Cybersecurity Incident Response Plans in the Works
The IT security firm Check Point said the “insurance/legal” sector saw 636 weekly attacks in 2022, a 68% increase from 2021. That figure was expected to triple in 2024.
TALLAHASSEE, Fla. – Florida Bar members could be getting guidelines for creating a cybersecurity incident response plan, something experts say is essential in a profession highly targeted by cybercriminals.
At a September 20, 2024, Florida Bar Board of Governors meeting, Board Technology Committee Chair Duffy Myrtetus said his panel has been working with Cybersecurity and Privacy Law Committee Co-Chairs Steven Teppler and Franklin Zemel, and Vice Chair John Giantsidis, on the initiative.
“The reasoning goes, if you’re able to develop an acceptable incident response plan, you are more likely than not to avoid the need for an incident response plan,” Myrtetus quipped.
Experts warn that attacks are so prevalent that lawyers should consider a data breach inevitable.
According to the latest data available from IT security firm Check Point, the “insurance/legal” sector saw 636 weekly attacks in 2022, a 68% increase from 2021. That figure was expected to triple in 2024.
“There are dozens of well-publicized law firm breaches,” Zemel told a cybersecurity seminar last summer. “I can tell you that what’s been reported is a fraction of what’s going on because when we get hacked, it’s not something that we want to call attention to.”
Zemel quoted American Bar Association (ABA) statistics that suggested 27% of all law firms have experienced a data breach. Every firm should have an incident response plan, Zemel and other experts say.
“Today the issue is not if a law firm will suffer a cyber intrusion, but when, and what type. Therefore, the critical question for any law firm is how well it will respond when the inevitable happens,” Hinshaw & Culberson General Counsel for Privacy, Security & Compliance Steven Puiszis warned in an ABA “Professional Lawyer” article.
According to a 2022 ABA survey, 75% of all respondents reported having some type of cybersecurity training at their firms. The same survey showed that only 42% of all firms had a security response plan, and just 9% of solo practitioners had a response plan.
“Clients are mandating that their law firms have safeguards in place to prevent a data breach,” Puiszis warned. “But technology is far from foolproof, and even the strongest technical, administrative, and physical safeguards are no guarantee that a law firm will not be breached.”
In other business, the Board Technology Committee is reviewing a Vision 2016 goal, Myrtetus said.
“There were some efforts undertaken by a committee back in 2015 that were really directed at having a permanent capability on the Technology Committee to track and report to the board on technology matters that affect both members, but [also] the clerks and the courts,” Myrtetus said. “We’ve done that in a manner with the special artificial intelligence subcommittee, but we’re looking to develop a longer-term and more permanent capability for the Technology Committee.”
Meanwhile, Myrtetus said, the Board Technology Committee is reaching out to malpractice insurance companies to learn more about cybersecurity coverage.
“We have begun an effort to communicate with malpractice carriers about matters that are covered and excluded as part of malpractice coverage involving technology matters,” Myrtetus said. “It’s been slow going. It won’t surprise you to know that many carriers are not willing to share detailed underwriting criteria, but it’s something we intend to pursue.”
This article originally appeared in The Florida Bar News.