24 April 2025

Florida Bar's Cybersecurity Guidance Takeaways For Lawyers And Law Firms

Buchanan Ingersoll & Rooney PC

Contributor

With 450 attorneys and government relations professionals across 15 offices, Buchanan Ingersoll & Rooney provides progressive legal, business, regulatory and government relations advice to protect, defend and advance our clients’ businesses. We service a wide range of clients, with deep experience in the finance, energy, healthcare and life sciences industries.

A cyberattack on a law firm targets not only the firm but also its clients. Law firms typically receive clients' Personally Identifiable Information (PII), Protected Health Information (PHI), and a variety of sensitive information that should be kept out of the hands of bad actors. Unique to law firms, clients entrust the firm with this sensitive information in combination with attorney-client privileged communications — information law firms are bound by professional rules to protect. If criminal actors access a law firm's information technology systems, it can expose trial strategies, trade secrets, private details, and other material that can destroy a client's personal and professional lives — and have a substantial negative impact on a law firm.

Understanding that cyberattacks are far too common, The Florida Bar Board of Governors voted unanimously at its March 28, 2025 meeting to approve the Incident Response Guidelines developed by the Cybersecurity & Privacy Law Committee. The Incident Response Guidelines are intended to address the unique vulnerabilities faced by legal practitioners. Recommendation 25-1 urges members of The Florida Bar to implement comprehensive cybersecurity measures. The voluntary guidance discusses technical options and planning efforts law firms should consider as they design their organizations' cybersecurity and data protection strategies.

The Committee recommends that law firms conduct a data mapping survey and a cybersecurity maturity assessment. While these efforts are related, they support two separate interests that should remain distinguished: information tracking and operational performance. Data mapping identifies the information a firm possesses, where and how it is retained, and how it is distributed. Mapping also uncovers insufficient data protection processes and the types of vulnerabilities criminals exploit. Maturity assessments allow a firm to evaluate its cybersecurity practices and their adequacy in light of emerging cyber threats.

The cornerstone of the Committee's recommendations is the establishment of an industry-compliant incident response plan (IRP). An effective IRP ensures that law firms are prepared to respond promptly and effectively to cybersecurity incidents and identifies the resources a firm will need if an incident occurs. Implemented correctly, an IRP minimizes operational disruptions and protects client and third-party data, reducing potential revenue loss and liability.

The Committee suggests that law firms consider retaining qualified cybersecurity experts to assist with the development and implementation of these strategies. Expert guidance ensures firms follow best practices and maintain compliance with evolving cybersecurity standards. Firms that have data and cybersecurity expertise on staff will still benefit from the advice of experts who handle incident prevention and response across a number of industries and have the benefit of learning from multiple organizations' security frameworks. The Committee also encourages law firms to conduct regular evaluations of their cybersecurity practices, update data protection policies, and provide continuous staff training in conjunction with experts.

It is imperative for law firms to prioritize cybersecurity and take proactive steps to safeguard their IT operations and data. Implementing an IRP and conducting regular assessments are essential strategies for achieving a robust cybersecurity posture. Implementing the Committee's recommendations will not only enhance a firm's security, but will also prepare the firm to be resilient during a cyber incident and to fend off cyber threats. Most importantly, it will foster trust with clients who expect their sensitive information to be handled with the utmost care.

At Buchanan, our Advanced Technology and Cybersecurity attorneys have deep industry experience and are following these developments closely. Our attorneys can help the legal industry navigate this rapidly evolving landscape to bring peace of mind to law firms facing ever-increasing cyberthreats looming around each corner.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
