As cyber professionals often counsel, it’s “when, not if” a cyber attack will affect you, your firm and your clients. Our duties and obligations as practitioners require that we take steps to protect ourselves and our clients from the risks associated with such attacks, including developing and implementing plans and procedures to address cyber-related incidents. The best time for doing so is before an incident occurs. Despite such best practices, a 2018 report by LogicForce showed only 55% of mid-sized firms [20-200 people] surveyed had procedures in place for a cyber-attack1. A small jump from the only 47% that had an incident response plan in place in 20172.
An Incident Response Plan (IRP) is like an evacuation plan for a cyber security incident. It outlines step-by-step your response in the event of an incident and guides you in your response to the breach, recovery of your electronic systems and compliance with applicable laws, regulations and your ethical duties. In the ever-changing landscape of cyber security, it is not uncommon for law firms or companies to face multiple cyber-attacks. Once a victim is targeted as susceptible to a breach it’s more likely an attacker will try again. An effective IRP can help prevent future breaches when timely implemented and carried out. IRPs are useful in just about every cyber-related incident, including “ransomware (a cyber-attack denying access to a computer or specific programs until a ransom is paid), attempted hacks, an insider accessing data without authorization, or a lost or stolen laptop or mobile device.3”
Not only is it a best practice for a law firm to prepare and implement an incident response plan to protect its information but we, as attorneys have certain ethical obligations to protect our client’s information. Model Professional Rule of Conduct 1.6 addresses confidentiality of information and an attorney’s duties to clients. Briefly, an attorney shall not reveal confidential client information without their consent and make reasonable efforts to prevent any unauthorized disclosure or access to such information.4 Further, Model Rule 1.4 requires that when material client information was or is reasonably suspected to have been revealed or lost, notification must be provided to a client with enough information “reasonably necessary” for them to make informed decisions as to their representation.5 Best practice may require a lawyer to keep his or her clients updated on the steps being taken to respond to the breach, to recover any information lost, and to inform such clients of the measures being taken to prevent future incidents. By having an IRP in place, recovery of client information and notification to clients in the event of a breach can be effectuated more quickly.
Developing an IRP that is right for you
No firm is the same, each may encounter different types of risks, have different vulnerabilities and various levels of risk tolerance. An IRP should be tailored to fit a firm’s needs and capabilities. To get that best fit, it may be beneficial to bring in a cyber security consultant if circumstances allow. By having a cybersecurity specialist consider your or your firm’s specific needs, he or she may be able to pinpoint missing or weak areas in an IRP or assist you in creating one from scratch. Alternatively, having a template IRP is a great place to start for smaller businesses and better than having no plan at all.6
Keeping in mind that the size of the firm and its capabilities may impact the complexity of an IRP, below are examples of common topics an IRP may cover:
- Consider the appropriate IRP Team Members. Team Members may include both individuals inside your firm as well as outside professionals who specialize in IT or cybersecurity issues.
Step-by-Step Plan for Response to Cybersecurity Incident
- Identify steps to be taken when a cybersecurity incident is discovered and how and when cybersecurity incidents should be reported to the IRP team.
- Ascertain the nature of incident, whether and which systems were compromised and for how long.
- Determine whether any breach of data occurred (i.e., whether data or records were accessed, whether personal or confidential information was affected and whether client or employee data was affected.)
- Investigate how the cybersecurity incident occurred.
- Repair your electronic systems and make sure system protections are in place and up-to-date.
- Determine what, if any, notification is required pursuant to applicable laws, regulations or rules and the timeline for doing so.
Insurance Carrier Information and Reporting Timeframe
- Determine reporting requirements under cybersecurity insurance policy and timeline for reporting. Your carrier may not only require immediate notification, but may offer quick assistance in investigating and resolving a cyber-related incident.
- If you do not have cybersecurity insurance, consider obtaining coverage.
Post-Incident Investigation/Lessons Learned
- Conduct an in-depth investigation to determine how and why the cyber incident occurred in order to be better positioned to prevent similar incidents in the future.
Testing of IRP Process
- Conduct periodic testing or audits of your IRP process.
Training of Employees
- Train and educate your employees on the importance of prevention of cyber-related risks and prompt response to cyber-related incidents under your IRP.
Anyone can stumble upon a cyber security incident or data breach. Making sure all employees know how to proceed in such an event will ensure a rapid response. It should be clear to the employees what their responsibilities are during a breach and who is in charge of the overall implementation of the IRP7. Training and testing out the plan will help giving employees familiarity and better understanding of the IRP and their responsibilities in the event of a cybersecurity incident8.
Even with an efficient and effective incident response plan in place, you cannot respond to something you don’t know is happening. Detection is a key component to addressing a cyber attack, the earlier you can detect the more information you can protect. While nothing can avoid 100% of cybersecurity risk, being prepared is your best defense.
This article was prepared by Holly M. Whalen, Esq. We trust that the above article was useful and thought provoking; however, please note that it is intended a general guide only, not a complete analysis of the issues addressed, and readers should always seek specific legal guidance on particular matters.
For more information on LPL coverage generally and Cyber Liability insurance, contact Greg Cooke at USI Affinity today.
- See Cyber Security Scorecard Q4 2018, LOGICFORCE (2018), https://www.logicforce.com/2018/11/02/cyber-security-scorecard-q4-2018/.
- Cheryl B. Preston, Article: Lawyers’ Abuse of Technology, 103 Cornell L. Rev. 879, 922 (May 2018).
- Sharon D. Nelson, David G. Ries and John W. Simek, Department: Technology: What To Do When Your Data Is Breached, 62 Res Gestae 26, 28 (Sept. 2018).
- See MODEL RULES OF PROF’L CONDUCT R. 1.6 (2018).
- See MODEL RULES OF PROF’L CONDUCT R. 1.4 (2018).
- See Nelson, Ries and Simek, supra. at 28.
- Inside Key ABA Guidance on Attorneys’ Cybersecurity Duties, LEXISNEXIS Law 360 (Dec. 12, 2018).
- See Nelson, Ries and Simek, supra. at 29.