Your cyber-response plan should cover preparation; detection and analysis; containment, eradication and recovery; and post-incident activities.
You don’t need me to tell you how important planning is for your firm. Everything you do as a lawyer revolves around it. You’ve got plans to cover all situations, eventualities and contingencies. Except one. A plan for responding to a cyberattack is likely missing.
According to the most recent ABA TechReport, only 42% of respondents reported having an incident response plan in place. For smaller firms, the percentage shrinks to 26% for firms of 2-9 and only 9% for solo practitioners.
Yet without such an incident plan, you can easily find yourself in peril. If you don’t have a strategy to deal with a data breach, malware maelstrom, or ransomware demand, you risk financial ruin, reputational harm, loss of clients, and perhaps the loss of your law license.
Drafting a Cyber-Response Plan
Given those risks, the most prudent course of action is to sit down and draft what’s known as a cyber-response plan.
Perhaps you believe that as a solo practitioner or small firm, no hacker wants to bother with hacking you, so slim are the pickings. Or, possibly, you hew to the view that the client data in your possession is the low-grade, run-of-the-mill sort that carries too little value to entice bad actors. Or maybe you feel your data trove is impregnable thanks to the significant investments you’ve made in state-of-the-art anti-theft technology. Here’s the reality:
- You need a cyber-response plan because it doesn’t matter whether your office is large or small — you’re a lawyer, and online thieves have painted a bull’s eye on your back.
- You need a plan because crooks consider even the most insignificant data in your possession to be worthy of purloining.
- You need a plan because no hardware or software solution exists that can promise you absolute protection from determined hackers.
- And you need a cyber-response plan because it will help you stay out of trouble with your state bar or licensing authority. Most states have adopted some version of the American Bar Association's Model Rule of Professional Conduct 1.6(c), which requires lawyers to make reasonable efforts to prevent the unauthorized disclosure of, or unauthorized access to, information relating to a client's representation. ABA Formal Opinion 483 (2018) goes further and spells out a lawyer's duties to monitor for, respond to, and notify clients of a data breach. Developing and implementing a cyber-response plan demonstrates your fidelity to those obligations in both letter and spirit.
Having said all that, let’s consider the critical elements of a cyber-response plan.
The Four Main Components of a Cyber-Response Plan
The National Institute of Standards and Technology (NIST) says four principal components constitute a viable cyber-response plan. They are 1) preparation; 2) detection and analysis; 3) containment, eradication, and recovery; and 4) post-incident activities.
1. Preparation
The starting point of the preparation component is to identify who in your law office will be responsible for responding to a cyberattack. Typically, the responders, at a minimum, will be the firm owner or managing partner and the head of your information technology department, or the office administrator and your IT managed services provider if you've elected to outsource the role. Once you know who your responders are, print their names and contact information on the first page of the plan, along with the outside contacts you will need in a hurry, such as your IT provider and the authorities to whom you will report the crime. On a subsequent page near the front, provide a detailed description of what each responder needs to do during and after a cyberattack. (I recommend you first consult NIST's official Computer Security Incident Handling Guide, Special Publication 800-61.)
2. Detection and Analysis
Your response plan also needs to spell out how you will tell whether the funny, weird thing going on with your computers is a cyberattack or a mere software glitch: what warning signs to watch for, who to report them to, and how to preserve the evidence (logs, affected devices) while you investigate. For illustration's sake, assume it is an actual full-out attack on your systems. Your response plan should then tell you how to work out what specific kind of attack it is, which systems and data are affected, and what actions to take to counter it.
3. Containment, Eradication and Recovery
The name of the game here is to make the attack stop, keep it from resuming, and dig out from beneath whatever rubble it leaves as quickly as possible. The plan needs to be granular enough to shepherd you through the steps of bottling up the attack vector — be it malware, ransomware, an email compromise, a baited phishing line, or what have you — and preventing it from spreading so that it can then be expelled from your systems, which you will then begin restoring to usable condition.
As an IT managed services provider for lawyers, I encourage clients to add a sub-component to this containment-eradication-recovery phase: a plan for communicating about what has happened. Every state now has a breach-notification law, and most require a business hit by a data breach to notify the affected individuals, and often the state attorney general, within a set deadline; depending on the size of the breach, some also call for notice to regulators or the news media. So, after you report the crime to the appropriate authorities (per your response plan), you will also need to send one or more communications to your affected clients and, where required, to the media. Your response plan must very carefully set forth what you are going to say in those communications (because saying it wrong, or even inaccurately, is guaranteed to stir up a hornet's nest of problems for you) and who must approve them before they go out. The plan also needs to indicate the timing of those communications so that you meet the deadlines your state imposes.
4. Post-Incident Activities
The fourth part of the cyber-response plan covers what happens once your systems are back in service. NIST recommends that the plan include instructions for convening a lessons-learned meeting — a cyber-response post-mortem. You will evaluate what you did right (and thus know to do more of in the future) and what you did wrong (and therefore learn not to repeat the next time — and there almost certainly will be a next time, trust me on that). A good plan will include a list of thought-provoking, future-looking questions you can pose to your response team during the debriefing. NIST's own list includes questions such as: exactly what happened, and when? How well did staff and management perform? What information was needed sooner? What would you do differently next time, and what corrective actions would prevent a similar incident?
CISA’s Response Playbooks
The federal Cybersecurity & Infrastructure Security Agency (CISA) has authored a pair of playbooks to help you construct a cyber-response plan. The Incident Response Playbook applies to incidents involving confirmed malicious cyber activity for which a major incident has been declared or not yet reasonably ruled out. The Vulnerability Response Playbook relates to any vulnerability observed to be used by adversaries to gain unauthorized entry into computing resources (i.e., a known exploited vulnerability). Both were written for federal civilian agencies, but CISA encourages other organizations to adapt them, and the step-by-step checklists translate well to a law office.
A Cyber-Response Plan Makes Good Sense
Considering the rapid growth of cyber-criminality, it makes sense to invest in a cyber-response plan. Your firm is sitting on a precious trove of confidential data, and the thieves who relentlessly trawl the internet's dark corners want it. There is much you can do to prevent those bad actors from stealing your data or taking your computer systems hostage. However, the most significant risk of harm to your law practice arises after the attack — whether successful or not. That is precisely why a cyber-response plan is so necessary.
Subscribe to Attorney at Work