The Privacy & Cyber Bar Brief: Writing Your First Incident Response Plan
Florida Bar News September 12, 2025
Chuck Bowen
When a cyber incident affects your firm, a lot is riding on your response: how much it will cost, the legal consequences, and how much embarrassment it will cause. The best way to ensure an effective response? Have an incident response plan (IRP). This column can help you write one.
To start with, identify your team. You need someone to lead the response, a communications lead, someone responsible for legal compliance, and IT support. In a small or solo firm, people may need to wear more than one hat, but make sure every role is assigned to a named person, with a backup in case that person is unavailable when the incident happens.
IT support needs particular attention. Firms that manage their IT in-house should have an IT representative on the response team. Firms that outsource IT operations need to know, before an incident, how to bring the vendor into a response as quickly as possible: the contact number, the hours of coverage, and what the service agreement actually obligates the vendor to do.
Also consider outside resources. If you have cyber insurance, the plan should spell out how and when to notify the carrier; policies typically require prompt notice and may limit you to vendors on the carrier's approved panel. Also consider involving outside counsel. They will have experience and expertise to guide your response and can provide attorney-client privileged advice. Privilege is easier to preserve when counsel, rather than the firm directly, engages the forensic vendor, so decide in advance who will do that.
Once you have your team, move on to planning the response. Incident response is divided into phases: Detect and Identify, Contain, Eradicate, Recover, and Report and Review. This column highlights some key considerations for these phases, but you can find more detail and an IRP template in The Florida Bar Committee on Cybersecurity and Privacy’s recently published Recommendation 25-1.
Detect and Identify is the phase where the incident is discovered and incident response starts. The person who first notices the issue may not be a response team member, so make sure all firm personnel know who to contact if they notice something. Quick mobilization is key, so make sure team member contact information is easily accessible. Keep in mind that normal communication channels could be offline because of the incident or, if email has been compromised, visible to the intruder, so keep an offline copy of the contact list and designate an alternate channel such as personal mobile phones.
The Contain phase is for stopping the intrusion and preventing additional damage. You may need to disconnect systems from the network or disable accounts during this phase, which is disruptive but often necessary. The plan should state who has the authority to make these decisions, including after hours, so that containment is not delayed by a search for approval. Where you can, isolate affected machines rather than powering them off or wiping them, so that logs and other evidence remain available for the investigation and for later notice decisions.
The Eradicate and Recover phases involve removing the intruder's access and any malicious changes, repairing affected system components, and bringing systems back online. Consult with your IT resource for this part of the plan, as they will be largely responsible for these phases. Recovery should include confirming that backups are intact and that the original means of entry, for example a compromised password or an unpatched system, has been closed before the system returns to service.
Finally, the Report and Review phase. Reporting includes stakeholder communication and any legally required notices to affected individuals, regulators, or clients. The data you need for notices, such as which individuals' information was affected and how to reach them, may be spread across several systems, so consider how you will gather it if you need it. Record when the incident was discovered, since notice deadlines under many laws run from that date. Also, be sure to involve legal counsel to ensure notices comply with applicable laws.
Now that your first IRP is written, practice it, for example with a tabletop exercise that walks the team through a realistic scenario, and make sure you can follow it in a crisis. After each real incident or practice run, review what went well and what did not, and use that review to improve the IRP. With this basic preparation, you will be in a much better position when an incident happens.
Chuck Bowen is the chief privacy officer at the Office of the General Counsel of Citizens Property Insurance Corporation and a member of The Florida Bar Cybersecurity & Privacy Law Committee. The information provided is for general informational purposes only and does not constitute legal advice. Attorneys should conduct their own analysis and consider all relevant facts and circumstances for their clients’ specific situations.
VIEWS AND CONCLUSIONS EXPRESSED IN ARTICLES HEREIN ARE THOSE OF THE AUTHORS AND NOT NECESSARILY THOSE OF FLORIDA BAR STAFF, OFFICIALS, OR BOARD OF GOVERNORS OF THE FLORIDA BAR.