Law firms continue to increase their focus on cybersecurity, but according to the American Bar Association's (ABA) latest Legal Technology Survey Report, only about one-third of respondents have an incident response plan. As the ABA notes, all law firms need tailored cybersecurity programs and having an incident response plan is a critical part of such programs. This blog looks at how a law firm's response to a data breach will go a long way toward mitigating — or exacerbating — financial and reputational costs.

Why Your Law Firm Needs a Plan

Law firms are vulnerable to both internal and external incidents. Whether it is an attorney losing a device containing confidential information, an administrator falling prey to a phishing or ransomware attack, or a hacker targeting the firm, the consequences can be devastating.

That is why your law firm needs to establish a formal plan that outlines procedures to stop the breach and restore affected systems. A structured response will prove much more effective than an ad hoc, heat-of-the-moment response. For example, imagine the time and expense that will be saved by having the contact information on hand for the qualified (and insurer-approved) vendors you need to effectively respond.

Where to Start

The first step is to assemble an incident response team (IRT). According to the Ponemon Institute's 2019 Cost of a Data Breach Report, the formation of an IRT reduces the total cost of a data breach by an average of $360,000, from the mean cost of $3.92 million. The team must, of course, be equipped with the talent, authority and tools it needs to achieve such savings.

Ideally, an IRT is cross-disciplinary, with representatives from areas including management, IT, human resources, finance/accounting, marketing and client relations. Assign each department specific roles and responsibilities in the event of a crisis. It is best to designate two representatives from each department to increase the odds that someone will be available when an incident occurs.

What to Include in the Incident Response Plan

You can base your plan on reputable standards, such as the National Institute of Standards and Technology (NIST) framework, considering your state's relevant laws, regulations and ethics rules.

Regardless of the model you follow, your incident response plan must cover a range of issues, including:

  • Incident Reporting and Confirmation: Establish a mechanism for attorneys and staff to report suspected incidents. Give the IRT the authority and flexibility to respond promptly to reports in order to determine their validity.
  • Investigation/Mitigation of Loss and Business Disruption: Forensic consultants can help your firm find the source of a breach and respond appropriately (for example, by quarantining affected devices, systems and servers). While loss mitigation and the return to normal operations are paramount, evidence preservation for prosecution purposes and the protection of attorney-client privilege are also essential considerations.
  • Recovery: Mandate testing and validation of all systems before they are restored to use. Putting this requirement in writing will make it easier to resist the pressure to restore systems prematurely, which could cause further damage.
  • Notification: Failing to comply with the strict statutory notification requirements (while also adhering to ethics rules) can lead to stiff penalties and other repercussions. Notify the relevant insurers as soon as possible, as well, to avoid forfeiting coverage.
  • Training/Drills: Ponemon reports that the formation of an IRT, combined with testing of the plan (for example, in tabletop exercises), reduces data breach costs more than any single security process.
  • Review/Lessons Learned: Have the IRT conduct a post-mortem after any incident to determine what went right and what went wrong, and then revise the incident response plan accordingly.

An Ongoing Process

With many employees working remotely due to the COVID-19 crisis, cybersecurity is more important than ever. Remember, drafting an incident response plan is not a one-off task. Cyber threats evolve constantly and firm operations and personnel change, making it important to have your IRT meet and update your firm's incident response plan regularly.

Originally published 21 April, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.