Law Firm Cyber Attack Response Plan

Law firm cyber attacks are becoming increasingly common. No matter the size of firm, attorneys are more at risk than ever. Find out what you can do to respond.

Written by Mike McLean Published April 17, 2024

Share this article

  • X
  • LinkedIn
  • Facebook

Protect your business today!

Get a Quote

As a lawyer, your clients trust you with their most confidential information, making you a prime target for cybercriminals who are increasingly targeting law firms. But, do you have a law firm cyber attack response plan?

While we hate to be the bearers of bad news, there’s a good chance you’ll experience a cyber incident at some point in your career. According to a 2023 survey by the American Bar Association (ABA), 29% of law firms said they had experienced a security breach, while 19% reported not knowing if one had occurred. 

At Embroker, we also release our Cyber Risk Index report each year to get a sense of risks in the market for businesses, and assess the solutions for these ever-evolving attacks.

So, what should your law firm do in the aftermath of a cyberattack? Though you may feel like a fish out of water when dealing with cybersecurity issues, it’s an important matter that no law firm should ignore planning for. Not sure where to start? We’ve got you covered. Here’s what you need to know about preparing for, and responding to, a cyberattack on your law firm.

What are a Law Firm’s Ethical Obligations for Cybersecurity?

Lawyers are right up there with doctors when it comes to ethical obligations they must consider. It’s crucial to be aware of your law firm’s ethical obligations for cybersecurity so that you’re not caught off guard and inadvertently find yourself in hot water.

Especially since more and more law firms are facing legal battles over allegations of failing to protect client data.

According to the ABA Rule 1.6 Confidentiality of Information, lawyers are required to make reasonable efforts to detect breaches and avoid client data loss. Failure to do so can result in an ethical violation, per ABA’s Formal Option 438.

While it’s important to take steps to prevent a cyber incident with proper cybersecurity risk management, it’s also crucial to have a plan ready to respond to an attack. This is what’s known as an incident response plan.

The Importance of Creating a Cyber Incident Response Plan 

Why have a cyber incident response plan? We’ll let the ABA’s 2023 Cybersecurity TechReport explain that one:

“An incident response plan is an absolute necessity if you want to successfully navigate the storm following a cyber incident. It is your ‘road map’ for response and will save you much time and money, not to mention the significant number of headaches.”

Essentially, plan for the worst and hope you won’t need it. (But given the stats of cyberattacks on law firms, there’s a good chance you will.)

Despite the value of having an incident response plan, only 34% of law firms have one, according to findings from the ABA’s latest TechReport. Larger firms are more likely to have incident response plans, with 59% of firms employing 100-499 attorneys having such plans. In comparison, only 19% of solo law firms have created incident response plans.

There’s no such thing as “one-size-fits-all” for how a law firm responds to a cyber incident (though wouldn’t it be nice if there was?). So, what a cyber incident response plan contains will vary with every firm, but the goal and concept will remain the same: to have a process in place and ready to go if a cyber incident occurs. The plan should outline the steps to take at each stage after a cyber incident and identify the individuals responsible for each of those steps.

Remember that an incident response plan is only useful if it’s created before a cyberattack. The cardinal rule of risk management for law firms is not to make a problem worse, and not having a cyber incident response plan will do just that.

Steps Your Law Firm Should Take After a Cyberattack

Time is of the essence when it comes to cyberattacks. The first 48 hours after the discovery of a cyber incident are crucial. That’s why planning ahead is so important. 

As mentioned, the exact content of an incident response plan will vary based on a law firm’s size and area of specialization. Below are some common steps to take after a cyberattack.

Stop the Spread

As soon as a cyber incident is discovered, the first step is to contact your IT department or outside provider so they can investigate and find the attack vector

In the immediate aftermath of a cyber event, the top priority should be stopping the spread. That means disconnecting any impacted equipment from the firm’s network and internet, changing all passwords, enabling multifactor authentication if not already done, and remotely wiping any lost or stolen mobile devices. The initial instinct may be to hit the off button on any compromised equipment, but don’t. Stopping the spread is essential, but so is preserving evidence for investigation purposes.  

