I just got back from playing a round of golf, and while I had a great time thanks to my playing partner, my actual game was pretty lousy. Like most golfers, on the drive home I caught myself thinking: maybe it’s time for a new putter, a different set of clubs, or a new brand of golf balls.

But then it hit me — my clubs didn’t suddenly get worse in the past two weeks. My golf balls didn’t change. And my putter didn’t lose its magic. The truth was simple: it wasn’t the equipment, it was me.

My tempo was off. I was swinging too fast. I wasn’t focused. And that got me thinking: the same thing happens in business — especially in law firms.

The “Equipment” Problem in Law Firms

When something goes wrong in a firm — a missed statute of limitations, a conflict of interest issue, or a client complaint — our first instinct is often to blame the system.

• “The calendaring program let us down.”
  
• “The conflict checker didn’t catch it.”
  
• “We need a better case management tool.”
  

That knee-jerk reaction leads many attorneys to shop for the “latest and greatest” software. But just like with golf, buying new equipment doesn’t always solve the problem.

It’s Not the Tools, It’s the Process

Before rushing out to invest in new programs, it’s worth asking: Are we using the systems we already have, properly and consistently?

A few examples to consider:

• Calendaring systems: Are you and your staff updating them daily without fail?
  
• Conflict of interest checks: Are all clients, former clients, and ownership interests properly logged?
  
• Client documentation: Are you recording every conversation, every update, in the system right away — or are you telling yourself you’ll “do it later” and never getting back to it?
  

When these steps slip, it’s not the software that failed. It’s the process.

A Weekly (or Bi-Weekly) Check-In

The fix isn’t shiny new tools. It’s discipline. Take a few minutes each week — or at least every two weeks — to sit down with your team and review:

• Are we updating systems the way we should?
  
• Are we putting in accurate, complete information?
  
• Are we letting bad habits slide?
  

Your systems are only as good as the information you feed into them. If you don’t use them consistently, even the most expensive software won’t save you.

Back to the Golf Course

Golf taught me this: you don’t need a brand-new set of clubs every time you have a bad round. You need to slow down, adjust your swing, and focus on the fundamentals.

In the same way, law firms don’t always need new programs when mistakes happen. They need to look inward, review processes, and make sure the team is disciplined in using the systems already in place.

Remember: success isn’t about the latest equipment — it’s about how you use it.

Lawyers often ask for proof that cyber events and data mistakes really hit small firms—and what those losses look like in dollars. Below are two real-world claim scenarios to help you see how quickly costs add up and which safeguards (and coverages) matter most.

#1: Shared Office, Shared IT… Total Data Loss

The setup:

A three-lawyer firm subleased space from a larger firm and piggy-backed on the larger firm’s IT. To “separate” data, the small firm was given its own file server (originally used for email).

What went wrong:

The larger firm’s IT admin backed up email, formatted the shared server, and reinstalled software—but forgot to back up the small firm’s files. Result: complete data loss and an operational shutdown while the firm tried to rebuild.

Documented impact:

• Data restoration expenses: $23,000
  
• Lost billable hours: roughly $98,900 (about “$99k” in the narrative)
  

Why this matters:

Not every disaster is a hacker. Plain old human error and poor segregation of systems can be just as destructive.

How to prevent this (practical steps):

• Own your backups (don’t rely solely on a landlord’s/host firm’s IT). Use a 3-2-1 backup strategy and test restores.
  
• Put clear, written data-segregation and change-management terms in your office/IT agreement.
  
• Keep off-network backups (immutable/cloud snapshots) and run recovery drills twice a year.
  
• Maintain a simple RPO/RTO target (how much data you can afford to lose/how fast you must be back).
  

Where insurance can help (policy-dependent):
Cyber policies with data restoration and business interruption coverage can respond to accidental data loss; some tech E&O or malpractice policies may also come into play depending on facts. Terms vary—review your policy.

#2: Cloud Downgrade → Confidential Case Exposed

The setup:

A firm used a cloud storage provider with two tiers: free and premium. The premium tier kept data private; the free tier made content searchable/downloadable by others.

What went wrong:

The firm missed the renewal. The account reverted to the free tier, quietly exposing the firm’s files online for months. During that window, third parties downloaded details of a sensitive whistleblower matter.

Documented impact (one case):

• Notification costs: $27,000
  
• Defense expenses: $35,000
  
• Damages: $2,150,000
  
• Fines & penalties: $120,000
  
• (Additional client lawsuits were pending and not included in these totals.)
  

