Florida Bar Urges Law Firms to Adopt Incident Response Plans: A Call to Action for Legal Professionals

Workplace Privacy, Data Management & Security Report

In late March 2025, the Florida Bar Board of Governors unanimously endorsed the recommendation of its Special Committee on Cybersecurity and Privacy Law that law firms should adopt written incident response plans (IRPs) to better prepare for and respond to data security incidents. The recommendation reflects a growing recognition across professional service industries, particularly law firms, of the serious risks posed by cyber threats and the need for structured, proactive responses.

The message is simple: law firms must be prepared.

As most practitioners will observe, it is not a matter of if an organization will experience a data breach, but when. Development and implementation of an IRP can be challenging, as the nature of legal practice poses unique challenges even for smaller firms. At the same time, as stewards of vast amounts of highly sensitive client and employee data, often spanning multiple industries, jurisdictions, and confidentiality regimes, law firms hold data sets that make them attractive targets for threat actors, especially those seeking access to intellectual property, litigation strategies, and regulatory or financial information, not to mention sensitive personal information.

What Makes Law Firms Different

Unlike organizations in several other industries, law firms often lack centralized compliance infrastructures or in-house technical expertise. Client confidentiality obligations and the attorney-client privilege can complicate both the detection and disclosure of incidents. In some cases, a firm may mistake confidentiality for security, when both are needed.

In addition, unlike most other professional service providers, law firms grapple with a comprehensive set of rules of professional responsibility that increasingly delve into data privacy and cybersecurity issues. Of course, those rules sit on top of the generally applicable business regulation that law firms also face. See, for example, our recent discussion of the Florida Information Protection Act (FIPA), which mandates that certain entities, including law firms, implement reasonable measures to protect electronic data containing personal information.

When engaging a new client, a simple engagement letter may no longer be sufficient, especially for law firms representing certain businesses, particularly those that are heavily regulated. Consider law firms that defend medical malpractice claims. Their clients are most likely healthcare providers covered by the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). That makes these firms business associates to the extent their services involve access to protected health information. Just like their healthcare provider clients, business associate law firms are required to maintain an incident response plan (45 CFR 164.308(a)(6)). So even before Recommendation 25-1, many law firms may have already been obligated to maintain an IRP, at least with respect to certain information collected from or on behalf of certain clients.

Given these realities, the Florida Bar's recommendation is both timely and necessary, even if not unprecedented. Notably, in 2018 the ABA issued Formal Opinion 483, which made a similar recommendation. Law firms considering an IRP should consult Formal Opinion 483.

What Should a Law Firm's Incident Response Plan Include?

A comprehensive and tailored IRP should be risk-based and scalable to firm size, practice areas, and existing infrastructure. Here are some components all firms should consider including in their IRP:

Additional Tools and Resources

With cyber threats evolving and legal obligations expanding, law firms must treat incident response planning as an ethical, professional, and business imperative. The Florida Bar's recommendation should serve as a wake-up call. By building a strong IRP, law firms can better protect client confidences, meet regulatory requirements, and preserve their professional reputation.

Joseph J. Lazzarotti is a principal in the Tampa, Florida office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm's Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer focused on compliance, Joe also is a member of the firm's Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Focused on employment and labor law since 1958, Jackson Lewis P.C.'s 1,000 attorneys located in major cities nationwide consistently identify and respond to new ways workplace law intersects business. We help employers develop proactive strategies, strong policies, and business-oriented solutions to cultivate high-functioning workforces that are engaged and stable, and share our clients' goals to emphasize belonging and respect for the contributions of every employee.