Bar moves closer to issuing voluntary cybersecurity incident response guidelines
Florida Bar members are one step closer to receiving guidelines for creating a cybersecurity incident response plan, an essential tool for a profession that is a frequent target of cybercriminals.
During its meeting at the Bar’s Winter Meeting in Orlando, the Cybersecurity & Privacy Law Committee approved a voluntary Incident Response Plan (IRP) for ransomware attacks and other data breaches. The draft IRP will now be reviewed by the Board of Governors Technology Committee.
Given that lawyers and law firms handle highly confidential data, they are prime targets for cyberattacks. The proposed voluntary IRP outlines a series of steps for identifying, containing, investigating, and recovering from a cybersecurity incident.
Co-Chair Franklin Zemel said having an IRP in place is a “proven, effective way” to reduce cybersecurity exposure.
“Our focus is very much to jump-start a discussion about this,” said Zemel, adding that very few in the Bar really understand what cybersecurity is. “We really want to get a much-needed discussion going across the Bar,” and the draft recommendations are designed to start that conversation.
The committee is recommending that all Florida Bar members and their staff prepare and annually maintain an IRP tailored to their firm’s “assessed security needs and maturity level.”
“As necessary predicate steps to an effective Incident Response Plan, the Committee recommends that a Data Mapping Survey [also known as Data Inventorying] followed by an appropriate Maturity Assessment be initiated and completed within 2 years and an appropriate Incident Response Plan in place within 3 years,” according to the recommendation. “These time frames are the Committee’s recommendations only but the Committee strongly encourages implementation as soon as possible. These predicate steps, in conjunction with an Incident Response Plan, are the only proven effective strategies to reduce the impacts of cybersecurity incidents.”
Jade Davis of Sarasota, who leads the subcommittee that drafted the recommendations, said many Florida practitioners are “just winging it” when it comes to cybersecurity and don’t understand the heightened need to adopt precautions.
Davis, who focuses part of her practice on data privacy and cybersecurity, said these are “very foundational recommendations” that provide some examples and best practices, which can be built upon going forward.
The objective is to identify what data the firm holds, where it resides, how it flows, and where potential vulnerabilities exist.
As currently outlined, the draft recommendations include:
- Encourage Data Mapping — Understanding the lifecycle and flow of data enables Members to assess potential vulnerabilities and to enhance targeted security measures. Exercises in understanding “what data do I have” and “where is my data” are proven disciplines in reducing exposure.
- Promote Maturity Assessments — Regular evaluations of a law firm’s data security maturity allow for continuous improvement in cybersecurity practices, ensuring they evolve with emerging threats and technologies. Maturity Assessments allow for an initial baseline of cyber-resiliency followed by annual review upon which improvements may be added to protect against evolving cybersecurity threats.
- Enhance Cybersecurity Preparedness — Incident Response Plans help ensure that Members are well-prepared to respond promptly and effectively to cybersecurity incidents and possible data breaches. Incident Response plans help minimize operational disruptions and protect Client and Third-Party data, reducing potential revenue loss and liability risks.
The recommendation also includes a sample Data Mapping Guide and basic guidance for Maturity Assessments.
Key components of an IRP include:
- Preparation
  - Define roles and responsibilities for incident response.
  - Develop a communication plan (internal and external).
  - Conduct regular security awareness training.
  - Maintain a list of critical systems, data assets, and third-party vendors.
- Detection and Identification
  - Implement monitoring tools to detect anomalies.
  - Establish clear criteria for identifying cybersecurity incidents.
  - Develop an incident classification system (e.g., low, medium, high severity).
- Containment
  - Isolate affected systems to prevent further damage.
  - Implement short-term and long-term containment measures.
- Eradication
  - Identify the root cause of the incident.
  - Remove malware or unauthorized access points.
  - Patch vulnerabilities and strengthen defenses.
- Recovery
  - Restore affected systems and data.
  - Verify systems are clean and fully functional.
  - Monitor systems for recurrence of the incident.
- Post-Incident Review
  - Conduct a “Lessons Learned” meeting within 14 days.
  - Update the IRP based on findings.
  - Document the incident and response actions for compliance.
According to a 2023 ABA survey, 29% of U.S. law firms have experienced a data breach, and 19% were unsure whether they had been breached.
In addition to the formal recommendation, the committee also plans to develop webinars, CLEs, and instructional materials over the next year to assist Florida lawyers — especially solo practitioners and small firms — in creating their own IRPs.