Application Management

Posted on November 17, 2025 by Audrey Merckling

Today I wanted to share an important reminder that too many attorneys learn the hard way: renewal application management matters. In fact, it can make the difference between keeping decades of prior acts coverage… or losing it overnight.

A Real Conversation With a Real Consequence

I recently spoke with an attorney who was considering switching their legal malpractice coverage over to us. They told me they’d had continuous coverage for more than 20 years — never a lapse, never a break.

But when I reviewed their current policy, something immediately stood out:

Their retroactive date was only a couple of years old.

If you’ve carried uninterrupted coverage for two decades, that should never happen. So I asked, “What’s going on with this retro date?”

The answer was painful.

A few years back, their firm submitted their renewal application late. The carrier still issued a quote — but with a new retroactive date. That single change wiped out nearly 20 years of prior acts coverage. One late renewal. One technicality. A massive loss of protection.

Don’t Let This Happen to Your Firm

We’re heading into the busy season — holidays, year-end work, family commitments, and a general whirlwind of “I’ll get to it later.” But your legal malpractice renewal application is not something to push back.

Treat it like you would a statute of limitations.
Put it in your calendaring system.
Enter reminders at 120 days, 90 days, 60 days, and even 30 days before renewal.

Whatever you do, don’t assume you can complete your application on December 30 for a January 1 renewal and expect the carrier to turn it around in time. Most carriers need 20–25 days to properly underwrite your file. You might get lucky once — but luck is not a strategy.

The Stakes Are Too High

Imagine carrying legal malpractice insurance your entire career — 20 or 30 years — only to lose all those prior acts because your renewal was late by a day or two.

It happens.
It’s brutal.
And it’s completely avoidable.

Final Thoughts

If you take nothing else from this story, take this:
Calendar your renewal like a critical deadline.
Protect your prior acts coverage.
Don’t give a carrier any reason to strip away decades of protection simply because paperwork arrived late.

Why You Should Be Protecting Company Devices This Fall

Posted on November 3, 2025 by Audrey Merckling

It’s officially fall. And with fall comes football season. And with football season… comes fantasy football.

While I was at the coffee shop today, I couldn’t help but notice how many people were glued to their phones and laptops — talking about who to start at quarterback, what team to bet on, and furiously updating their lineups.

As I watched, one thought crossed my mind:

How many of those devices are company-issued?

The Overlooked Risk of Company Devices

If you’re an employer — whether you have five employees or five hundred — and you provide laptops or mobile phones for work use, it’s worth asking:

Do you really want your company devices being used for things like fantasy football, online betting, or personal gaming?

Beyond productivity concerns, there’s a serious cybersecurity angle here. Those fantasy sports platforms, betting apps, and community forums aren’t always the most secure. Employees visiting those sites on a work device could be exposing your company’s data to malware, phishing attempts, or data leaks — all while trying to swap out the Green Bay Packers’ defense for the Pittsburgh Steelers’.

Why You Need a Clear Device-Use Policy

If your company doesn’t already have a policy in place outlining what employees can and can’t do on company-issued technology, now’s the time to create one.

A clear, written policy helps:

Protect your network from unnecessary exposure.
Reduce legal and compliance risks tied to inappropriate or unsafe use.
Set expectations so employees know what’s acceptable during work hours (and on work devices).

It doesn’t have to be complicated — just clear, consistent, and enforced.

A Simple Step Toward Stronger Security

As an insurance guy, I’ve seen firsthand how one small oversight — like an unsecured login on a fantasy sports site — can lead to costly consequences for a business.

So while I finish my cup of coffee and enjoy the crisp fall air, here’s my advice:

Take a look at your company’s device-use policy (or create one if it doesn’t exist yet). It’s a small step that can save you from a big headache later.

Until next time — stay smart, stay secure, and enjoy the season.

Cybersecurity Myths Lawyers Still Believe

Posted on October 28, 2025 by Audrey Merckling

Even in 2025, many law firms are still making the same dangerous mistake — assuming they’re too small, too secure, or too “tech-savvy” to be hacked.

