone reading this probably just rolled their eyes, but the bottom line is that a huge number of Cyber Incidents could be thwarted by stronger passwords and password management. There are a ton of good vendors out there that can help!
  3. Back-Ups: Make sure you are backing up your information. There are a variety of different ways to do this and a proper discussion of back-ups would require an article unto itself. Oftentimes folks are lulled into a false sense of security because “everything is backed up” only to find their back-ups have been compromised or they haven’t tested them in 10 years. The bottom line, however, is that back-ups are important. Make sure you back up your data in one way or another.
  4. Employee Training: The vast majority of Cyber Incidents involve the human element at some point in the process. Training employees to be on the lookout for suspicious emails or behavior within the company will go a long way in creating a company culture that takes Cyber Risk seriously.
  5. Multi-Factor Authentication: Enabling multi-factor authentication (using two or more pieces of information to validate a user) is an incredibly simple way to harden your defenses. The leader of the Cyber Practice at a large Insurer recently shared that about 1/3 of their recent claims could have been prevented by properly implementing Multi-Factor Authentication.
  6. Patching: Remember all of those little notifications that pop up and tell you that an update is available? Those are important! It means that someone found a vulnerability AND they also found a way to patch that vulnerability.
  7. Constant Testing and Updating: Once you’ve established cybersecurity protections, back-ups, incident response plans, etc. make sure you test them!

Cyber Insurance

A lot has changed in the Insurance world over the past 5-10 years and nowhere is that more evident than in the world of Cyber Insurance. Before we get into the specifics of Cyber Insurance, let’s understand what Cyber Insurance is at a high level:

Cyber Insurance is a risk transfer mechanism that shifts the financial burden of a Cyber Incident from an organization to an Insurer.

Okay, that sounds nice but what does it do?

First Party Coverage

  1. Cyber Incident Response: Carriers have partnered with a wide-variety of law firms, forensics teams and PR experts to provide immediate and effective response to a Cyber Incident. The Incident Response portion of a Cyber Policy provides access to and funding for:

    a) Data Breach Coach: A law firm specializing in responding to Cyber Incidents.
    b) Forensics Teams: Your “boots on the ground.” These folks will determine: What happened? Is it still happening? What do we do now?
    c) Notification Costs: Do we have to notify anyone? If so: Who? How? When? What will be our message? The “Where” is also crucial, as there are currently 50 different state guidelines for data breach notifications and the laws apply to the affected individual rather than the affected organization, so you could have one breach that triggers multiple state reporting guidelines.

  2. Extortion/Ransomware Coverage: Provides coverage for Ransom payments and expenses arising out of a Ransomware threat.
  3. Digital Data Recovery: Covers the cost to restore, replace, recreate, re-collect or recover Digital Data from records that have been corrupted, stolen or destroyed.
  4. Business Interruption: Covers loss of Income (net profit before taxes) and extra expenses that a business suffers due to an interruption or degradation in service caused by a Cyber Incident. Note: Business Interruption due to Cyber Incidents is now widely excluded under traditional Insurance Policies.
  5. Cyber Crime: Theft of funds or securities is technically covered under Crime Insurance, however there is a clear overlap between Cyber and Crime in this case. It is crucial to understand how your Cyber and Crime coverages interact to ensure that you are covered for a Cyber Crime loss.

Third Party Coverage

  1. Privacy/Network Security Liability: Covers defense and settlements for third party liability claims arising out of:
    a) Actual/alleged failure of Network Security
    b) Actual/alleged failure to protect Personal, Protected or Confidential Info
    c) Actual/alleged failure to prevent the transmission of malicious computer code
  2. Regulatory Proceedings: With the ever-expanding list of Data and Privacy Regulations (HIPAA, CCPA, BIPA, GDPR to name a few), coverage for regulatory actions and investigations has never been more important.
  3. Payment Card Industry (PCI) Fines and Penalties: Coverage for losses which an organization is legally obligated to pay as a result of the insured’s actual or alleged failure of Network Security or failure to properly handle, protect or dispose of Payment Card Data.
  4. Media Liability: Coverage for claims pertaining to an organization’s display of Media Content on their website or in printed material, or Media Content posted by or on behalf of an organization on any social media site.

Benjamin Franklin and Mike Tyson: Cyber Experts

“Failing to plan is planning to fail” – Benjamin Franklin

“Everyone has a plan until they get punched in the mouth” – Mike Tyson

Although these two probably didn’t have a tremendous amount in common, we have brought them together here because their sage words help frame the approach your firm should take to Cyber Risk.

Make a plan! Fortify your defenses with cybersecurity best practices, develop an internal response plan for a Cyber Incident, and transfer the financial cost of an Incident to an insurer who will also bring in an external Cyber SWAT team to get you back up and running ASAP.

Test your plan! Plans look nice on paper, but as our friend Mike reminds us, when things get real, plans tend to go out the window. Make sure you test your plan and everyone involved knows their roles and responsibilities.

The Cyber World can be a scary place but there are lots of ways to help make it safer for your firm. The worst thing you can do is to do nothing; take action today. And if you ever find yourself overwhelmed or scared, just imagine Ben Franklin and Mike Tyson talking you through all of this… That should help!


Written By: Adam Abresch | Acrisure National Cyber Risk Practice Leader

As the Cyber Risk Practice Leader at Acrisure, (parent company of AHERN), Adam is responsible for designing custom Cyber, Crime and Technology solutions for Acrisure clients across the globe. Adam is also a guest lecturer at Fordham University, Hofstra University and leads Cyber Liability education for over 250 Acrisure Partner Agencies throughout the country.

