Lessons Learned after a Data Breach or E-mail Phishing Scam

A proposed class action was filed against an Insured accountant after their clients received a phishing email. “Phishing” is a fraudulent attempt to obtain sensitive information by masquerading as a trustworthy party in an e-mail communication, website, or other electronic communication. In our case, the fraudsters sent emails to all of the Insured’s clients which looked like a legitimate message from the Insured. A copy of the email is listed below with the names changed to protect privacy.

There are a few hints in the content of the email that might alert a client that the email was a phishing attempt like the fact that the client is not addressed by name, the Insured had never mentioned Google Docs or SecureAcess before, and the language syntax is a bit unusual. However, the e-mail address appeared legitimate, the premise seemed reasonably related to accounting matters, and the fraudster even included an Avast email signature indicating that the message came without virus or malware.

One of the Insured’s clients called the Insured to ask about the email and the Insured quickly realized that their firm had been the victim of a phishing attempt. The Insured send out an email to all of their clients advising them not to open the SecureAcess email. However, Insured’s response to the phishing scam did not conform to industry best practices after a potential data breach. Shortly after the Insured’s response to the phishing scam, the Insured was sued for violations of certain state privacy laws, consumer fraud and deceptive business practices, and negligence due to the breach of the Insured’s security system as contained in the phishing email.
Accounting professionals are required to protect confidential client information which includes Personally Identifiable Information, Sensitive Personal Information, and social security numbers. To complicate matters, taxpayer identity theft and other attempts at data breach occur regularly and are likely on the rise with the IRS paying $5.8 billion in fraudulent tax refunds for 2013. Accountants need to develop a strategy for data protection, but they also need to know what to do when their efforts fail and there is an actual or even potential data breach.
The Great American Insurance Accountants Professional Liability Insurance Policy (12 17 edition) provides for assistance after a Security Incident which is defined as “the unauthorized access to or use of data containing private or confidential information in connection with the performance of Professional Services, which results in the violation of any privacy regulation.” The Policy provides for Supplementary Payments in Section VI. As follows:

• B. Reimbursement for Security Incident The Company will reimburse the Named Insured for the following response expenses incurred by the Named Insured in responding to a Security Incident the Named Insured first discovers and reports in writing to the Company during the Policy Period. The maximum amount payable shall be $25,000 for all Security Incidents discovered and reported during the Policy Period, regardless of the number of Security Incidents or the number of Insureds. Security Incident response expenses are:
  1. reasonable fees and expenses by cyber forensic analysts to determine the extent of the Security Incident; or
  2. reasonable fees and expenses by attorneys or consultants to comply with federal, state or local privacy laws requiring that notification or credit monitoring services be provided to individuals when the security, confidentiality, or integrity of their personal information has been compromised by the Security Incident.

  by Kim DeMarinoo.