Spoiler alert: those are myths.

Let’s bust some of the biggest misconceptions about cybersecurity that could be putting your law firm — and your clients — at serious risk.

Myth #1: “Hackers Only Target Big Firms”

Many attorneys believe cybercriminals only go after giant firms with massive case files and deep pockets.

The truth? Small and mid-sized firms are often easier targets because hackers assume your defenses are weaker.

Think about it — stealing just a few real-estate transaction details or trust-account logins can be a huge payday for a cybercriminal.

📊 Did you know?
43% of all cyberattacks now target small businesses.

If your firm handles sensitive data (and whose doesn’t?), you’re already on the radar.

Myth #2: “Our IT Guy Handles Everything”

Having a good IT professional is important — but cybersecurity isn’t just a tech problem.

It’s a people problem.

Hackers rely on human error — that one employee who clicks a phishing link or opens an infected attachment. Even the most experienced IT team can’t stop someone from making a simple mistake.

That’s why training matters more than technology.

Every member of your staff should know how to spot fake emails, suspicious requests, and signs of a breach before it’s too late.

Myth #3: “The Cloud Keeps Us Safe Automatically”

Cloud storage is convenient — and often more secure than local servers — but it’s not foolproof.

The cloud is only as safe as your settings, passwords, and access controls.

Imagine leaving your office file cabinet unlocked because your building has security cameras. That’s what happens when you rely on the cloud but ignore user permissions or password strength.

✅ A Secure Cloud: Strong passwords, limited access, MFA enabled
❌ An Unsecured Cloud: Shared logins, weak passwords, open access

The difference between the two? One data breach away from disaster.

Myth #4: “It Won’t Happen to Us”

This is the most dangerous myth of all.

Cyberattacks aren’t a question of if — they’re a question of when.

Law firms are prime targets because they handle confidential client data, financial records, and case files that can be exploited or sold.

Every firm, regardless of size or specialty, needs to assume they’re a target and prepare accordingly.

Don’t wait to react — prepare now.

How to Stay Ahead of Cyber Threats

Now that we’ve busted some myths, here’s how to keep your firm protected:

Train your team regularly.
Make cybersecurity awareness part of your firm’s culture.
Use strong passwords and multi-factor authentication.
A few seconds of inconvenience can prevent months of chaos.
Have a response plan.
Know who to call, what to do, and how to communicate if something goes wrong.

Cybersecurity doesn’t have to be complicated or scary. By staying informed and ditching outdated myths, you can keep your clients, your data, and your reputation secure.

For real-world stories and practical protection strategies, check out Game Over? Not Today! by Don Ivol — a great read for any professional serious about defending their business against modern threats.

Stay smart. Stay safe. And keep busting those myths.

Deepfakes & AI Voice Scams: The Next Wave of Social Engineering

Posted on October 20, 2025 by Audrey Merckling

Imagine this…

You get a voicemail from your managing partner instructing you to wire funds immediately to close a deal.
The voice is unmistakably theirs — the same tone, cadence, even the familiar urgency.
You make the transfer… only to discover later that your partner never made the call.

Scary, right?
It’s not science fiction anymore. It’s happening right now — and law firms are among the prime targets.

How AI Is Supercharging Scams

Artificial intelligence is transforming how we work, communicate, and market — but it’s also arming cybercriminals with disturbingly powerful tools.

With just a few seconds of recorded speech — perhaps from a webinar, a YouTube clip, or even a voicemail — scammers can now use deepfake and AI voice cloning technology to recreate someone’s voice almost perfectly.

They use these fake voices to:

Call your office pretending to be a partner or client
Leave urgent voicemails requesting fund transfers
Send recorded messages convincing enough to trick even cautious employees

It’s the next generation of social engineering — and it’s frighteningly effective.