Adam is a frequent speaker and thought leader on Cyber Risk, including featured presentations at NetDiligence, the Professional Liability Underwriters Society (PLUS) Cyber Conference and the New Jersey and New York City Bar Associations. A proud Tarheel, Adam graduated from the University of North Carolina at Chapel Hill and maintains a Certified Insurance Counselor (CIC) designation, Cyber COPE Insurance Certification (CCIC) from Carnegie Mellon/ Chubb and was the recipient of NetDiligence’s 2019 Toby Merrill Rising Star Award.


Substantial portions of this work appeared in the November 2020 issue of Orange County Lawyer magazine (Page 40). The views expressed herein are those of the Author(s). They do not necessarily represent the views of the Orange County Lawyer magazine, the Orange County Bar Association, The Orange County Bar Association Charitable Fund, or their staffs, contributors, or advertisers. All legal and other issues must be independently researched. Reprinted with permission.

Gayle has been a business litigator for decades.  She recognizes litigation was not the best fit for her personality, but she did it well and was a fine lawyer.  It provided a solid income for her family, which she had cherished – even though her work pulled her away and played a role in her divorce.

The conflicting demands of trying to be the best mother and the best litigator took their toll on Gayle.  Recently, whenever the phone rang, or an email or text arrived, she started feeling dread: more work to be done or maybe a criticism of her work.  She felt less able to keep up, more ineffective, and less productive.  She felt more cynical, isolated, forgetful, and less able to concentrate.  Every problem – at work or home – felt serious, even if it was not.  She felt exhausted constantly and had trouble sleeping.  She dreaded going to work, and never felt recovered after a weekend or a rare vacation.  While she had always felt like a successful, accomplished person, she had begun to feel she was failing, professionally and personally.

Most frighteningly for her, the anxiety attacks she first experienced in law school had returned with increasing frequency and severity – so terrifying that thoughts of suicide had even crossed her mind.

In addition to Gayle’s symptoms of burnout, other symptoms include: ongoing stress and crises; feelings of isolation and helplessness; irritability; excessive feelings of responsibility, inadequacy, and self-doubt; obsessive thoughts; guilt about missed personal activities; inability to balance heavy work and family responsibilities; reluctance to say no; sweating, heart palpitations, and feelings of panic; and self-medicating with alcohol and other substances.

The Cost

While Gayle felt alone in her despair, she was not.  As in other high stress fields, burnout is a serious problem in the legal profession, not only in terms of individual lawyers’ misery, but in the resulting harm to their firms and, sometimes, clients.

For lawyers, untreated burnout can lead to – or go hand in hand with – physical and emotional problems like depression, anxiety disorders, and substance abuse.  Compared to other professions, lawyers suffer very high rates of depression, substance abuse, and suicide.

Burnout also creates real problems for law firms.  Lawyers suffering burnout are unhappy, less engaged, less productive, and at greater risk for making errors that could result in malpractice claims or Bar complaints.  Firms also risk losing good lawyers too soon, costing substantial amounts to hire, train, and make new lawyers part of the team.

The Causes

Lawyers’ inherent personality traits, along with the adversarial, high-pressure nature of the work, create a perfect incubator for burnout.  Lawyers tend to be perfectionists, setting impossible-to-meet standards for themselves and feeling that nothing is ever good enough.  Lawyers are also trained to be on the constant lookout for problems and to be responsible for taking care of clients.  This inherent pessimism over what might go wrong creates a sense that problems are everywhere, the true urgency of which becomes exaggerated.  Lawyers also often fail to seek out help when needed, not wanting to appear weak.  They also face constant deadlines set by the courts, other parties, and clients, over which they have very little control.

Law firms, in turn, rarely foster an atmosphere where a lawyer experiencing burnout would feel comfortable exposing – and getting help for – what could be perceived as weakness.  Law firms are competitive places, with increasing demands for greater productivity at lower cost, and with limited, highly competitive opportunities for advancement.  New technologies also add pressure on lawyers, who feel constantly tethered to their work and client demands.

Prevention and Treatment

Lawyers and their firms can work together to promote a healthier approach for lawyers and, in turn, greater success for firms.  Individual lawyers (and firms, through wellness programs and thoughtful institutional changes to discourage a workaholic culture) should strive for: healthy diet; sufficient sleep; meditation; regular exercise, including yoga and walking; learning to say no, to set realistic work boundaries, and to protect time fully away from the demands of work, including regular vacations; dropping difficult clients; learning to express one’s feelings and concerns to someone who listens and cares; pursuing personal interests that bring satisfaction; and better protecting a healthy work/life balance generally.  In serious cases, lawyers can ask to take a leave of absence, change jobs, or even change careers.

Arizona lawyers have very helpful resources available through the State Bar’s Member Assistance Program, including its Peer Support Network, Support Groups, and Crisis Hotline.

Burnout is a serious occupational hazard for lawyers.  But, with the help of their firms, lawyers can strive to avoid feeling trapped and hopeless by taking the right steps to regain a healthy, balanced life.

(Article originally published in Attorney at Law Magazine – Phoenix Edition, Volume 11, Number 5).

*No portion of this article is intended to constitute legal advice. Be sure to perform independent research and analysis. Any views expressed are those of the author only.

By Daniel W. Hager | Corporate Counsel, AHERN Insurance Brokerage

Daniel W. Hager is Corporate Counsel to AHERN Insurance Brokerage and has spent his career practicing in the fields of lawyers’ professional liability, risk management, and legal ethics.