Cybersecurity breach, privacy law violation, and artificial intelligence pose risks of significant liability for law firms and businesses. Just like we would never practice law without malpractice insurance, we should not practice law in the digital age without coverage for this exposure. That type of insurance is not typically included in other policies. Rather, lawyers and business leaders need to purchase the right policies to ensure that their firms and companies have appropriate and sufficient coverage for potential cyber, privacy and AI liability.
Cybersecurity Insurance. Law firms and businesses face two predominant cybersecurity threats, and need two types of insurance to cover them. The first risk involves compromise of a computer network or device leading to encryption or theft of information. The damages that typically result from such a breach include costs for forensic investigation, legal fees for breach management, ransom payment, data review, notification of affected individuals, credit and identity protection services for them, notification of regulators, legal fees for regulatory audit, and payment of regulatory fines, as well as lost business revenue. The type of insurance necessary to cover such damages is typically called cyber liability insurance.
The other predominant threat involves the compromise of an email or financial system leading to a monetary loss through funds transfer fraud. While cyber liability insurance is needed to cover the costs to investigate this breach, that insurance typically will not reimburse the financial loss. Rather, the type of insurance needed to cover the loss is commonly called either cyber crime, computer crime, fund transfer fraud, or social engineering insurance.
Law firms and businesses need both types of cyber insurance to appropriately cover exposure to these threats. However, not all insurance agents are as facile with these policies as we might expect them to be. As a result, lawyers and business leaders need to devote time and attention to ensure that the limits and sub-limits of each of those coverages are sufficient for the amount and sensitivity of the information they handle and the financial transactions they conduct.
Privacy Insurance. Privacy laws are different than cybersecurity laws. Cybersecurity laws require safeguards to be implemented to protect against loss or theft of information, and notification in the event of breach. Privacy laws govern the collection and use of information. Privacy laws require firms and businesses to notify and obtain consent from individuals before collecting and using their information, limit certain types of collection and use of information, and create rights individuals can assert with respect to information about them.
Because privacy and cybersecurity laws differ, the cyber insurance discussed above (which is usually meant to cover only cybersecurity breach) will not necessarily cover a breach of privacy laws, and sometimes such policies exclude it. Moreover, privacy breach coverage is something that insurance agents are more likely to be unfamiliar with. Thus, lawyers and business leaders need to work closely with their agents to ensure that they cover this exposure.
AI Insurance. Law firms and businesses are jumping at opportunities to implement AI. While this technology presents powerful potential, it also poses proportionate risk. Just like any other technology, even when deployed properly, AI can make mistakes that significantly damage the firm or business using it and the client or customer the AI is used for.
Most existing insurance policies were not designed to address AI. Thus, while the language of some policies can be construed to cover damages caused by AI errors, other policies cannot and some expressly exclude such coverage. As insurance underwriters catch up on AI, it seems likely that more policies will exclude coverage for damages caused by AI errors, requiring the purchase of an AI endorsement or separate policy to secure such coverage.
As law firms and businesses approach insurance renewal time, they should work closely with their agents to identify their existing and upcoming AI risk, and secure appropriate and sufficient coverage for it. That may be in the form of a modified cyber insurance or errors & omissions policy, or an endorsement to one of those policies. Additionally, developers of AI, firms that deploy AI for others (including managed services providers), and businesses heavily engaged in AI use may need to explore a separate policy to cover their AI exposure.
Do not make the mistake of assuming that your liability for cybersecurity breaches, privacy law violations, or AI errors is covered by your existing insurance, including a cyber or errors & omissions policy, business owner’s policy (often called a BOP), or other insurance. Operating in a digital world means that law firms and businesses need to be sure that they have appropriate and sufficient insurance to cover these digital risks.