Why Law Firms Are Prime Targets

Law firms make ideal victims for AI-driven scams for several reasons:

Large Transactions: From settlements to real estate closings, firms often handle significant sums of money.
Public Communication: Many attorneys appear in hearings, interviews, webinars, or firm videos — providing plenty of voice samples to clone.
High Trust Environments: Attorneys, clients, and staff rely on established relationships and quick communication. When a familiar voice calls, few people question it.

That combination of accessibility, authority, and trust makes the legal sector especially vulnerable to deepfake and voice-cloning scams.

A Real-World Near Miss

Just a few months ago, a law firm nearly wired hundreds of thousands of dollars after receiving a voicemail that appeared to be from its managing partner. The message was urgent, specific, and completely believable.

Thankfully, a sharp-eyed paralegal hesitated and verified the request through another channel — preventing a catastrophic loss. But many firms aren’t so lucky. The scams are evolving faster than most people realize.

How to Protect Your Firm

The best defense against deepfake and AI voice scams isn’t fear — it’s preparedness.
Here’s how to safeguard your team and clients:

1. Verify Unusual Requests

Never rely on a single voicemail, text, or email — even if it sounds or looks legitimate.
Always confirm any urgent or high-value request in person or by calling a known, verified number.

2. Establish a Firm Policy

Create and enforce a rule such as:

“No wires or major actions without verbal confirmation from two trusted people.”

That simple step can stop most scams before they start.

3. Educate Your Team

Train everyone — attorneys, paralegals, and administrative staff — to recognize that voices and even videos can be faked.
Awareness is the most powerful security tool you have.

4. Limit Public Voice Samples

Be thoughtful about how much of your voice appears online.
When possible, restrict recordings or use watermarking technology to protect sensitive communications.

Deepfakes and AI voice scams represent the next wave of social engineering — but they’re not unbeatable.
By slowing down, verifying information, and building a culture of cybersecurity awareness, your firm can stay one step ahead.

Bonus Resource

For more real-world examples of digital deception and practical tips to protect your business, check out Game Over? Not Today! by Don Ivol — a must-read for any attorney serious about cybersecurity.

Stay Vigilant, Stay Informed

Deepfakes may mimic a voice, but they can’t replace human judgment.
Trust your instincts, double-check requests, and keep your firm — and your clients — safe from the next wave of AI-powered fraud.

The $8.5 Million Mistake: How Real Estate Wire Fraud Can Destroy a Closing Overnight

Posted on October 13, 2025 by Audrey Merckling

Your client wires $8.5 million to close on their dream property… but the money never reaches the seller.

Instead, it lands in a criminal’s account — and disappears forever.

This isn’t a thriller or a cautionary tale told at legal seminars.
It’s happening to law firms, title companies, and real estate professionals across the country right now.
And if you’re not taking precautions, it could happen to you.

How Real Estate Wire Fraud Works

Wire fraud schemes are disturbingly simple — and brutally effective.

Hackers infiltrate a lawyer’s or real estate agent’s email account, often by exploiting weak passwords or phishing links.
Once inside, they quietly monitor communication for weeks or even months, studying how you and your clients talk about the transaction.

Then, just days before closing, they strike.

They send your client a fake email — nearly identical to yours — with “updated wiring instructions.” The logo matches. The tone matches. Even the signature block looks right.

Except for one tiny detail:
The email address is off by a single letter.

Example:
Real: lawyer@firm.com
Fake: lawyer@firrn.com

Your client, eager to finalize the deal, follows the instructions and wires the funds — straight into the hacker’s account.
By the time anyone notices, it’s too late.

Why Attorneys Are Prime Targets

Real estate closings are a gold mine for cybercriminals:

They involve large sums of money
They happen under tight deadlines
They require constant communication among buyers, sellers, lenders, agents, and attorneys

When stress is high and time is short, mistakes happen — and hackers count on it.
And when millions vanish, the first question everyone asks is:

“Who’s responsible?”

All too often, the finger points at the attorney.

