Ransomware locks down prominent Providence law firm
Recently a prominent law firm in Providence, RI was subject to a ransomware event. All their files were encrypted and they had a demand for $25,0000 in bitcoin to unlock the files. They allege in a lawsuit filed against their insurance carrier that they had to re-negotiate the terms after the initial key provided by the hacker did not work. The firm also alleges that they incurred $700,000 in lost billings due to downtime of their 10 attorneys.
Now we can all feel for the firm in that we would not want to be locked out of our files with no plan in place to get this resolved. While the police and FBI often advise firms not to pay the ransom, my experience is that most of these guys unlock your files and go away. They submitted the claim to their carrier and the claim was denied.
Before we feel too bad for them, let’s note that a stand-alone Cyber policy for this size firm would have cost a few thousand dollars for broad coverage with a least 1M in coverage. These are smart individuals that did not buy a cyber policy, and are now fishing around in a lawsuit against their BOP carrier that had no intent to cover this type of claim. This type of policy would cover business interruption cause by a physical event like a fire, not an event that caused damage to intangible assets like data.
And don’t be fooled that just having a stand-alone policy would cover them. Most of the damages claims in the lawsuit are optional coverages that are readily available in the market, but not everyone purchases these coverages and may be left with a false sense of security. Additionally, we often get the questions – “Isn’t this covered under their legal malpractice policy?” The answer is not likely. Even if the policy does not have an exclusion and is silent – at best you may get some defense costs covered from any customer that sues you, but that is a very small percentage of the costs. A broad stand-alone policy would have covered the extortion payment, the resulting business interruption, and the cost to rebuild any damaged digital files. It would then also provide coverage for regulatory defense, fines and penalties, other defense costs and indemnity payments as well as IT forensics, customer notification, credit monitoring and public relations expenses.
In the article in the Providence Journal about the ransomware event the police state that the law firm should go to their back up tapes, but that is often not a fix as we have seen cases where even that data is affected or unable to be restored. Attached here is a copy of the complaint where the Law firm is suing the carrier for bad faith for declining the claim. At the end of the day, this small firm needed a cyber policy with a carrier that can provide all the enhancements.