One of the most striking findings of the ABA’s 2018 Legal Technology Survey Report was that only 25 percent of law firms had an Incident Response Plan (IRP). In a world struggling daily against cyber incidents and data breaches, that is a piteous statistic. We don’t know why so many law firms fail to create IRPs, but it’s time to come to grips with the necessity of having one. The last time we focused on this subject was in this column in November/December 2015. So it’s definitely time to revisit the topic and issue a rallying cry for the adoption of IRPs.
Let us be clear at the outset that we are zeroing in on solo, small and midsized law firms. While large law firms will include all the elements we reference below in their IRPs, theirs will be far more complex, with many moving parts. As ever, we are trying to craft a solution that is reasonable and not financially overwhelming to meet the ethical rules that govern lawyers.
What Does an IRP Prepare You For?
An IRP prepares you for data breaches and cyber incidents. And we’ll stop right there because we know many folks are confused by the difference. A lot of cyber incidents are not breaches. A common example is ransomware, where your data is encrypted but not (in almost all cases) compromised. The whole point is to get you to pay a ransom, not to access and take your data.