A 3-Step Plan to Stop Wire Fraud Cold

The good news?
You can prevent most wire fraud attempts with three simple steps.

1. Verify Wiring Instructions by Phone

Before any funds are transferred, have your client call a known, trusted phone number to confirm the wiring details.
Not the number in the email — the one you gave them at the start of the engagement.
Even a 30-second phone call can save millions.

2. Educate Your Clients Early

Make it part of your onboarding process to warn clients about wire fraud.
Tell them exactly what to expect — and what not to.
Use this simple script:

“We will never send you wiring instructions by email without verbal confirmation.”

Setting expectations early can eliminate panic and prevent confusion when scammers strike.

3. Use Secure Communication Tools

Whenever possible, send wiring instructions and sensitive details through encrypted portals instead of email.
Think of it as locking the message in a safe instead of dropping it in an open mailbox.

Final Thoughts

Wire fraud isn’t just a technology problem — it’s a people problem.

Hackers rely on trust, urgency, and human error to make their schemes work.
But by slowing down, verifying, and securing your communication, you can protect your clients, your firm, and your reputation.

Bonus Tip: Want to Learn More?

For more real-world stories about cyber risks facing attorneys, check out Don Ivol’s book Game Over? Not Today!
It’s packed with lessons and strategies to help professionals stay one step ahead of cyber threats.

The Hidden Dangers of Public Wi-Fi for Attorneys

Posted on October 6, 2025 by Audrey Merckling

Would you hand your briefcase full of confidential client files to a total stranger at Starbucks?
Probably not.

But every time you hop on public Wi-Fi without protection, that’s basically what you’re doing — without even realizing it.

The Illusion of “Free” Wi-Fi

Public Wi-Fi networks at airports, hotels, and coffee shops seem harmless — even convenient. But here’s the truth: these networks are wide-open doors for cybercriminals.

Hackers can launch what’s known as a “man-in-the-middle” attack, which means they slip between you and the internet, secretly watching everything you send — emails, client documents, and even your login credentials.

It’s like passing your case files through a stranger who reads every page before forwarding it along.

Why Attorneys Are Prime Targets

As an attorney, you handle some of the most sensitive information imaginable — from real-estate transactions and business deals to medical records and trust accounts. A single intercepted email could lead to:

A breach of client confidentiality
Wire fraud involving client trust accounts
Or even a malpractice claim

And let’s face it — your reputation is everything. One careless connection on public Wi-Fi could cost you clients, your credibility, and potentially thousands in damages.

How to Protect Yourself (and Your Clients)

The good news? Protecting yourself doesn’t have to be complicated. Here are three quick ways to stay secure when working remotely:

1. Use a VPN (Virtual Private Network)

A VPN encrypts your connection, locking your data in a secure “briefcase” before it travels online. Even if someone intercepts it, they can’t read it.

2. Use Your Phone’s Hotspot

When possible, connect through your mobile data instead of public Wi-Fi. Your phone’s network is far more secure than that “free coffee shop Wi-Fi.”

3. Double-Check the Network Name

Hackers often set up fake Wi-Fi networks with names like “Free Hotel Wi-Fi” or “Airport Guest.” Always verify the exact network name before connecting — or ask an employee to confirm it.

These small steps make it dramatically harder for cybercriminals to snoop on your information.

Cybersecurity Is Client Protection

Cybersecurity isn’t just about safeguarding your computer — it’s about protecting your clients, your firm, and your reputation.

So the next time you’re working outside the office, take a moment before you connect. A little caution now can save you a massive headache later.

Optional Add-On (for Don’s Book Mention)

For even more cybersecurity tips tailored to law firms, check out Don Ivol’s book, Game Over? Not Today! — your guide to understanding the cyber risks every attorney needs to know.

Real-Life Cyber Claim Examples With Don Ivol

Posted on August 25, 2025 by Audrey Merckling

Lawyers often ask for proof that cyber events and data mistakes really hit small firms—and what those losses look like in dollars. Below are two real-world claim scenarios to help you see how quickly costs add up and which safeguards (and coverages) matter most.

