Site icon centerbase.com

Before, During, and After: Ensure Your Law Firm is Prepared to Address a Data Breach

Having an incident response plan in place before a data breach occurs is the key for law firms to address the cyber attack and minimize its impact.

When law firms are impacted by a cyber attack, they must take immediate steps to address the data breach and minimize its impact. While these tasks generally occur in the days following an event, the most effective response requires the existence of an incident response plan before an attack occurs. By contemplating the potential impact of these disruptive events ahead of time and crafting a plan, law firms can be better prepared to respond.

Read on for a checklist of steps that law firm attorneys and administrators alike can take to appropriately respond to a data breach:

Incident Response Plan

According to the ABA’s most recent Legal Technology Survey Report, only about a third of respondents have an incident response plan in place. Yet, the ABA notes that incident response plans are critical to law firm operations, providing firms with a roadmap of steps to take when a data breach occurs. These plans require a significant amount of preparation, but the effort is worth its benefit should a breach occur.

There are numerous models for law firms to follow when crafting their own incident responses, but every plan should include these general provisions:

Stop the Breach and Mitigate

Formal Opinion 483 of the ABA Standing Committee on Ethics and Professional Responsibility states that “when a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.”

Stopping the breach may entail a number of different steps, including:

Once the breach has been stopped, firms need to take “all reasonable efforts” to restore operations and resume client services.

Analyze the Occurrence

Then, firms should next take steps to determine how the data breach occurred, which may require the assistance of a tech expert. Attorneys and administrators should ask probing questions, such as:

The information and evidence gathered can be used to ensure that the current breach has been effectively stopped, while also helping to identify what steps can be taken to prevent future attacks. An analysis of the lost or accessed data also promotes honest and transparent disclosure of the breach to clients and other impacted parties.

Address Vulnerabilities

After the problem has been identified, firms must move quickly to address it. Affected systems need to be secured and vulnerabilities removed. The appropriate tasks depend on the nature of the breach. For example:

Contact Impacted Parties

When identifying impacted parties, firms should analyze the type of data that was compromised. Did the data loss include the last name of a person along with at least the first initial of the first name? Did it include social security numbers or tax ID numbers? Were financial accounts, credit card data, drivers license numbers, or medical information compromised? If any of these details were stolen, then the impacted person or business should be notified.

Under most state ethics rules, attorneys generally have a duty to notify impacted clients of cyber incidents, particularly when the breach compromises confidential information or impairs the law firm’s ability to provide legal services. Though notification to former clients is not specifically addressed in many jurisdictions, law firms may still have a duty to notify them if their data was impacted.

But the duty to inform also extends from general state laws concerning data breaches. For instance, a breach of clients’ personal health records may fall under the Health Breach Notification Rule, which could require notification to the Fair-Trade Commission (FTC) as well as the media. This type of breach may also trigger notification requirements under the Health Insurance Portability and Accountability Act (HIPAA).

Firms need to comply with all federal, state, and local laws in notifying impacted individuals and businesses. States differ in the amount of time given to provide notification, but most typically set a 60-day limitation.

Details typically included within notifications include:

It is also useful for law firm attorneys or administrators to consult with any law enforcement working on the case to ensure that the information provided does not hinder the investigation.

The FTC offers the following advice for businesses when notifying impacted parties:

Following Up

A cybersecurity data breach is not over once the initial disruption is addressed. These incidents have lasting effects and law firms can continuously support impacted parties by taking the following steps:

Exit mobile version