Law Firm Compliance

Incident Response Plan for Law Firms: Florida Bar Requirements and How to Build One

Makita Tunsill, JM
Juris Master — Cybersecurity, Privacy & Technology Risk Management | First Step Technology LLC
Published: July 4, 2026
14 min read

A cybersecurity incident at a law firm is not a question of if. It is a question of when, how severe, and how prepared the firm is when it happens. Florida Bar Recommendation 25-1 requires every Florida Bar member to have a written, maintained incident response plan in place by March 2028. But the ethical obligation to have a plan — grounded in ABA Rule 1.6 and ABA Formal Opinion 483 — has existed for years. The recommendation formalizes what was already required.

Recommendation 25-1 IRP Deadline

March 2028: Every Florida Bar member must have a written, annually reviewed Incident Response Plan in place. The Florida Bar has published a Model IRP available through LegalFuel.com as a starting framework for customization. The IRP deadline is one year after the March 2027 deadline for the cybersecurity maturity assessment and data mapping survey.

This article explains what a law firm incident response plan must cover, how the Florida Bar Model IRP is structured, what the first 30 days of a real breach looks like with and without a plan, and the practical steps for building a plan that works under pressure — not just one that sits in a folder and satisfies a checkbox.

What an Incident Response Plan Is and Why It Matters

An incident response plan is a written document that defines exactly what a law firm does when a cybersecurity incident occurs. It identifies who is responsible for what, what decisions need to be made by whom, what external parties need to be contacted and in what order, and what legal and ethical notification obligations need to be fulfilled within what timeframes.

The plan matters for two distinct reasons that are worth separating clearly. First, it matters operationally. A firm facing ransomware at 9 PM on a Friday that has a written plan knows who to call within 15 minutes. A firm without a plan spends the first several hours figuring out who should be making decisions, whether to call law enforcement, whether to contact the IT provider or wait until morning, and what to tell the attorney who is asking whether the client files are recoverable. That time has direct consequences for containment, evidence preservation, and eventual recovery.

Second, it matters for compliance and liability. ABA Formal Opinion 483 is explicit: having an incident response plan before an incident occurs is part of satisfying the reasonable efforts standard under Rule 1.6(c). A firm that suffers a breach and cannot produce a pre-existing written plan is demonstrating, by definition, that it did not make reasonable pre-breach efforts. The IRP is the documentary evidence of those efforts.

What the Florida Bar Model IRP Covers

The Florida Bar's Model Incident Response Plan, available through LegalFuel.com, provides a framework specifically designed for law firm environments. It is a starting point, not a finished product — every firm must customize it to reflect its actual size, systems, personnel, vendors, and practice areas. The Model IRP addresses seven core areas:

Section 1

Incident Classification

A tiered system for categorizing incidents by severity. Level 1 is a contained event with no data exposure. Level 3 is an active breach with confirmed data exfiltration. The classification determines the response protocol and who needs to be notified.

Section 2

Response Team and Roles

Named roles for the incident response: who leads the response, who handles communications, who coordinates with the IT provider, who makes decisions about client notification. Role clarity prevents the paralysis that occurs when everyone is looking at everyone else.

Section 3

Immediate Response Procedures

Step-by-step actions for the first 24 hours. Containment steps for ransomware, unauthorized access, and data exfiltration scenarios. Evidence preservation requirements. System isolation procedures that do not destroy forensic data.

Section 4

Notification Requirements

FIPA's 30-day notification deadline. ABA Rule 1.4 client communication obligations. Bar reporting considerations. Law enforcement contact decisions. The plan specifies who drafts notifications, who approves them, and who sends them.

Section 5

Vendor and MSP Coordination

How to engage the IT provider during an incident without compromising evidence. Vendor contact information for after-hours response. What the IT provider is authorized to do without separate approval during an active incident.

