Cyber Attacks on Law Firms Continue
By David A. Gauntlett*
Introduction
In a recent post,[1] we discussed the growing trend of cyber attacks against law firms. According to a BakerHostetler report based on more than 1,250 incidents across industries, law firm cases nearly doubled from the previous year, driven in part by a threat group that used social engineering tactics—impersonating IT staff, gaining remote access to attorneys’ devices, and quickly stealing sensitive data for ransom. Law firms are especially attractive targets because of the high-value confidential information they hold. A recent lawsuit filed against Fox Rothschild LLP shows the trend is continuing and further highlights the need for broad insurance coverage for cyber attacks.
Fox Rothschild Allegedly Targeted by Ransomware Group
A proposed class action lawsuit has been filed against Fox Rothschild in federal court in Pennsylvania following an alleged data breach linked to the ransomware group Silent Ransom Group.[2] Plaintiff Jasmine Trotter claims the law firm failed to adequately protect sensitive personal information, including Social Security numbers, which was allegedly accessed and stolen during a cyberattack in May. The complaint argues that Fox Rothschild knew or should have known that law firms are frequent targets of ransomware attacks and failed to implement reasonable security measures or promptly notify affected individuals. Trotter seeks to represent a nationwide class of potentially thousands of people whose data may have been compromised and is asserting claims including negligence, unjust enrichment, and breach of implied contract.
Fox Rothschild disputes the characterization of the incident. The firm stated that it became aware on May 21 that a single attorney had fallen victim to a sophisticated social engineering attack. According to the firm, the breach was limited to one device, did not provide broader access to its systems, and was quickly contained. Fox Rothschild says it is reviewing what data may have been involved and will provide any required notifications, while emphasizing that its existing cybersecurity measures helped limit the scope of the incident and that it is taking additional steps to strengthen security.
The lawsuit highlights broader concerns about ransomware attacks targeting law firms, which often hold highly sensitive client information and may be vulnerable to extortion. The complaint alleges that Fox Rothschild’s delayed notification and inadequate safeguards have exposed affected individuals to risks such as identity theft, loss of privacy, and the costs associated with monitoring and protecting their personal information.
Cyber Policies Provide Best Coverage for Ransomware Incidents
Ransomware is malware that, after infecting a computer system through a virus or other malicious code, locks or encrypts the victim’s data and demands payment for its release. Even more dangerous is the manner in which such malware can manipulate computer functionality. Compared to other attacks like “cryptojacking,”[3] ransomware is less profitable, but it is easier to carry out and remains a major threat to online operations. Ransomware attacks extort money from businesses and typically demand payment in cryptocurrency, which makes the payments harder to trace.
Insurers often deny coverage for claims resulting from ransomware attacks, especially where several categories of loss are involved, such as system damage, reputational loss, business interruption, data breach and data loss, and cyber extortion loss.[4]
For example, in New England Sys. v. Citizens Ins. Co. of Am.,[5] a Connecticut district court held that Citizens acted in bad faith when it denied New England Systems’ (NSI) business interruption claim, after a ransomware attack, under the policy’s “Cyber Business Interruption and Extra Expense” provision. The court reasoned that “Citizens intentionally misrepresented pertinent policy provisions when it allowed NSI to undertake self-repair work without disclosing that Citizens knew it would consider NSI ineligible for business-interruption coverage if it performed such work . . . [and] engaged in no investigation of its claims whatsoever.”[6]
Insurers have also attempted to deny coverage for claims resulting from ransomware attacks by invoking the “war and terrorism” exclusion, contending that ransomware attacks are a form of cyber terrorism that falls within the scope of this exclusion.[7] For example, in Merck & Co., Inc. v. Ace Am. Ins. Co.,[8] a New Jersey court analyzed Ace’s denial of coverage for Merck & Co.’s claims arising from the NotPetya ransomware attack in 2017. Ace contended that Merck’s claims fell within the scope of the policy’s war-risk exclusion and relied on a broad definition of “terrorism” and related terms to deny coverage.[9] In contrast, Merck asserted that its “all risks” policy covered all risks of property damage, “including destruction, distortion, or corruption of computer data, coding, program, or software.”[10]
The court first noted that no court in the country had applied a “war and terrorism” exclusion to facts remotely similar to those at issue.[11] It went on to conclude that the term “act of war” in the war-risk exclusion is ambiguous as applied to cyber attacks, and that applying it to the NotPetya event would defeat Merck’s reasonable expectations.[12] The court properly noted that the onus is on the insurer to update its policy language if it wishes to exclude newly developed threats.[13]
Crime Coverage Offers Some Protection for “Social Engineering” Claims
Crime coverage has narrowed over time, and specific coverages may now require an endorsement. For example, a 2019 Hiscox policy was less comprehensive in addressing “social engineering fraud” than the firm’s 2012 form. Endorsements such as the eCrime coverage found in a Cyber policy issued by Beazley[14] extend coverage to social engineering fraud under the Funds Transfer Fraud provision. The Coverage D: Computer and Funds Transfer Fraud provision in the 2012 Hiscox policy, available via endorsement, covers Loss resulting from “fraudulent written, electronic...or telephone instructions by a third party issued to a Financial Institution directing such institution to transfer, pay, or deliver Monies or Securities from any account maintained by the Insured Organization.”
