Professional Services Firms under threat: data security breaches and compliance risks

The recent fallout from the “Panama Papers” data leaks has not only thrown the use of offshore tax havens and fiscal transparency back into the spotlight, but also highlighted the threat of data security breaches and associated compliance risks to corporates, and to law firms in particular. We have brought together an overview of the main legal issues arising from these leaks, commenting on the risks and implications for: money laundering; asset tracing; circumvention of sanctions; data protection; corporate reputation; professional indemnity and cyber security risks; and funds, private equity structuring and tax.

Professional Indemnity cover and Cyber security risks

Law firms and other professional service providers face two major risks in relation to cybercrime which may not be covered by professional indemnity coverage: breach of client confidentiality and structural/financial impact upon a law firm itself.

Unauthorised “leakage” of confidential information by employees, commercial espionage, “phishing” attacks, the use of “malware” and hacking are all risks facing law firms given the nature of confidential information they hold. Where these result in civil claims against the firm by clients or other third parties to whom the firm owes a duty of care and/or prompt an investigation or inquiry, there may be cover under the firm’s professional indemnity cover, subject to its terms and conditions (which commonly exclude cover for fines or penalties).

Firms may also face threats to their own ability to carry out their professional business, for example, due to attacks on their own websites or servers or on those of external providers. As well as some third party losses, first party losses – such as breach response, PR expenses, forensic investigations, business interruption, denial of service, extortion threats, breach of employee confidentiality, and fines and penalties – caused to a law firm may not be covered by its professional indemnity insurance.

Where news of a breach of confidentiality breaks, a firm is in a situation which has legal, regulatory, technical and public relations dimensions and it is vital that a firm (a) plans for this contingency and (b) identifies in advance a specialist internal or, if necessary, external team that can assist. Many cyber insurers provide access to such support as an ingredient of the coverage.

Read full article: http://www.lexology.com