What To Include in Your Law Firm's Plan for Cyber Attacks

Here is what should be included in your law firm’s plan for cyber attacks, or your incident response plan (IRP). You can use this blog post as a template that you can send to your IT team as a starting point.

Fill in the blanks with information that will help your office recover if you are facing a cyber attack or data breach.

Imagine the sinking feeling of your files suddenly disappearing or an unknown person demanding money to get your data back.

No one wants to think about a cyber attack, but because of the sensitive data involved in your work, law firms are at risk. However, a simple IRP can help you prepare. Your plan can be short and non-technical.

An IRP is a good idea for your internal operations, and it might also be required for cyber insurance purposes. It doesn’t need to be long or overly complicated. Feel free to use these points as a starting point for your first draft.

1. What to do BEFORE a cyber attack or data breach:

Identify where all your data lives.
How sensitive and critical is your data and technology systems?
How will you detect an attack? Work with your IT team to set up cyber security policies and alerts that will identify most breaches, before your clients are the ones to catch a breach. (Imagine getting an email from your client such as “I got a suspicious email from you…”)

2. What to do DURING a cyber attack or data breach:

In addition to your IT team, engage your third party insurance provider. They may send you a checklist of what to do. This will show your clients and other stakeholders you have done everything in your power to respond to the cyber attack or data breach. People will want to see that you’ve dealt with the breach appropriately.
What is the scope of the attack? (E.g. was it just one person’s email that was hacked, did the attack infiltrate your servers, has it gotten through to your backups…)
How will you know the attack has stopped? Stopping an attack can be complicated, but it can involve actions such as checking logins, resetting passwords, and revoking logins. Have a plan to confirm the attack has stopped. For example, “for the next 24 hours, we will check the logs for sign-ins every hour, to make sure nobody else has been hacked. For 30 days afterwards, we will check every day.” This is critically important. Successive data breaches will often start with just one account. If you have been breached once, it’s very common to be breached again within 30 days. Continuously verify that a cyber attack has been stopped.

3. What to do AFTER a cyber attack or data breach:

Who do you need to notify and how? You may have duties to notify your clients about the nature of the data that was breached. The best thing you can do is have a plan in place: who you should notify if xyz data is involved in a breach.
Send out your public relations/notification materials to the people who need to know about the cyber attack or data breach. Preferably, draft this ahead of time so you’re not scrambling after the fact. Your notifications should include basic information about the “who, what, when, where, how” of what happened. We are all used to getting such notifications in our email inboxes.

For more information on simple and affordable ways to help prevent cyber attacks, check out my video presentation: 5 Ways to Fight Cyber Attacks Without Breaking the Bank.