American Bar Association Formal Opinion 477R (May 2017), …. describes the current threat environment: “Cybersecurity recognizes a … world where law enforcement discusses hacking and data loss in terms of ‘when,’ and not ‘if’…” a company (or law firm) will be breached.
The above sentence is from Cybersecurity for Attorneys: The Ethics of Incident Response by David G. Ries in Law Practice Today.
If a cybersecurity breach at a law firm is a matter of “when” and not “if,” the question is whether your law firm has an incident response plan and whether that plan complies with your ethical obligations. David’s useful article will assist you with that. Forms for incident response plans can be located online, and some are better than others. But key provisions of an incident response plan for a law firm (or any of a firm’s business clients) are unique to the firm. Where are our insurance policies? Who does the firm notify at the insurance company to help it deal with a cybersecurity breach (assuming you have coverage)? Who is your IT support in such a disaster? Is the situation so major that public relations help is required, and has the firm identified who to contact, especially if it is after business hours? There are many questions to be answered, and all are better answered in an advance planning session rather than in the middle of a cyber-mess!