#1: Shared Office, Shared IT… Total Data Loss

The setup:

A three-lawyer firm subleased space from a larger firm and piggy-backed on the larger firm’s IT. To “separate” data, the small firm was given its own file server (originally used for email).

What went wrong:

The larger firm’s IT admin backed up email, formatted the shared server, and reinstalled software—but forgot to back up the small firm’s files. Result: complete data loss and an operational shutdown while the firm tried to rebuild.

Documented impact:

Data restoration expenses: $23,000
Lost billable hours: roughly $98,900 (about “$99k” in the narrative)

Why this matters:

Not every disaster is a hacker. Plain old human error and poor segregation of systems can be just as destructive.

How to prevent this (practical steps):

Own your backups (don’t rely solely on a landlord’s/host firm’s IT). Use a 3-2-1 backup strategy and test restores.
Put clear, written data-segregation and change-management terms in your office/IT agreement.
Keep off-network backups (immutable/cloud snapshots) and run recovery drills twice a year.
Maintain a simple RPO/RTO target (how much data you can afford to lose/how fast you must be back).

Where insurance can help (policy-dependent):
Cyber policies with data restoration and business interruption coverage can respond to accidental data loss; some tech E&O or malpractice policies may also come into play depending on facts. Terms vary—review your policy.

#2: Cloud Downgrade → Confidential Case Exposed

The setup:

A firm used a cloud storage provider with two tiers: free and premium. The premium tier kept data private; the free tier made content searchable/downloadable by others.

What went wrong:

The firm missed the renewal. The account reverted to the free tier, quietly exposing the firm’s files online for months. During that window, third parties downloaded details of a sensitive whistleblower matter.

Documented impact (one case):

Notification costs: $27,000
Defense expenses: $35,000
Damages: $2,150,000
Fines & penalties: $120,000
(Additional client lawsuits were pending and not included in these totals.)

Why this matters:

Most breaches aren’t Hollywood hacks—they’re misconfigurations, missed renewals, or lax vendor settings.

How to prevent this (practical steps):

Use auto-renew with multiple payment methods and billing alerts for critical SaaS tools.
Enforce least-privilege access, MFA, and default private sharing settings; require approvals for any public link.
Turn on configuration monitoring and data-loss prevention (DLP) alerts for exposure of sensitive matter names/IDs.
Keep a data map: what you store, where it lives, who can access it, and how long you keep it.

Where insurance can help (policy-dependent):

Cyber policies commonly address privacy liability, regulatory investigations (where insurable), breach response (forensics, notifications, PR), and defense. Coverage for fines/penalties depends on jurisdiction and policy language. Some professional liability (LPL) policies may also respond to alleged ethical violations—review both with your broker.

What These Stories Prove

It’s not just “hackers.” Human error and billing lapses can trigger seven-figure exposure.
Shared or “free” is risky. If you don’t control the system, you don’t control the risk.
Time is money. Even “small” incidents bleed billable hours and momentum.

Insurance is a backstop, not a substitute for sound IT practices.

10-Point Cyber Hygiene Checklist for Small & Mid-Size Firms

3-2-1 backups with quarterly restore tests
Vendor billing safeguards (auto-pay + backup card + calendar reminders)
MFA everywhere (email, practice management, cloud storage, VPN)
Least-privilege access and quarterly access reviews
Encrypted, private-by-default cloud repositories; ban public links
Patch/update cadence for OS, apps, and network devices
Incident Response Plan with breach-coach contact and a tabletop twice a year
Data map & retention policy (limit what you store; purge on schedule)
Security awareness training (phishing, sharing, and file-handling)
Annual policy review (cyber + LPL) to close obvious gaps

These aren’t edge cases—they’re everyday risks for modern law practices. A few process tweaks plus the right blend of cyber and malpractice coverage can be the difference between an expensive lesson and a swiftly managed incident.