The minute a breach is identified, the firm must execute the IRP. Multiple factors make a breach response more difficult for a law firm: strong personalities, a constant sense of urgency and a culture of never stopping work. An IRP helps the firm navigate these by predefining certain things, such as who the authority figures are during the breach.
Follow the Leader: Cyber Insurance
If the firm has a cyber insurance policy, the policy must be integrated with the IRP and the carrier involved early. Even if the firm is unsure of a breach and is still investigating, a “notice of circumstance” should be sent to the insurance carrier, letting it know a claim may be coming. This does not affect your rate but is part of the policy requirements for claims notifications. If a true breach is identified, the firm’s insurance carrier will have specific processes and experts to help, and will assign experts to lead the response effort.
Clear Communication with Guardrails
Discussing an active breach can lead to liabilities for a firm, both internal and external. In cyber insurance, there are horror stories of attorneys talking to the media and making a bad situation worse, or of IT becoming impatient and restoring from backups, only to find the hackers were already in the system. One of the first steps in every IRP should be a managing partner or equivalent reiterating to the firm that the processes must be followed and respected. But what happens after the firm has recovered? “Everyone returns to work” is the wrong answer — this is the prime time to work on improving processes and cyber security.