Make sure to safeguard any firewall, servers, or network access logs for investigators. 

Call in the Experts

Unless your expertise is in cybersecurity, you’ll want to get some additional help after a cyberattack.

As soon as possible after a cyber incident, contact a data privacy and cybersecurity law firm. They will know how to guide you through the process following a cyberattack and provide advice on managing tricky situations like issuing public statements.

Depending on your resources, it may also be worth calling in a digital forensics team. These experts bring valuable experience for dealing with cyberattacks, including determining the best way to recover compromised data.  

Contact Your Insurance Provider

Hopefully, you already have cyber insurance. These days, cyber insurance is an absolute must-have for any business, including law firms. Actually, it’s especially important for law firms

Cyberattacks are stressful, but with the right insurance coverage, you’ll be able to breathe a little easier.

No matter how significant the cyber incident is, always contact your insurance provider to inform them of the situation. Depending on your carrier, you may be able to reach out 24/7 to their hotline for potential or real cyber incidents.

Even minor incidents can lead to a claim being filed at a later date. Letting your insurer know about the current situation will ensure you’re covered in the future. 

Inform Law Enforcement

Cybercriminals may use the internet to commit offenses, but they’re definitely still criminals. 

The Cybersecurity and Infrastructure Security Agency has detailed information on reporting a cyber incident.

Client and Partner Notifications

This is where you’ll be thankful to have called in reinforcements (aka, cybersecurity counsel). 

Notifying clients, partners, or other third parties potentially affected by the incident is a crucial but tricky step following a cyberattack. Emotions usually run high following a cyber incident, so have your cybersecurity legal team approve any communication before it goes out. Your counsel can also help determine the best way to circulate messaging and respond to questions.

At this stage, you want to let people know about the situation without providing too many unnecessary details that will only fuel fears. More detailed communication can follow later once you know whose data has been affected.

Regulatory Compliance

In addition to the ethical obligations outlined earlier, law firms have legal responsibilities in the event of a cyberattack. 

Be mindful of requirements, including who to contact, for state-specific data breach regulations as well as certain federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA).

Being aware of these obligations well ahead of time and making sure they are included in your incident response plan can help avoid regulatory consequences because of an oversight.

How to Prevent Future Cyberattacks at Your Law Firm

Once you’ve experienced a cyberattack, you’ll likely want to do anything in your power to prevent another. While there is no guaranteed, foolproof way to avoid cyber incidents, there are measures you can implement to protect your firm from future attacks:

  • Improve password security: Using “12345” or the last digits of your phone number is like leaving the door wide open for cybercriminals. Strong passwords and regular password changes are the first line of defense against cyber incidents.
  • Encrypt everything: Literally everything. Encryption is an effective way for law firms to thwart cybercriminals. 
  • Train employees: Did you know that employee mistakes cause 88% of data breaches? Don’t just assume that staff will know not to click on an unusual email link. Train employees about phishing emails and other cybersecurity best practices to mitigate data breaches.
  • Reduce data transfers: Avoid transferring data between business and personal devices. Keeping sensitive data on personal devices increases vulnerability to cyberattacks.
  • Get insured: Having the right insurance coverage is an important part of your toolkit for combating cyberattacks. At Embroker, we offer tailored, holistic coverage in just a few steps.

The key to protecting your firm against cyberattacks? Thinking about cybersecurity all the time. 

Cyberattacks threaten all businesses and are becoming more sophisticated with artificial intelligence (AI). Being proactive with cybersecurity is crucial for mitigating a cyber incident, as is being prepared to respond if your firm experiences a cyberattack. Remember that the best way to deal with a cyber incident is to take action before it happens.

Want to learn more about our coverages?

Related articles and resources

  • 2025 predictions: November 2024 Embroker Newsletter
    December 9, 2024
  • The definitive tech hardware risk management guide
    December 9, 2024
  • 2024 Cyber Risk Index shows coverage confidence increase, even as startups fear AI’s shadow
    November 19, 2024
  • 5 professional liability claims examples: Real-world cases and lessons learned
    November 12, 2024

Stay in the loop. Sign up for our newsletter.