Monthly Archives: August 2025

Real-Life Cyber Claim Examples With Don Ivol

Posted on by

Lawyers often ask for proof that cyber events and data mistakes really hit small firms—and what those losses look like in dollars. Below are two real-world claim scenarios to help you see how quickly costs add up and which safeguards (and coverages) matter most.

#1: Shared Office, Shared IT… Total Data Loss

The setup:


A three-lawyer firm subleased space from a larger firm and piggy-backed on the larger firm’s IT. To “separate” data, the small firm was given its own file server (originally used for email).

What went wrong:


The larger firm’s IT admin backed up email, formatted the shared server, and reinstalled software—but forgot to back up the small firm’s files. Result: complete data loss and an operational shutdown while the firm tried to rebuild.

Documented impact:

  • Data restoration expenses: $23,000
  • Lost billable hours: roughly $98,900 (about “$99k” in the narrative)

Why this matters:


Not every disaster is a hacker. Plain old human error and poor segregation of systems can be just as destructive.

How to prevent this (practical steps):

  • Own your backups (don’t rely solely on a landlord’s/host firm’s IT). Use a 3-2-1 backup strategy and test restores.
  • Put clear, written data-segregation and change-management terms in your office/IT agreement.
  • Keep off-network backups (immutable/cloud snapshots) and run recovery drills twice a year.
  • Maintain a simple RPO/RTO target (how much data you can afford to lose/how fast you must be back).

Where insurance can help (policy-dependent):
 Cyber policies with data restoration and business interruption coverage can respond to accidental data loss; some tech E&O or malpractice policies may also come into play depending on facts. Terms vary—review your policy.

#2: Cloud Downgrade → Confidential Case Exposed

The setup:


A firm used a cloud storage provider with two tiers: free and premium. The premium tier kept data private; the free tier made content searchable/downloadable by others.

What went wrong:


The firm missed the renewal. The account reverted to the free tier, quietly exposing the firm’s files online for months. During that window, third parties downloaded details of a sensitive whistleblower matter.

Documented impact (one case):

  • Notification costs: $27,000
  • Defense expenses: $35,000
  • Damages: $2,150,000
  • Fines & penalties: $120,000
  • (Additional client lawsuits were pending and not included in these totals.)

Why this matters:


Most breaches aren’t Hollywood hacks—they’re misconfigurations, missed renewals, or lax vendor settings.

How to prevent this (practical steps):

  • Use auto-renew with multiple payment methods and billing alerts for critical SaaS tools.
  • Enforce least-privilege access, MFA, and default private sharing settings; require approvals for any public link.
  • Turn on configuration monitoring and data-loss prevention (DLP) alerts for exposure of sensitive matter names/IDs.
  • Keep a data map: what you store, where it lives, who can access it, and how long you keep it.

Where insurance can help (policy-dependent):


Cyber policies commonly address privacy liability, regulatory investigations (where insurable), breach response (forensics, notifications, PR), and defense. Coverage for fines/penalties depends on jurisdiction and policy language. Some professional liability (LPL) policies may also respond to alleged ethical violations—review both with your broker.

What These Stories Prove

  • It’s not just “hackers.” Human error and billing lapses can trigger seven-figure exposure.
  • Shared or “free” is risky. If you don’t control the system, you don’t control the risk.
  • Time is money. Even “small” incidents bleed billable hours and momentum.

Insurance is a backstop, not a substitute for sound IT practices.

10-Point Cyber Hygiene Checklist for Small & Mid-Size Firms

  1. 3-2-1 backups with quarterly restore tests
  2. Vendor billing safeguards (auto-pay + backup card + calendar reminders)
  3. MFA everywhere (email, practice management, cloud storage, VPN)
  4. Least-privilege access and quarterly access reviews
  5. Encrypted, private-by-default cloud repositories; ban public links
  6. Patch/update cadence for OS, apps, and network devices
  7. Incident Response Plan with breach-coach contact and a tabletop twice a year
  8. Data map & retention policy (limit what you store; purge on schedule)
  9. Security awareness training (phishing, sharing, and file-handling)
  10. Annual policy review (cyber + LPL) to close obvious gaps

These aren’t edge cases—they’re everyday risks for modern law practices. A few process tweaks plus the right blend of cyber and malpractice coverage can be the difference between an expensive lesson and a swiftly managed incident.

Vacation as a Risk Management Tool

Posted on by

No, this isn’t a quick break from my desk—I’m actually taking a few days away from the office on a proper vacation. As I sit here on the porch, soaking in the peaceful view of the water and feeling more relaxed than I have in a long time, a thought struck me:

This might be one of the best risk management tools I can recommend—take a break.

That’s right. Step away from the desk. Let your brain unplug. Play a round of golf, cast a line into the water, take a boat ride, dive into a good book, or simply sit outside and do nothing. You don’t need a plane ticket to a faraway beach or a mountain retreat—just find a way to get out of the office and into a state of calm.

Why? Because time away helps you rejuvenate.

And when you’re back in the office, something magical happens:
You think more clearly.
You work more creatively.
You produce a better work product for your clients.

And that’s where risk management comes in.

Better Work = Lower Risk

A refreshed mind leads to fewer mistakes. That means fewer legal malpractice claims, better relationships with your clients, and even a more positive atmosphere in your workplace. It also means you’re more likely to be offered favorable malpractice insurance rates and terms—because insurers notice when your practice runs smoothly and claims stay low.

So, yes—a short vacation isn’t just good for your soul, it’s good for your business.

It may be the simplest risk management strategy, but it just might be the most powerful.

Coach Said It Best

There’s a quote from one of my favorite TV shows, Friday Night Lights, that always sticks with me:
“Clear eyes, full heart, can’t lose.”

So don’t lose.

Take some time off this year. Step away from the grind. Let yourself breathe, reset, and come back sharper than ever.