On March 28, 2025, the Florida Bar Board of Governors unanimously passed Recommendation 25-1 — a directive requiring every Florida Bar member to take concrete, documented steps toward cybersecurity compliance. The deadline for the first two requirements is March 2027. That is less than nine months away, and most Florida law firms have not started.
March 2027: Cybersecurity Maturity Assessment and Data Mapping Survey must be completed by every Florida Bar member.
March 2028: Written Incident Response Plan must be in place and maintained annually.
These are not suggestions. The Bar, cyber insurers, and corporate clients are treating these as the new standard of care.
This guide covers what Recommendation 25-1 actually requires, why it carries real consequences even as a voluntary recommendation, what the three deliverables involve, which ethical rules create the underlying obligation, and what a realistic compliance path looks like for a Florida law firm of any size.
Recommendation 25-1 is a formal policy recommendation adopted by the Florida Bar Board of Governors, developed by the Florida Bar's Cybersecurity and Privacy Law Committee. It was passed unanimously on March 28, 2025, making Florida one of the most proactive state bars in the country on attorney cybersecurity obligations.
The recommendation does not create a new disciplinary rule on its own. What it does is establish a documented, Bar-endorsed standard of practice for cybersecurity that every Florida attorney is expected to follow. In the event of a data breach, a malpractice claim, or a disciplinary inquiry, failing to have completed these requirements is the kind of gap that creates serious exposure — professionally, legally, and financially.
The recommendation specifically calls on Bar members to consider whether retention of qualified experts is reasonably necessary to ensure completion, accuracy, and consistency with evolving best practices. That language matters. It signals that the Bar expects attorneys to treat cybersecurity compliance the same way they treat tax compliance or employment law — as an area where bringing in a specialist is not optional, it is prudent.
The word voluntary appears in the recommendation language, and some attorneys have taken that to mean this is something they can address later. That interpretation is a mistake, and here is why.
First, when a data breach occurs and the Florida Bar or a client's attorney looks at what the firm did to protect client data, the question is not whether you followed the exact letter of a disciplinary rule. The question is whether you took reasonable steps. Recommendation 25-1 is the Bar's published answer to what reasonable steps look like. If you have not completed a maturity assessment and data map and a breach exposes client data, you are explaining why you ignored what your own Bar told you to do.
Second, cyber insurers in 2026 are already treating this as a standard of care. Underwriters reviewing Florida law firm renewal applications are asking whether a cybersecurity assessment has been completed. Firms without one are seeing premium increases of 200 to 300 percent or being denied renewal entirely. The financial consequence of non-compliance shows up at insurance renewal, not after a breach.
Third, corporate clients are requiring it. Fortune 500 companies and institutional clients increasingly send outside counsel security questionnaires before signing engagement letters. A law firm that cannot demonstrate it has conducted a cybersecurity maturity assessment is at risk of losing those engagements. The business development consequence is already here.
Recommendation 25-1 establishes three distinct deliverables with two separate deadlines. Each one builds on the previous. You cannot credibly complete a data map without first doing an assessment, and an incident response plan that is not grounded in both is a document with no operational basis.
Deadline: March 2027
A cybersecurity maturity assessment is a structured evaluation of where your firm currently stands across the security controls and practices that protect client data. It is not a penetration test. It is not an IT audit. It is an advisory-level review that produces a documented baseline and a prioritized list of what needs to change.
The assessment evaluates the firm across six core security domains. Each domain is scored on a maturity scale from Initial (ad hoc, nothing documented) through Developing, Defined, Managed, and Optimized. Most small and mid-size law firms score between Initial and Developing when they complete their first assessment, which is entirely normal — the goal is to know where you are so you can close the gaps systematically.
Who has access to what. Multi-factor authentication, password policies, offboarding procedures, least privilege enforcement.
SPF, DKIM, and DMARC configuration. Anti-phishing protection. Staff awareness and training. Business email compromise prevention.
Device protection on laptops, desktops, and mobile devices. Encryption at rest. Secure device disposal procedures.
How client data is stored, transmitted, retained, and destroyed. Secure communication methods. Retention schedule enforcement.
Security posture of the firm's IT provider and technology vendors. SOC 2 reports. Contract provisions for breach notification and data handling.
Whether a written incident response plan exists. Breach notification knowledge. Backup integrity. Recovery capability.
The maturity assessment produces a written report documenting the firm's score in each domain, findings that represent risk to client data, and a prioritized remediation roadmap. That report is your primary deliverable for satisfying the maturity assessment requirement of Recommendation 25-1.