Why this matters:

Most breaches aren’t Hollywood hacks—they’re misconfigurations, missed renewals, or lax vendor settings.

How to prevent this (practical steps):

• Use auto-renew with multiple payment methods and billing alerts for critical SaaS tools.
  
• Enforce least-privilege access, MFA, and default private sharing settings; require approvals for any public link.
  
• Turn on configuration monitoring and data-loss prevention (DLP) alerts for exposure of sensitive matter names/IDs.
  
• Keep a data map: what you store, where it lives, who can access it, and how long you keep it.
  

Where insurance can help (policy-dependent):

Cyber policies commonly address privacy liability, regulatory investigations (where insurable), breach response (forensics, notifications, PR), and defense. Coverage for fines/penalties depends on jurisdiction and policy language. Some professional liability (LPL) policies may also respond to alleged ethical violations—review both with your broker.

What These Stories Prove

• It’s not just “hackers.” Human error and billing lapses can trigger seven-figure exposure.
  
• Shared or “free” is risky. If you don’t control the system, you don’t control the risk.
  
• Time is money. Even “small” incidents bleed billable hours and momentum.
  

Insurance is a backstop, not a substitute for sound IT practices.

10-Point Cyber Hygiene Checklist for Small & Mid-Size Firms

1. 3-2-1 backups with quarterly restore tests
   
2. Vendor billing safeguards (auto-pay + backup card + calendar reminders)
   
3. MFA everywhere (email, practice management, cloud storage, VPN)
   
4. Least-privilege access and quarterly access reviews
   
5. Encrypted, private-by-default cloud repositories; ban public links
   
6. Patch/update cadence for OS, apps, and network devices
   
7. Incident Response Plan with breach-coach contact and a tabletop twice a year
   
8. Data map & retention policy (limit what you store; purge on schedule)
   
9. Security awareness training (phishing, sharing, and file-handling)
   
10. Annual policy review (cyber + LPL) to close obvious gaps

These aren’t edge cases—they’re everyday risks for modern law practices. A few process tweaks plus the right blend of cyber and malpractice coverage can be the difference between an expensive lesson and a swiftly managed incident.

I recently read something eye-opening in an insurance journal — a reminder that cybercrime isn’t just evolving, it’s organizing.

There are now cybercriminal groups that no longer just pick off random companies with weak cybersecurity. Instead, they target entire industries, strategically identifying and exploiting vulnerabilities across the sector. 

One such group is known as Scattered Spider, and their newest target? The insurance industry.

In recent months alone, major players like Philadelphia Insurance Company, Erie Insurance, and Aflac have been hit with significant cyberattacks. These breaches not only disrupted their operations, but in Erie’s case, have already led to multiple class action lawsuits.

Let’s think about that…

These are companies that:

• Handle sensitive data every day
• Have risk management baked into their company DNA
• Invest hundreds of thousands of dollars (if not millions) into cybersecurity infrastructure
  

… and they still got breached.

So here’s the question every law firm should be asking:

If these highly protected insurance companies aren’t safe, what makes you think your firm is?

The Ugly Truth – Law Firms Are Prime Targets

You might be thinking, “We’re a law firm — not an insurance company. Why would hackers bother with us?”

Here’s why:

• You store the same type of sensitive data: personal information, financial records, privileged communications.
• You likely don’t have the same kind of IT budget or internal safeguards that large insurers do.
• And from a hacker’s perspective, that makes you low-hanging fruit.
  

Whether you’re a solo practitioner in Pittsburgh or part of a mid-sized firm in Cleveland, you’re exposed — and attackers know it.

The Smart Next Step For Your Firm: Cyber Liability Insurance

Even if you have antivirus software, firewalls, and employee training in place (and you should), there’s another essential layer of protection… 

A tailored cyber liability insurance policy.

This isn’t just about protecting your firm — it’s about protecting your clients and your reputation. A single breach can take down your operations, cost tens of thousands in recovery, and damage your trust with clients.

Cyber policies are more affordable than most firms realize, especially compared to the cost of recovering from an attack.

Want to Learn More?

I go deeper into these risks and solutions in my book, Game Over? Not Today! 

It’s written specifically for professionals like you — attorneys, advisors, and business owners who want to understand the threat landscape and take action before it’s too late.

Pick up my free book today here -> https://bit.ly/INF-Game-Over-Not-Today 

Stop procrastinating. Protect your firm, your data, and your clients.

If you’re in Pennsylvania or Ohio and want to explore your cyber coverage options, I’d be happy to help.

I’m Don Ivol — your insurance guy.