Professional Services on Behalf of the Named Insured

“Professional Services on Behalf of the Named Insured”: that term, or a similar one, appears in most, though not all, lawyers’ malpractice insurance policies. It is intended to limit the policy coverage to lawyers in the law firm who are providing legal services to clients of the law firm only. Keep in mind that the name of the law firm is usually the name of the Named Insured listed on the policy.

This term is usually a good thing for the law firm in that it limits the exposure and coverage to the law firm’s business. It can, however, be quite a surprise to any firm lawyers working outside the law firm in a “side” venture or moonlighting situation. The policy will not cover professional services performed for anyone who is not a client of the Named Insured/Law Firm.

There are instances where lawyers have worked in a law firm and also maintained a solo part-time law practice away from the law firm. Thinking that they had malpractice insurance coverage with the law firm, they did not bother to purchase a separate policy for their part-time solo work. They did not realize they had no coverage until they were sued for work performed in their part-time solo capacity. Ouch! That is a hard lesson.

This situation can also occur if, while working in a firm, the lawyer agrees to provide legal services for a friend or family member and doesn’t run the business through the firm or sign the client up as a client of the firm.

So check who is the Named Insured on your legal malpractice policy. Make sure it is correct; again, it is usually the name of the law firm. Be certain that all lawyers in the firm know that they are NOT or may not be covered by the law firm policy for legal services they perform for others who are not clients of the firm.

Are You Looking For Conflicts Of Interest?


I was recently at a malpractice program given by a carrier we use and they were talking about where their claims are coming from.  One of the top 3 causes they presented was conflict of interest.  I can’t say that this shocked me but I was a little bit surprised this was in the top 3!  

Back in the ’90s, conflicts of interest were a huge risk management topic and were on everyone’s radar. For the past several years, however, the topic seemed to cool when discussing legal malpractice, so to hear it was in the top 3 did catch my attention. It should catch your attention too!

Conflicts of interest are easy to get caught up in if you’re not careful. They come in many different disguises, right? Representing both parties in the same case, be it a divorce or an accident; representing a new client against a former client; having an ownership interest in your client; managing and/or directing a client’s business. The list can go on and on.

Be careful to not get caught up in the friends and family plan either.  You may have had this happen to you when a family member might say “My wife and I want a quick divorce, here is what we agreed to. Can you draw up the paperwork and we’ll both sign and be done?” or a similar situation where you are asked to help save your friends money by representing both sides in any transaction.  Friends and Family can and do sue.

So just a heads up to stay vigilant with COI checks so you don’t become part of the top 3. 

An Often Overlooked Risk Management Tip – Read Your Policy


I have an easy and surprisingly somewhat overlooked risk management tip for you. Read your policy. When was the last time you read yours?

When I speak to prospects and clients alike, I’m always a little bit surprised how many of them tell me they never, or very rarely, read their policy. Look, I know that we are all busy because our reading stack is very high. And after going through the application and quoting, no one is thinking about finishing the process by reading the policy.

Reading your policy is essential to the process and should supplement any risk management technique you utilize in your offices. The policy tells you who’s insured, what’s insured, what you’re supposed to do when and if you do get sued, your coverage limits, your deductible, and how much it actually costs. These are just to name a few.

The policy is also going to tell you what’s not covered, referred to as exclusions in the policy. And perhaps this is even more important than knowing what is covered.

So, don’t ignore my comments and do nothing. Take a moment and read it. You don’t need to become an expert in legal malpractice insurance. Just an informed consumer. A little knowledge in this matter will go a long way in your risk management efforts to avoid legal malpractice.

Social Engineering Aimed at Law Firms

“Amateurs hack systems, professionals hack people.” – Bruce Schneier

What is social engineering? 

Social engineering occurs when somebody pretends to be something that they’re not in order to get information from you for their own gain. We’ve heard a lot of stories that involve law firms and wire transfer fraud.

Common Social Engineering Schemes Aimed At Attorneys

There was a firm in North Carolina and they received a phone call, supposedly, from the bank saying, “We noticed some interesting activity on your account. I just want to verify we’re talking to the right person, what’s your username and password?” That firm gave the person on the phone their bank username and password. The bank said, “We’re gonna send you a code. We just want to make sure that you are who you are – let us know what the code is and then we’re going to talk about the issues with your account.” So instead, unbeknownst to the law firm, the people on the phone actually signed into their bank, initiated a wire transfer, and sent them the code needed for the wire transfer. So the law firm received the code and provided it to the people on the phone, they put it in, and then they went on to just have a fake conversation about what was wrong with their account. At the end, they said it just turned out to be an internal error and everything was fine. And 30 minutes later, the firm finds out that there was a wire transfer that they didn’t know about that they didn’t authorize. And in fact, it ended up being the person on the phone that allowed it all to happen.

This is a very common thing that we’ve been hearing more and more lately and it is a very common social engineering scheme aimed at attorneys.

Another one is, they’ll call you and appear like they are from a nonprofit, and they’ll try to, again, get some sort of wire transfer normally.

And then the final one that’s really, really common is they’ll send emails to you as your client. It’s actually quite easy to appear to send an email as somebody else. It’s called email spoofing. An eight-year-old could do it, it’s so easy. They’ll send emails to you as your client, and they’ll say, “Hey, are you at the office? Can we send a wire out today? I’m busy, just go ahead and do it and email me when it’s done.” Anytime you get anything like that from your clients, you will need to have something in place where there’s some sort of two factor authentication. It can be something as simple as this: if they email you, you have to talk to them on the phone before proceeding. Having processes in place to combat social engineering is, again, part of that knowledge that needs to happen.

Social engineering is definitely an issue, and attorneys are one of the main people that they’ll go after because you have access to such important information.

Is This Really Happening?

I can tell you that, obviously, there have been claims, and whether they’re funds transfers or just hacks into the system to try to get information such as Social Security numbers, EIN numbers, birth dates and health records of clients, it’s happening all the time, and it happens everywhere. The smaller law firms that don’t have a ton of money to spend on high-priced security systems are considered low-hanging fruit or, as I said, the easy targets for cyber criminals, so be careful.

In the past five years, banks have spent about $90 billion on guarding against social engineering. They’re making it a lot harder to get into their information.

Is Anyone Phishing for Your Firm?

In 2022, cyber criminals sent about 3.3 billion phishing messages and caused over 4000 data breaches. This exposed about 22 billion personal records.

What is Phishing?

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive information such as PII, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.

How do we fight phishing? 

Knowledge

Humans are the number one reason phishing schemes succeed. So knowledge is definitely going to be one of your big tools. Make your employees knowledgeable about phishing attacks and the common phishing attacks that are happening now, and answer any questions that they might have about these different security issues.

Safeguards

Over 50% of the attacks were caused by humans, but that other 40 something percent was caused by issues in the system. So having safeguards in place, such as a really good spam filter, can help fight against phishing.

And what’s interesting is, Google actually has better safeguards in place than Microsoft Office. Organizations that use Office 365 are more than three times as likely to experience a business email compromise when compared to Google Gmail for business.

One reason that’s probably true is because Microsoft only has access to their small amount of data that is Microsoft specific, whereas Google has access to 90% of the world’s data on the internet. So it would make sense that the Google spam filter and their email filters are much, much stronger, because they have access to so much more data.

Ways to spot phishing schemes

It contains an offer that’s too good to be true

If you’ve ever received an email that said “click here to claim your $500 reward”, they want you to go to a website and put in your name and your bank account so they can deposit that $500 reward. 

Language that’s urgent, alarming or threatening

In one week, we had three different clients send an email with the subject line “Urgent, your site has been hacked.” The email goes on to say: deliver $3,000 in Bitcoin, or we will take your website offline and put something else up in its place. So anytime you receive anything like that, that’s definitely a big key to spotting phishing.

Poorly crafted writing with misspellings and bad grammar

Now, this next one is not as prevalent anymore, with AI tools like ChatGPT becoming a lot more in tune. You and I know that no financial institution and no attorney is going to send out anything that has bad grammar. So that’s definitely a way to spot a phishing email.

Greetings that are ambiguous or very generic

You may receive an email that says hello gentleman, or welcome lady. Ignore these.

Requests to send personal information. 

This happens a lot with people pretending to be banks, or pretending to be PayPal. They’ll say, oh, there’s an issue with your account, click here to sign in and put in your financial information so we can verify it. Don’t do that. PayPal and banks have come out and said, we will never send you an email that’s like that, so that’s definitely an email to ignore. 

Urgency to click on unfamiliar hyperlinks or an attachment

A real website for a bank, credit card company, or other business won’t look or feel like it’s trying too hard. You won’t find important messages spread all over these sites. If you go to a site and it seems to have a lot of urgent messages that don’t seem to fit, you should check the URL to make sure you’re in the right place. Phishers use this kind of urgency to make it more likely that people will share sensitive information quickly and willingly.

Strange or abrupt business requests

In this type of phishing attack, the victim is sent an email from an address they know, like the CEO, the Human Resources Manager, or the IT support department. The email tells the victim that they need to act quickly and transfer money, update information about their employees, or install a new app on their computer.

Fuzzy or low resolution images

A company will never send you an email where their logo looks bad. If their logo looks bad or fuzzy, whoever sent it didn’t have access to the high resolution version of it. So it’s not from them. 

The sending email address doesn’t match the company where it’s coming from

So if they say, Hi, this is PayPal, but the address says PayPal1234@outlook.com, those two don’t mesh. And so, you know it’s not from PayPal.

What does a phishing email look like?

As an example, we have this email where you can see this isn’t the actual PayPal logo; it’s a little bit different and is missing a few features. It says “response required,” and the sending address is service.epaypal@outlook.com. The purpose of this email is to get you to click the login link and put in your username and password, so they have your PayPal username and password.
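Several of the signs above (sender address that doesn’t match the company, urgent language, generic greetings) and the phone-call rule for wire requests from the social engineering section can be checked mechanically on a message’s headers and text. The following is an added example, not part of the original article; the brand allow-list, the keyword lists and the three sample messages are constructed for illustration.

```python
"""Flag the phishing signs described above in a raw e-mail message."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for illustration: brands the firm deals with and the domains
# each one really sends from. Maintain your own list.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}
URGENT = ("urgent", "response required", "immediately", "act now")
GENERIC_GREETINGS = ("hello gentleman", "welcome lady", "dear customer")
PAYMENT_REQUEST = re.compile(r"\b(wire|bitcoin|transfer)\b")

def domain_of(address):
    """Return the lower-cased domain of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def belongs_to(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def body_text(msg):
    """Concatenate the text/plain parts of a message."""
    return "\n".join(
        part.get_payload() for part in msg.walk()
        if part.get_content_type() == "text/plain"
        and isinstance(part.get_payload(), str)
    )

def phishing_indicators(raw):
    """Return a list of (code, detail) findings for one raw message."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    domain = domain_of(address)
    findings = []
    # Sender claims a brand (display name or mailbox name) but the domain
    # is not one that brand sends from, e.g. PayPal1234@outlook.com.
    claimed = (display + " " + address.split("@")[0]).lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in claimed and not belongs_to(domain, allowed):
            findings.append(("sender-mismatch",
                             f"claims {brand}, sent from {domain}"))
    # Replies would go to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain:
        findings.append(("reply-to-mismatch",
                         f"{domain} -> {domain_of(reply_to)}"))
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    if any(phrase in text for phrase in URGENT):
        findings.append(("urgent-language", "pressure to act quickly"))
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        findings.append(("generic-greeting", "no named recipient"))
    # Any payment request by e-mail is confirmed by phone before proceeding.
    if PAYMENT_REQUEST.search(text):
        findings.append(("payment-request", "talk to the client by phone"))
    return findings

def codes(raw):
    """Just the finding codes, in the order they were raised."""
    return [code for code, _ in phishing_indicators(raw)]

# Constructed sample messages (not real mail).
SAMPLE_BRAND = """From: "PayPal" <service.epaypal@outlook.com>
To: attorney@firm.example
Subject: Response required

Hello gentleman, there is an issue with your account. Click here to log in.
"""
SAMPLE_CLIENT = """From: "Jane Client" <jane@client.example>
Reply-To: jane.client@mailbox.example
To: attorney@firm.example
Subject: Quick favor

Hey, are you at the office? Can we send a wire out today? I'm busy,
just go ahead and do it and email me when it's done.
"""
SAMPLE_LEGIT = """From: "PayPal" <service@paypal.com>
To: attorney@firm.example
Subject: Your receipt

Hi Alex, here is the receipt for your purchase.
"""

if __name__ == "__main__":
    for name in ("SAMPLE_BRAND", "SAMPLE_CLIENT", "SAMPLE_LEGIT"):
        print(name, phishing_indicators(globals()[name]))
```

A spoofed message that uses the client’s or brand’s exact domain in the From line passes the sender check, which is why a payment request is flagged for a phone call no matter who it appears to come from.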

Common phishing schemes

Account deactivation

Compromised credit card

Funds Transfer

Social media requests

Google Docs fake login 

IT support request 

Social engineering

Questions about anything in this article?  Contact Stacey Ivol at 412-563-2106 or email her at sivol@integrityfirstins.biz

What Makes a Good Password?

Did you know that, according to Pew Research, 39% of people use the same password for everything? Why is that bad? For example, Sony got hacked a few years ago, and what was really interesting was that the incidence of fraud didn’t just happen with Sony, but it went up at target.com and it went up at amazon.com. It went up kind of across the board, about 35 to 40%. And why is that? Because when one thing is hacked, the people that steal the data, actually take all of that information and try to use it online at as many places as they possibly can because they know that about a third of people use the same password for everything.

With that said, it’s really important to have a good password. And not only that, it’s important to have a different password for each account.

What constitutes a strong password? 

A strong password is typically at least 12 characters, and it consists of uppercase letters, lowercase letters, numbers and symbols. Now, we know that’s going to be a little bit difficult to remember. So typically, we recommend using songs or other things that are familiar to you to remember your passwords. For instance, say you are a Frank Sinatra fan. One of your passwords might use the phrase “fly me to the moon”, then add a symbol and some numbers.

So, make sure that your passwords that you have to remember are something that’s easy for you to remember. 

Using a password manager

The average American has over 120 passwords. Now, you can’t be expected to remember 120 passwords with 12 characters, uppercase letters, lowercase letters, numbers and symbols. One thing that we do recommend is a password manager. With a password manager, you only have to remember one password to get into the password manager, and then you can actually store all of your passwords within the password manager itself. 

What’s really nice about a password manager is it will help you create passwords that are secure as well. When you create a new password, you actually would just click on new, and then it will fill in the password for you if you want it to.

Good password manager examples

We’ve only put password manager examples on this list that have not been compromised in the commercial market. There are some other password managers on the market that have been compromised, so they didn’t make this list. Some examples are Dashlane, 1Password, Bitwarden, Keeper and KeePass. INF and Integrity First Technology Solutions both use KeePass.

You can see in the photo above, in a password manager you have your list of passwords, then you’ll have your username and your password. So let’s say you want to login to your bank. You will go to your bank’s website, you double click on your username, and then you click paste. And it would go right into the browser and then you would double click on the password, click paste, and then it would sign you in. 

So you just have to remember that one password to open your password manager, and then you have access to all of your usernames and passwords.

Two Factor Authentication

Another thing that goes along with passwords is two factor authentication, or you might have seen it as 2FA. Two factor authentication is an extra layer of security that actually would have helped all those people that had the same password for everything. So not only do you have to enter your username and password, but then there’s an extra step. This is most likely something that you have seen before. You’ll put in your username and password and then they’ll ask if you want to receive a phone call, a text message or an email with your one time verification code. 

Once you choose your verification method, they will send you your verification code just like it’s shown in the picture above. You would put the verification code in and then you can sign in to your account. 

We definitely recommend turning this on when you’re given the opportunity to do so, because it really is a very strong extra layer of protection, and it protects your accounts from hacks. If a company were to get hacked, they would get your username and password but they wouldn’t get access to your two factor authentication, they wouldn’t get access to your phone, or your email, so this would definitely help protect your account from any hack that happened.

The weakest link in the security chain

“Companies spend millions of dollars on firewalls, encryption and secure access devices and it’s money wasted. None of these measures address the weakest link in the security chain.” – Kevin Mitnick. What do you think is the weakest link in the security chain? If you said humans, you are correct!


Why Is Encryption Important?

There are ranges of encryption, but having encryption present is extremely important.

For instance, there was a person from an insurance company who went to a football game in Detroit and when he went to the restroom, he set his phone down. He didn’t have it locked, and he didn’t have any encryption on it. When he left the restroom, he forgot his phone and they actually ended up having a large data breach because whoever had the phone was able to access all his emails and any files that he had access to.

So device encryption is so important. Something as innocuous as “Oh, I left my phone in the restroom” could cause something huge. So how do you go about implementing that type of encryption?

Encrypting Apple Devices

If you have a Mac, encryption actually comes built in. So all you have to do, if you don’t already have it turned on, is turn on FileVault. You’ll go to your Security & Privacy settings, go to FileVault, and then you’ll click Turn On FileVault. When you turn on FileVault, you’ll be able to see your computer encrypting your data – it’ll just be a little progress bar.

Every time you then turn on your computer, you’ll have to put in your password twice, once for unlocking the computer and then once for unlocking the encryption. You’ll actually be able to again, see a little progress bar and it’ll say decrypting data. So you’ll see that it sits at rest in an encrypted state. If somebody were to steal your Mac, your data would be encrypted. 

Now with your iPhone, as long as you have iOS version 8.0 and up, and about 95% of devices do have iOS 8.0 and up, the iPhone actually encrypts as soon as you add a passcode or password. The way to check that you have your passcode or password turned on, number one, is that whenever you open your phone, you have to put in a password. And number two, if you go to your Settings, click on Face ID & Passcode and scroll all the way down to the bottom, you’ll see a little sentence that says “Data protection is enabled.” As long as data protection is enabled, that means that your iPhone is sitting encrypted.

Encrypting Microsoft Devices

Now, let’s say you have a Microsoft device. If you have a Microsoft device with Windows Pro on it, BitLocker is the encryption software that they use. If you have a Windows machine that is the Pro version, all you have to do is go to the Control Panel, look up BitLocker, and then turn on BitLocker. And again, a progress bar will show and you’ll see that the device will now have the data sitting encrypted.

Now, if you have Windows Home and not Windows Pro, you are able to upgrade. The upgrade costs anywhere between $100 to $120, depending upon the sales that they have going on at the time. Once you go from home to pro, then BitLocker will become available, and you can turn BitLocker on and encrypt your Microsoft device. 

Encrypting Android Devices

Finally, if you have an Android device running Android 4.4 or lower, what you’ll need to do, under Security, is add a PIN and then enable encryption. If you have an Android device running OS 5.0 or greater, most devices are actually encrypted by default with a password. All you have to do is, again, check your security menu to see that option. Go to your security menu and then scroll down and it will say encryption is on. So as long as you see “encryption on”, your Android device is protected.

Bonus Tip – Set Phone Notifications So They Don’t Appear On Your Lock Screen

Now, as kind of a bonus tip, one way you can inadvertently show data is if your phone is locked and your phone notifications still show. It’s possible that you could have your phone out or on a table or with another client and you could actually have a notification show on your lock screen.

It might say you have an email from someone, it might show you the first line, or it can show you all the text from an actual text message. Depending upon your situation, you don’t typically want other people to be able to see your notifications. So we recommend turning those off. That way your notifications won’t be visible unless a password is entered.

Learn how to do this on an Apple device

Learn how to do this on an Android device

Once you set this up, if your phone is off or in lock mode, you will not get any type of notifications that show anything without your password being entered. 

Have any questions about the topic discussed in this article? Contact us today at 412-563-2106.

Top 5 Things To Look At When Purchasing A Legal Malpractice Policy

When it comes time to purchase or renew a legal malpractice policy, most people focus on price, which is not a bad thing. If it’s not the top priority, it is certainly in the top five. There are, however, other items that should be included on that list. Today, I want to give you my top items on my list in no order of importance. 

1. Prior acts coverage. Why is that important? Most claims filed against lawyers stem from professional services they provided five or more years ago. You don’t want a policy that excludes that type of claim.

2. Definition of professional services. Many lawyers wear many hats when providing professional services, acting as an arbitrator, mediator, trustee, guardian, and title agent, just to name a few. Make sure that these services are not excluded in the policy that you purchase.

3. Speaking of exclusions, number three is exclusions. I’ve long said that if you’re going to read only one section of the policy, read the exclusion section. At least this gives you some idea of what is not going to be covered under the policy. I have seen policies that have fewer than 10 exclusions. I’ve seen policies that have more than 25 exclusions. I’m not saying that the policy with 25 exclusions is any worse than the one that has 10 exclusions, but you need to read them and see whether any of them apply to you.

4. Extended reporting periods or extended reporting coverages. It’s commonly referred to as tail coverage. In the event that you quit practicing law, or you retire from the private practice of law, this provision will allow you to purchase an endorsement that allows you to report future claims that are filed against you for services that you performed in the past that would have been covered under your last policy. 

5. We’re going to come full circle and back to price. Price is important. Nobody wants to overpay for a policy. But please remember your objective when you first started the process. Your objective should have been to find a policy that provides the coverage you need and protects both you and your client all at a reasonable cost. 

There you have it, my top five list for now.

Use These Tips When Filling Out Your Renewal Application

Every year, most insured lawyers are asked by their carrier to complete a renewal application. Now, I can hear the collective moans coming from the offices before we even send out the renewal application. I’ll be the first to admit that the applications can be long and contain confusing questions. But keep in mind, this is the only time the carrier can get a complete picture of your firm, you need to take advantage of this. 

You need to let the carrier know what your practice is, how your practice is doing, and what you are doing to reduce risk in your office. You do this by answering all of the questions on the application completely. Unanswered questions or incomplete details only cause more questions and increase the back and forth between client and carrier. Take the time to read each question. Don’t assume you know what the carrier is asking for. 

There is one question on the application that I think causes concern, or at least causes me concern. And that is the area of practice grid. That’s the chart on the application where you are asked to put in a percentage for the areas where your firm is playing. Now, some carriers will ask for that percentage to be listed as a percentage of your time spent. Other carriers will ask for that percentage to be listed as a percentage of the revenue of the firm. Answering that question one way or the other will create a substantially different picture of your firm and definitely have an effect on the premium that you pay.

So please, again, make sure that you’re reading each question and answering those questions completely. You’ll be glad that you did.

Early Reporting of Claims and Potential Claims

Many of our risk management video tips center on the need for early reporting of claims and potential claims, a very important risk management tip. In this same vein, I want to talk about the angry client.

Many insureds have had this situation where a client unexpectedly shows up at the office, or calls you on the phone to express their displeasure about something you did or something that has happened. 

Perhaps their case is taking too long. They haven’t heard from you in a few weeks, their phone call wasn’t returned, or they’re just not feeling the love from your office. Don’t just shrug this off as that’s just Joe being Joe, or they just want to blow off steam, or you convince yourself that nothing you did was wrong or incorrect and it’ll blow over. 

Unfortunately, many insureds take this approach and find themselves embroiled in a legal malpractice suit down the road. As with any claim or potential claim, report the issue, let the carrier know about it and let them decide if it meets the definition of a claim or potential claim. And if you don’t report it, at least call the malpractice hotline that may be available to you from your carrier. Most insurance carriers do provide a hotline for this type of situation and you would be well advised to use it. It is part of the benefits program of being an insured.

Don’t be the cautionary tale of an unhappy client.