ALA White Paper Legal Industry/Business Management

Business Resiliency: 7 Steps to Successful Incident Management, Business Continuity and Disaster Recovery Planning

Executive Summary


The types of plans related to business resiliency planning for organizational systems include business continuity plans (BCP), disaster recovery plans (DRP), continuity of operations plans (COOP), crisis communications plans (CMP), critical infrastructure plans (CIP), cyber incident response plans (CIRP), incident management plans (IMP) and occupant emergency plans (OEP). This white paper focuses on three of these plans — incident management (IM), business continuity (BC) and disaster recovery (DR). These plans form the core of an organization’s business resiliency strategy. 


Albert J. Marcella Jr., PhD, CISA, CISM
President, Business Automation Consultants, LLC 

There are two types of organizations today: those that have experienced a disruptive event that affected ongoing business operations and those that will.  

A disruptive event is any unplanned incident, technical or human in origin, that causes your information technology (IT) capabilities to stop abnormally or abruptly, without warning.

A disruptive event may result from: 

  • Hardware failure (e.g., hard drive malfunction, server crash) 

  • Software failure (e.g., system freeze, reboot or total inoperability) 

  • Telecommunications failure (e.g., internet, mobile communications outages) 

  • Human failure (e.g., poor application design, unapplied updates, inadequate backup procedures, errors in judgment, poor security awareness training, intentional or unintentional unauthorized acts)

The 2021 Verizon Data Breach Investigations Report investigated 5,258 confirmed data breach cases. The median cost of an incident was $21,659, with 95% of incidents falling between $826 and $653,587.ii 

The 2020 Legal Technology Survey Report conducted by the American Bar Association’s Legal Technology Resource Center (LTRC) revealed that the number of firms experiencing a security breach (such as a lost/stolen computer or smartphone, hack, break-in or website exploit) increased over the prior year — 29% of respondents compared to 26% in 2019.iii 

As you consider these numbers, note that tangible expenses may also include the cost of downtime, hardware repair or replacement, Digital Forensics and Incident Response (DFIR) services, increased insurance premiums, and noncompliance fines and penalties. Intangible costs, such as lost business and diminished client confidence, are both harder to calculate and harder to recover from. See Figure 1 (page 16).

Regardless of your legal organization's size, your business is susceptible to events and incidents, some minor and some not, that may disrupt daily operations, the delivery of client services and the long-term sustainability of the practice.

The ABA Profile of the Legal Profession 2020 report found that, in general, the bigger the firm, the more likely it is to have experienced a security breach: in 2019, 32% of firms with 500 or more lawyers reported having experienced a breach at some point in the past, while for solo practitioners the figure was 14%.v

The implications of the American Bar Association's 2018 Formal Opinion 483, "Lawyers' Obligations After an Electronic Data Breach or Cyberattack," place an even greater responsibility on the organization to substantiate valid internal controls, implement risk management practices and bolster its ability to sustain ongoing business operations.

Opinion 483 specifically states that "lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach."vi