Week #3—An Ounce of Preparation…
Following cybersecurity best practices in the use of technology (such as recognizing and deleting phishing messages, using a VPN and strong passwords, and regularly updating software) will go a long way in protecting against cyber-attack. However, even the most vigilant still face some risk. As technology evolves, so too does cyber-crime. Since the risk cannot be eliminated, lawyers must consider the potential impact of a cyber-attack and how to respond to minimize the impact on the firm and its clients.
In 2018 the ABA addressed the ethical implications of a cyber-attack—specifically regarding a lawyer’s duty to maintain client confidentiality under Model Rule 1.6. The ABA advised that:
As a matter of preparation and best practices… lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.
See, ABA Formal Opinion 483 at 6. One of the benefits of a well-drafted Incident Response Plan (“IRP”) is that “it supports responding to incidents systematically… so that the appropriate actions are taken.” An IRP will also help “minimize loss or theft of information and disruption of services caused by the incidents.” See, id.; citing, National Institute of Standards and Technology’s (“NIST”) Computer Security Incident Handling Guide (Special Publication 800-61).
The ABA’s opinion goes on to identify the common features of an IRP. The IRP should lay out a plan to promptly:
- Identify and evaluate any potential network anomaly or intrusion.
- Assess the nature and scope of the intrusion.
- Determine if any data or information may have been accessed or compromised.
- Quarantine the threat or malware.
- Prevent the exfiltration of information from the firm.
- Eradicate the malware.
- Restore the integrity of the firm’s network.
Each stage of the process should be described with the specific steps to be taken.
An IRP should also identify the individuals responsible for implementing the plan. It should:
- Identify team members and their backups.
- Provide a means to reach team members at any time an intrusion is reported.
- Define the roles of each team member.
- Designate the team member responsible for each step.
- Designate a team member responsible for the overall response.
Coupling vigilant prevention practices with a detailed and thorough response plan provides protection on both ends of a cyber-attack. This two-pronged protection is not only recommended by the ABA and NIST; it is also part of the holistic approach to building a culture of cyber readiness recommended by the Cybersecurity & Infrastructure Security Agency (“CISA”).
More resources for developing a cyber incident response plan are available on OBLIC’s Cyber Toolbox. The ABA also offers A Brief Guide to Handling a Cyber Incident. CISA has developed a guide for leaders of small businesses called “Cyber Essentials” that is available on CISA’s website. That guide also provides access to CISA’s Cyber Essentials Starter Kit and Cyber Essentials Toolkits, which include a chapter on crisis response.
We hope that you take advantage of these resources and provide the best protection for your firm and your clients by developing a cybersecurity IRP.
If you have any questions or need help navigating these resources, give us a call. We are happy to help.
Gretchen Mote, Esq.
Director of Loss Prevention
Monica Waller, Esq.
Senior Loss Prevention Counsel