In late March 2025, the Florida Bar Board of Governors unanimously endorsed the recommendation of its Special Committee on Cybersecurity and Privacy Law that law firms should adopt written incident response plans (IRPs) to better prepare for and respond to data security incidents. The recommendation reflects a growing recognition across professional service industries—particularly law firms—of the serious risks posed by cyber threats and the need for structured, proactive responses.
The message is simple: law firms must be prepared.
As most practitioners will observe, it is not a matter of if an organization will experience a data breach, but when. Development and implementation of an IRP can be challenging as the nature of legal practice poses unique challenges, even for smaller firms. At the same time, as stewards of vast amounts of highly sensitive client and employee data, often spanning multiple industries, jurisdictions, and confidentiality regimes, such data sets make law firms attractive targets for threat actors, especially those seeking access to intellectual property, litigation strategies, and regulatory or financial information, not to mention sensitive personal information.
What Makes Law Firms Different?
Unlike organizations in several other industries, law firms often lack centralized compliance infrastructures or in-house technical expertise. Client confidentiality obligations and the attorney-client privilege can complicate both the detection and disclosure of incidents. In some cases, firm may confuse confidentiality for security, when both are needed.
In addition, unlike most other professional service providers, law firms grapple with a set of comprehensive rules of professional responsibility that increasingly delve into data privacy and cybersecurity issues. Of course, those rules sit on top of generally applicable business regulation that law firms also face. See, for example, our recent discussion about the Florida Information Protection Act (FIPA) which mandates that certain entities, including law firms, implement reasonable measures to protect electronic data containing personal information.
When engaging a new client, a simple engagement letter may no longer be sufficient, especially for law firms representing certain businesses, particularly those that are heavily regulated. Consider law firms that defend medical malpractice claims. Their clients are most likely healthcare providers covered by the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). That makes these firms "business associates" to the extent those services involve access to "protected health information." Just like their healthcare provider clients, business associate law firms are required to maintain an incident response plan. 45 CFR 164.308(a)(6). So, even before Recommendation 25-1, many law firms may have already been obligated to maintain an IRP, at least with respect to certain information collected from or on behalf of certain clients.
Given these realities for law firms, the Florida Bar's recommendation is both timely and necessary, even if not unprecedented. Notably, in 2018, the ABA issued Formal Opinion 483 which made a similar recommendation. Law firms considering an IRP should consult Formal Opinion 483.
What Should a Law Firm's Incident Response Plan Include?
A comprehensive and tailored IRP should be risk-based and scalable to firm size, practice areas, and existing infrastructure. Here are some components all firms should consider including in their IRP:
- Governance and Roles
Define the internal response team and assign roles, including legal, IT, communications, HR, and leadership. Identify outside partners, such as breach counsel, forensics, and public relations firms. - Data Mapping and Risk Assessment
Map the data your firm collects, stores, and shares. Understand where sensitive client and employee information resides and how it is secured. A risk assessment will help prioritize which systems and data are most critical. - Incident Detection and Reporting
Establish processes for identifying, reporting, and escalating suspected incidents. Time is critical when responding to ransomware, business email compromise, or other attacks. Remember to have a plan to communication outside of the firm's existing systems which may not be operable. - Investigation and Containment
Outline steps to contain and investigate an incident, including coordination with law enforcement, insurance carriers, forensic investigators, and legal advisors. - Notification and Legal Obligations
Address client communications, breach notification laws, ethical duties, and contractual terms that may require specific responses. - Post-Incident Review and Testing
After resolving an incident, assess what went well and what needs improvement. Regular tabletop exercises and plan updates are essential.
Additional Tools and Resources
- ACC Toolkit: Association of Corporate Counsel (ACC) released a Cybersecurity Issue Brief and Toolkit which includes guidance for outside counsel on incident response planning, data governance, and third-party risk management.
- Podcast: Our cybersecurity team recently discussed practical tips for incident response plans generally. You can listen to the episode here.
- Blogs:
- Incident response planning generally
- IRS and FTC guidance regarding IRPs for tax preparers
- SEC guidance for IRPs
With cyber threats evolving and legal obligations expanding, law firms must treat incident response planning as an ethical, professional, and business imperative. The Florida Bar's recommendation should serve as a wake-up call. By building a strong IRP, law firms can better protect client confidences, meet regulatory requirements, and preserve their professional reputation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