Deadline: March 2027
The data mapping survey is a documented inventory of what client data the firm holds, where it lives, who has access to it, how it is protected, how long it is retained, and how it is ultimately disposed of. Most law firms have never formally done this, and the results are consistently surprising when they do.
Client data at a typical law firm is scattered across practice management software, cloud file storage, email systems, local servers, portable devices, and sometimes paper files. Matter files contain personal identifiers, financial records, health information, settlement figures, and privileged communications — some of the most sensitive information that exists. The data map makes that landscape visible so it can be protected and managed.
The data mapping survey is not just a Recommendation 25-1 requirement. It is also foundational to compliance with Florida's Information Protection Act (FIPA), which requires breach notification when personal information is compromised. You cannot notify clients about breached data categories you did not know you were holding.
What the data map must cover: Data type and sensitivity classification, storage location and system, access controls and who has access, retention period by data category, disposal method for each category, and which vendors or technology providers have access to each data type. Every gap identified in the data map is a potential breach notification obligation and a malpractice exposure.
Deadline: March 2028
The incident response plan is a written, maintained document that tells the firm exactly what to do when a cybersecurity incident occurs. The Florida Bar has published a Model Incident Response Plan on LegalFuel.com, the Bar's practice management resource, which firms are encouraged to use as a starting template and customize to their specific environment.
A functional incident response plan addresses seven core areas: incident classification and severity levels, immediate containment steps for different incident types, internal communication and escalation procedures, external notification obligations including FIPA's 30-day requirement and client notification under ABA Rule 1.4, forensic evidence preservation, recovery procedures, and post-incident review. The plan must be reviewed annually and tested through a tabletop exercise at minimum.
The March 2028 deadline gives firms additional time, but the IRP is also the most operationally complex deliverable. Firms that wait until 2027 to start the IRP process after completing the assessment will find themselves under time pressure. The smart approach is to complete the assessment and data map by mid-2026, use the findings to inform the IRP, and have the plan documented by late 2026 or early 2027.
Recommendation 25-1 does not exist in isolation. It is grounded in existing professional responsibility obligations that have been in place for years. Understanding the ethical framework helps explain why the Bar issued this recommendation and what the consequences of ignoring it look like.
ABA Model Rule 1.1 requires a lawyer to provide competent representation, which includes the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation. Comment 8 to Rule 1.1 explicitly addresses technology: a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.
Florida has adopted this standard through Florida Rule of Professional Conduct 4-1.1. In practice, this means that understanding how your firm's technology handles client data is not a suggestion — it is a component of competent representation. An attorney who does not know whether client files are encrypted, where they are backed up, or who at the firm's IT vendor can access them is falling short of the competence standard.
ABA Model Rule 1.6(c) requires a lawyer to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. This is the cornerstone ethical obligation behind cybersecurity for attorneys.
The phrase reasonable efforts is doing significant work in that rule. What is reasonable in 2026 is measured against current standards — and Recommendation 25-1 is the Florida Bar's published statement of what reasonable looks like. A firm that suffers a breach of client data and cannot demonstrate it conducted a maturity assessment, maintained a data map, and had a written incident response plan will have difficulty defending that it made reasonable efforts under Rule 1.6.
ABA Formal Opinion 483, issued in 2018, addresses a lawyer's obligations after an electronic data breach or cyberattack. The opinion establishes that a lawyer has a duty to take reasonable steps to monitor for and respond to a breach, to stop it, to restore systems, and to notify affected clients when their material information may have been compromised.
Opinion 483 also makes clear that having a written incident response plan in place before an incident occurs is part of satisfying the reasonable efforts standard. A firm that discovers a breach and is improvising its response because it has no documented plan is, by definition, not meeting the standard the ABA has articulated.
The Florida Bar's Model Incident Response Plan, available through LegalFuel.com, provides a framework specifically designed for law firm environments. It covers the following areas:
The Model IRP is a starting point, not a finished product. It requires customization to the firm's specific size, practice areas, technology environment, and vendor relationships. A solo practitioner's IRP looks different from a 20-attorney firm's plan, which looks different again from a regional firm with multiple offices.
