New Florida Bar Guidelines Offer Framework for Law Firm Cyber Resilience
‘The Cybersecurity and Privacy Law Committee will continue its work in this area with educational programs and resources so solo and small firms can implement the practice’
Florida Bar cybersecurity experts are urging all attorneys to consider new, voluntary guidelines for implementing “Model Incident Response Plans.”
“Although entirely voluntary and not intended to establish a minimum standard of care, the model Incident Response Plan recommended by The Florida Bar’s Committee on Cybersecurity and Privacy Law provides Florida Bar members with a practical, risk-based framework to improve cyber resilience,” said Co-Chair Steven Teppler.
A partner with Mandelbaum Barrett, Teppler chairs the firm’s Cybersecurity and Privacy Practice Group. He is an ISACA Certified Data Privacy Solutions Engineer (CDPSE) who has been at the forefront of cybersecurity, data privacy and eDiscovery since 2000.
Co-Chair Franklin Zemel is a Fox Rothschild partner who focuses his practice on cybersecurity and data privacy, First Amendment and civil rights litigation, complex business litigation, trusts and estates, and privacy law. He is a Certified Information Privacy Manager (CIPM) credentialed by the International Association of Privacy Professionals. “Voluntary Implementation of Incident Response Plans, Recommendation 25-1,” is now available at Legalfuel.com and on The Florida Bar’s Cybersecurity & Privacy Law Committee webpage.
The Board Technology Committee that coordinates the Bar’s tech initiatives will continue its focus on the necessary “details and mechanisms needed for implementation of the recommended practices,” assures Chair E. “Duffy” Myrtetus, a member of the Board of Governors.
“The Cybersecurity and Privacy Law Committee will continue its work in this area with educational programs and resources so solo and small firms can implement the practice,” added Board Technology Committee Vice Chair Karl Klein, who also sits on the Board of Governors. “The CPL Committee’s work on educating and preparing members will likely be key to actually implementing these guidelines.”
The committee recommends that all Bar members and their staff prepare and annually maintain an IRP tailored to their firm’s “assessed security needs and maturity level.”
“As necessary predicate steps to an effective Incident Response Plan, the Committee recommends that a Data Mapping Survey followed by an appropriate Maturity Assessment be initiated and completed within 2 years and an appropriate Incident Response Plan in place within 3 years. These time frames are the Committee’s recommendations only, but the Committee strongly encourages implementation as soon as possible. These predicate steps, in conjunction with an Incident Response Plan, are the only proven effective strategies to reduce the impacts of cybersecurity incidents.”
Jade Davis of Sarasota, who leads the subcommittee that drafted the recommendations, said many Florida practitioners are “just winging it” when it comes to cybersecurity and don’t understand the heightened need to adopt precautions.
Davis, who focuses part of her practice on data privacy and cybersecurity, said these are “very foundational recommendations” that provide some examples and best practices, which can be built upon going forward.
The objective of the data mapping step is to identify what data the firm holds, where it resides, how it flows, and where potential vulnerabilities exist.
The recommendations also include:
- Encourage Data Mapping — Understanding the lifecycle and flow of data enables members to assess potential vulnerabilities and to enhance targeted security measures. Exercises in understanding “what data do I have” and “where is my data” are proven disciplines in reducing exposure.
- Promote Maturity Assessments — Regular evaluations of a law firm’s data security maturity allow for continuous improvement in cybersecurity practices, ensuring they evolve with emerging threats and technologies. Maturity assessments establish an initial baseline of cyber-resiliency, followed by an annual review in which improvements may be added to protect against evolving cybersecurity threats.
- Enhance Cybersecurity Preparedness — Incident response plans help ensure that members are well-prepared to respond promptly and effectively to cybersecurity incidents and possible data breaches. Incident response plans help minimize operational disruptions and protect client and third-party data, reducing potential revenue loss and liability risks.
The committee also recommended that Bar members should consider “whether retention of qualified experts” is reasonably necessary “to ensure completion, accuracy and consistency” with evolving best practices.
Key components of the incident response plan (IRP)
- Preparation
  - Define roles and responsibilities for incident response.
  - Develop a communication plan (internal and external).
  - Conduct regular security awareness training.
  - Maintain a list of critical systems, data assets, and third-party vendors.
- Detection and Identification
  - Implement monitoring tools to detect anomalies.
  - Establish clear criteria for identifying cybersecurity incidents.
  - Develop an incident classification system (e.g., low, medium, high severity).
- Containment
  - Isolate affected systems to prevent further damage.
  - Implement short-term and long-term containment measures.
- Eradication
  - Identify the root cause of the incident.
  - Remove malware or unauthorized access points.
  - Patch vulnerabilities and strengthen defenses.
- Recovery
  - Restore affected systems and data.
  - Verify systems are clean and fully functional.
  - Monitor systems for recurrence of the incident.
- Post-Incident Review
  - Conduct a “Lessons Learned” meeting within 14 days.
  - Update the IRP based on findings.
  - Document the incident and response actions for compliance.
“Following these recommendations can help attorneys — regardless of practice size — prepare for, respond to, and recover from cybersecurity incidents more effectively, thereby reducing the likelihood of client data compromise, reputational harm, and operational disruption,” Teppler said.
An ABA cybersecurity report found that 29% of law firms experienced some form of security breach in 2023. Experts often warn that it’s not a matter of if a security breach will happen, but when.
“In today’s threat landscape, proactive planning is one of the most cost-effective strategies to protect client confidences and professional integrity,” Teppler said. “Adopting these practices, including data mapping and maturity assessments, allows attorneys to tailor reasonable safeguards to their specific risk profile while demonstrating a commitment to ethical and secure client service.”
VIEWS AND CONCLUSIONS EXPRESSED IN ARTICLES HEREIN ARE THOSE OF THE AUTHORS AND NOT NECESSARILY THOSE OF FLORIDA BAR STAFF, OFFICIALS, OR BOARD OF GOVERNORS OF THE FLORIDA BAR.