By contrast, a Crime policy issued by Federal Insurance Co., a CHUBB entity,[15] provides, under Insuring Clause (E), coverage for “direct loss…resulting from Computer Fraud committed by a third party.” The express “direct loss” language narrows the coverage: the insured must demonstrate that the Loss directly resulted from, or was directly caused by, a Computer Fraud (e.g., email spoofing).
Policyholders may sometimes find coverage for ransomware claims under traditional commercial property or general liability coverage.[16] However, many policies define “property damage” and “property loss” in terms that do not encompass computer systems and data, so policyholders will more often than not find themselves without coverage for ransomware. For example, Sony was denied coverage after a data breach in which hackers accessed secure company information, because Coverage B of Sony’s standard CGL policy did not extend to the acts of third parties such as hackers.[17]
Conclusion
With the ever-increasing reliance on computer technology for day-to-day business functions and on cloud-based storage for recordkeeping, ransomware attacks represent a greater risk than ever. The only reasonable response to this simple reality is securing appropriate cyber coverage to mitigate the harm of any such incident. These policies offer robust coverage, though insurers will often deny claims no matter how clearly covered they are. In such cases, coverage counsel can assist in securing the policy benefits you are owed, including potential damages for bad faith if the insurer’s conduct meets the jurisdictional standard.
*David A. Gauntlett is a principal of Gauntlett & Associates and represents policyholders in insurance coverage disputes regarding intellectual property, antitrust, and business tort claims, as well as in the underlying actions. Mr. Gauntlett can be reached at (949) 514-5662 or dag@gauntlettlaw.com. For more information, visit Gauntlett & Associates at www.gauntlettlaw.com.
[1] https://www.linkedin.com/posts/davidgauntlett_new-ai-enhanced-cyber-attacks-increase-risks-activity-7442963306178527232-RT9R?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAMIKT4BcbZGN1Ja9aNU5caPWmSEA_y71zg
[2] Trotter v. Fox Rothschild LLP, No. 2:26-cv-03931 (E.D. Pa.).
[3] Typically defined in a Cyber policy as “the Unauthorized Access or Use of Computer Systems to mine for Digital Currency that directly results in additional costs incurred by the Insured Organization for electricity, natural gas, oil, or internet.”
[4] See National Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., 435 F. Supp. 3d 679, 684–85 (D. Md. 2020) (“[A]lthough the intended use of the software might sever it from the tangible form in which it was originally transmitted…Maryland courts would find physical damage to Plaintiff's computer software, despite its installation on Plaintiff's computer system, because the software was rendered entirely unusable by the ransomware attack.”).
[5]New England Sys. v. Citizens Ins. Co. of Am., No. 3:20-cv-01743 (JAM), 2021 U.S. Dist. LEXIS 93601 (D. Conn. May 17, 2021).
[6]Id. at *11.
[7]See Mondelēz Int’l, Inc. v. Zurich Am. Ins. Co., No. 2018-L-011008 (Ill. Cir. Ct. Oct. 10, 2018).
[8]Merck & Co. v. Ace Am. Ins. Co., 2021 N.J. Super. Unpub. LEXIS 4566.
[9]Id. at *2–3.
[10]Id. at *2.
[11]Id. at *13.
[12]Id.
[13]Id. at *14.
[14] Beazley USA Services, Inc., Breach Response, F00653 112017 ed. (April 2021).
[15] CHUBB Group of Insurance Companies, Crime Coverage Part, Form No. 14-02-17277. (Issued April 15, 2021).
[16] National Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., 435 F. Supp. 3d 679, 686 (D. Md. Jan. 23, 2020) (a ransomware attack can cause “loss of use, loss of reliability, or impaired functionality demonstrate[ing] the required damage to a computer system, consistent with the ‘physical loss or damage to’ language in the Policy” (emphasis added)).
[17]Zurich Am. Ins. Co. v Sony Corp of Am. et al, Case No. 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014).