Understanding the multi-dimensional risk of failing to complete these requirements helps clarify why this is a priority, not a backburner item.
| Risk Area | The Exposure | Timeline |
|---|---|---|
| Bar Discipline | A breach occurring after the March 2027 deadline without a completed assessment creates a documented failure to follow Bar guidance. Disciplinary committees will ask what the firm did to comply with Recommendation 25-1. | Post-breach, on complaint |
| Malpractice Liability | A client whose data is breached because the firm failed to implement basic security controls has a viable negligence claim. The maturity assessment documents what controls were in place and when. | Post-breach, civil litigation |
| Cyber Insurance | Underwriters are requiring documented security assessments at renewal. Firms without one face premium increases of 200-300% or coverage denial. This consequence does not wait for a breach. | At next renewal |
| Corporate Clients | Outside counsel security questionnaires from sophisticated clients now ask whether an assessment has been conducted. Inability to answer affirmatively risks losing the engagement before it starts. | Current and ongoing |
| FIPA Violations | Florida's Information Protection Act requires breach notification within 30 days. Without a data map, the firm may not know what was breached or who to notify — creating a compliance failure on top of a security incident. | Post-breach, within 30 days |
For most small and mid-size Florida law firms, completing the Recommendation 25-1 requirements is a three-phase process that takes between two and six months depending on the firm's current state and the complexity of its environment.
The process begins with a discovery call to understand the firm's size, practice areas, technology environment, and existing security practices. A structured information request goes to the managing partner or administrator covering existing policies, vendor relationships, system inventory, and any prior security work.
The assessment itself combines structured interviews with the managing partner, the IT contact or MSP, and at least one attorney who handles sensitive client matters, plus technical spot checks on email security configuration (SPF, DKIM, DMARC), external-facing systems, and any cloud environments the firm uses. The data mapping session runs concurrently — it works best as a facilitated working session rather than a form the firm fills out independently, because most firms discover data they did not know they had when someone asks the right questions.
Raw findings get translated into a maturity score for each domain, a full findings table with plain-English business impact statements, a data map summary documenting the firm's data landscape, and a prioritized remediation roadmap. The report is written for two audiences simultaneously: the managing partner who needs to understand the risk in business terms, and the firm's IT contact or MSP who needs to understand what to change.
Observation: The firm has not enforced multi-factor authentication on the email platform and has not completed a formal access review following the departure of three staff members in the past 12 months.
Business Impact: Without MFA, a single compromised credential provides immediate access to all firm email, including client communications and matter documents. Former employee accounts that remain active create an unauthorized access risk that represents a direct violation of the firm's duty of confidentiality under Rule 1.6.
Recommendation: Enable MFA enforcement for all users on the email platform within 30 days. Conduct an immediate access review and disable all accounts associated with former employees or contractors. Establish a formal offboarding checklist that includes access revocation as a required step.
Using the findings from the assessment as the operational foundation, the incident response plan is built to reflect the firm's actual environment. The Florida Bar Model IRP provides the structure. The customization work involves mapping the firm's specific vendors, systems, personnel, and client relationships to each component of the plan. The finished IRP gets reviewed by the managing partner, approved, and scheduled for annual review.
Recommendation 25-1 specifically uses the phrase "qualified expert" when describing who should assist with these requirements. That language is significant. Not every IT company that offers managed services is positioned to conduct a cybersecurity maturity assessment that satisfies an ethical compliance requirement.
A qualified expert in this context brings a combination of technical cybersecurity knowledge and an understanding of the legal and ethical framework that creates the obligation. The advisor needs to understand what Rule 1.6 requires, what FIPA mandates, what ABA Opinion 483 establishes, and how those obligations translate into the technical controls being assessed. An IT support company that reboots servers and manages email does not have that framework. An advisor with a background in cybersecurity and a credential in cybersecurity law and technology risk management does.
When evaluating a potential expert, ask whether they have experience with law firm environments specifically, whether they can explain the connection between the assessment findings and the firm's ethical obligations, and whether the deliverable they produce can be used to demonstrate compliance to an insurer, a disciplinary committee, or a corporate client asking for documentation.
Attorneys with specific questions about their professional responsibility obligations in relation to cybersecurity can contact the Florida Bar Ethics Hotline at 1-800-235-8619. The hotline provides guidance on professional conduct questions and can help clarify how specific situations relate to the Florida Rules of Professional Conduct.
A cybersecurity advisor can help a firm complete the technical and operational requirements of Recommendation 25-1. Questions about how specific facts relate to a firm's disciplinary obligations under the Rules of Professional Conduct are best directed to the Bar's Ethics Hotline or to bar counsel.
Given that the March 2027 deadline is less than nine months away, firms that have not started should begin immediately. The process takes time, and firms that start in the fourth quarter of 2026 may find themselves rushed or unable to schedule with qualified advisors before the deadline.
First Step Technology LLC provides cybersecurity maturity assessments, data mapping surveys, and incident response plan development specifically for Florida law firms. Engagements are designed to satisfy all three Recommendation 25-1 requirements with minimal disruption to firm operations.
Schedule a Consultation