rs home image


Accountants: Beware

Lessons Learned after a Data Breach or E-mail Phishing Scam
by Kim DeMarino

A proposed class action was filed against an Insured accountant after their clients received a phishing email. “Phishing” is a fraudulent attempt to obtain sensitive information by masquerading as a trustworthy party in an e-mail communication, website, or other electronic communication. In our case, the fraudsters sent emails to all of the Insured’s clients which looked like a legitimate message from the Insured. A copy of the email is listed below with the names changed to protect privacy.

There are a few hints in the content of the email that might alert a client that the email was a phishing attempt like the fact that the client is not addressed by name, the Insured had never mentioned Google Docs or SecureAcess before, and the language syntax is a bit unusual. However, the e-mail address appeared legitimate, the premise seemed reasonably related to accounting matters, and the fraudster even included an Avast email signature indicating that the message came without virus or malware.

One of the Insured’s clients called the Insured to ask about the email and the Insured quickly realized that their firm had been the victim of a phishing attempt. The Insured send out an email to all of their clients advising them not to open the SecureAcess email. However, Insured’s response to the phishing scam did not conform to industry best practices after a potential data breach. Shortly after the Insured’s response to the phishing scam, the Insured was sued for violations of certain state privacy laws, consumer fraud and deceptive business practices, and negligence due to the breach of the Insured’s security system as contained in the phishing email.

Accounting professionals are required to protect confidential client information which includes Personally Identifiable Information, Sensitive Personal Information, and social security numbers. To complicate matters, taxpayer identity theft and other attempts at data breach occur regularly and are likely on the rise with the IRS paying $5.8 billion in fraudulent tax refunds for 2013. Accountants need to develop a strategy for data protection, but they also need to know what to do when their efforts fail and there is an actual or even potential data breach.

The Great American Insurance Accountants Professional Liability Insurance Policy (12 17 edition) provides for assistance after a Security Incident which is defined as “the unauthorized access to or use of data containing private or confidential information in connection with the performance of Professional Services, which results in the violation of any privacy regulation.” The Policy provides for Supplementary Payments in Section VI. As follows:

  • B. Reimbursement for Security Incident The Company will reimburse the Named Insured for the following response expenses incurred by the Named Insured in responding to a Security Incident the Named Insured first discovers and reports in writing to the Company during the Policy Period. The maximum amount payable shall be $25,000 for all Security Incidents discovered and reported during the Policy Period, regardless of the number of Security Incidents or the number of Insureds. Security Incident response expenses are:
    1. reasonable fees and expenses by cyber forensic analysts to determine the extent of the Security Incident; or
    2. reasonable fees and expenses by attorneys or consultants to comply with federal, state or local privacy laws requiring that notification or credit monitoring services be provided to individuals when the security, confidentiality, or integrity of their personal information has been compromised by the Security Incident.

Take Away

In this instance, if the Insured Accountant would have contacted his insurance agent or broker after learning about the phishing email, Great American would have set up a potential claim file and assigned an attorney with a background in cyber security matters to investigate and determine if forensic analysis was necessary. Then the attorney would assist the Insured accountant in notifying the clients while ensuring that the notification met all federal, state, and local rules. The attorney fees, forensic analysis fees, notification costs, and credit monitoring service fee would all be covered at no cost to the Insured Accountant up to the $25,000 limit. Additionally, the Insured Accountant probably would not have been sued. Please call your insurance agent or broker or Great American if you think your firm has been involved in a Security Incident and might require expert assistance.

Disclosure: The information presented is intended to provide guidance and is not intended as a legal interpretation of any federal, state or local laws, rules, or regulations applicable to your business. The risk management information provided is intended only to assist policyholders with recognizing possible exposures. In providing such information, Great American does not warrant that all potential exposures have been evaluated or can be controlled. It is not intended as an offer to write insurance for such exposures. The liability of Great American Insurance Group and its affiliated insurers (“Great American”) is limited to the terms, limits and conditions of the insurance policies underwritten by any of them. Scenarios are provided to illustrate possible exposures faced by your business. The facts of any situation which may actually arise, and the terms, conditions, exclusions, and limitations in any policy in effect at that time, are unique. Thus, no representation is made that any specific insurance coverage applies to the above claims scenarios.

Coverage description is summarized. Refer to the actual policy for a full description of applicable terms, conditions, limits and exclusions. Policies are underwritten by Great American Assurance Company and Great American Insurance Company, authorized insurers in all 50 states and DC. Great American Insurance Group, 301 E. Fourth Street, Cincinnati, OH 45202. 5259-PLD-25 (5/18)

Author: Kim DeMarino

Kim DeMarino is the Divisional AVP - Claims, at The Great American Insurance Group, Professional Liability Division in Schaumburg, Illinois. You can contact Kim at

The Landy Agency is a national leader in providing non-medical, professional liability and cybercrime insurance for accountants, attorneys, and real estate professionals. John can be reached at 781‐292‐5417 or Visit for more information.

If you are an insurance producer looking to register with us or obtain coverage for your client, please visit ourPartner Resource Center for information.

Connect with Landy

I am interested in the following: