The Florida Bar

Florida Bar News

Florida Bar panel eyes incident response plans amid rising cyber threats

Senior Editor Top Stories

Data privacy/Barbara Kelley

The Cybersecurity & Privacy Law Committee is weighing a formal recommendation that Florida Bar members develop an “incident response plan” for ransomware attacks and other data breaches.

“We have to assume everyone is going to get hit, and we have to have the best profile in place when that awful day comes,” Co-Chair Franklin Zemel said at an October 16 meeting.

Experts say lawyers and law firms regularly handle such confidential data that they are prime targets for ransomware attacks. An incident response plan, or “IRP,” typically includes detailed steps for identifying, containing, investigating, and recovering from a cybersecurity incident.

In addition to a formal recommendation, the committee intends over the next year to develop webinars, CLE, and instructional materials that would help Florida lawyers, especially solo practitioners and lawyers in small firms, create an IRP.

The latest ABA survey from 2023 showed that 29% of U.S. law firms experienced a data breach, and 19% were unsure. Even the ABA isn’t immune. A breach of its IT systems netted cybercriminals a trove of old usernames and passwords.

“Law firm Allen & Overy suffered a ransomware attack in November 2023 when hacking group LockBit threatened to publish data stolen from the firm’s files,” the insurance group Broker wrote in a recent report. “Or there’s the ransomware group that took credit for accessing data at law firms Kirkland & Ellis, K&L Gates, and Proskauer Rose by exploiting a vulnerability in the file transfer software MOVEit.”

Last year, the Gunster law firm announced that on April 6 it was mailing notices to individuals whose information may have been involved in a data breach and setting up toll-free numbers. According to the announcement, the files were related to the provision of legal services and “other law firm business,” and depending on the individual, could include names, dates of birth, Social Security numbers, and medical records, including diagnosis and treatment information.

“We’re seeing more and more law firms getting sued, and more and more law firms having incidents that are not public,” Zemel said.

Zemel said he wanted to make IRPs mandatory for Florida Bar members, but appeared to change his mind after committee members objected.

Zemel said a mandatory IRP would be preferable to another suggestion the committee received – mandating a minimal level of technical proficiency, which he strongly opposes.

“Each lawyer, each law firm, has different issues,” he said. “If you set minimum standards it’s going to be over-inclusive for some, and under-inclusive for others.”

Some committee members were concerned that mandating an incident response plan would expose a lawyer or law firm to increased liability. Co-Chair Steve Teppler predicted that a proposed mandate would generate “a lot of push back.”

“I’m all for incident response plan implementation, especially by lawyers, but I worry about the process of making it mandatory. The devil is in the details.”

Tim Morrel, a Palm Beach attorney, was concerned that a mandate would be unfair to Florida lawyers who lack technical proficiency. He said there is a “big education gap” in the Bar.

“If we’re going to require anything, require that a CLE be taken, a couple-hour seminar. We could have model incident response plans that we could educate members of the Bar on.”