Section 6

Recovery Procedures

Steps for restoring systems from backups. Verification procedures to confirm systems are clean before returning to operation. Communication to clients and staff during the recovery period.

Section 7

Post-Incident Review

A structured review process after every incident to document what happened, what worked, what did not, and what changes to make to the plan and to firm security practices based on the lessons learned.

The First 30 Days of a Breach: With and Without a Plan

The practical difference between having a written incident response plan and not having one becomes clearest in the first 30 days of an actual incident. The timeline below illustrates what those 30 days look like in each scenario based on a ransomware attack discovered on a Monday morning by a paralegal who cannot open any files.

Hour 0
Discovery

With IRP: Paralegal reports to designated first responder per plan. IT provider emergency line called within 20 minutes. Systems isolated per containment procedure.

Without IRP: Paralegal tells a partner. Partner calls another partner. Two hours pass while attorneys debate whether to turn systems off. IT provider finally reached but cannot get there until afternoon.

Hour 6
Containment

With IRP: Affected systems isolated. Forensic image of one affected workstation preserved. Scope of compromise under investigation. Response team assembled.

Without IRP: IT provider has partially contained the attack but additional systems may have been infected during the delay. Evidence preservation has not been discussed. No one has designated a response lead.

Day 3
Assessment

With IRP: IT forensics has identified the attack vector. Data map available to assess which client data was in the affected systems. Preliminary scope of potential breach established.

Without IRP: No data map exists. Cannot determine which clients' data was on the affected systems without manually reviewing files. Scope of potential notification unknown.

Day 14
Notification

With IRP: Client notification letters drafted, reviewed, and sent. FIPA notification timeline tracked. Notification documented in incident log. 16 days remain in the 30-day FIPA window.

Without IRP: Still working to determine which clients are affected. Attorneys are divided on whether to notify before the scope is fully confirmed. FIPA deadline is in 16 days but the firm is not tracking it formally.

Day 30
FIPA Deadline

With IRP: Notification complete. Systems restored from clean backups. Post-incident review scheduled. Documentation of response preserved for potential Bar inquiry or insurance claim.

Without IRP: Notification has not been sent because scope is still disputed internally. FIPA deadline has passed. The firm now has a potential statutory violation on top of the breach itself.

Building Your Law Firm Incident Response Plan

Building an effective incident response plan for a law firm is a four-phase process. The Florida Bar Model IRP from LegalFuel.com provides the structural framework. The customization work requires input from firm leadership, the IT provider, and the attorneys responsible for managing different matter types.

Phase 1

Foundation: Understand Your Environment First

The IRP must be built on a realistic picture of the firm's actual technology environment, data holdings, and vendor relationships. This is why the cybersecurity maturity assessment and data mapping survey come before the IRP — they provide the operational foundation the plan needs to be functional rather than generic.

Phase 2

Customization: Adapt the Model IRP to Your Firm

Download the Florida Bar Model IRP from LegalFuel.com. Work through each section and replace the placeholder language with information specific to your firm. Every role should have a named individual and a backup. Every vendor contact should have an actual phone number. Every procedure should reference your actual systems by name.

Phase 3

Testing: Tabletop Exercise

A written plan that has never been tested is a plan that will fail under pressure. A tabletop exercise is a structured discussion-based simulation where the response team walks through a hypothetical incident scenario using the IRP. No systems are actually affected. The exercise surfaces gaps in the plan, clarifies roles, and ensures everyone knows what to do before they have to do it under real pressure.

A basic tabletop exercise for a small law firm takes two to three hours. The facilitator presents a scenario — ransomware, a phishing-based credential compromise, a lost laptop with unencrypted client files — and the team works through the response using the IRP. The gaps identified in the exercise become updates to the plan.

Phase 4

Maintenance: Annual Review and Update

Recommendation 25-1 requires the IRP to be maintained annually. Annual review should update contact information, reflect any changes to the firm's systems or vendor relationships, incorporate lessons learned from any incidents or near-misses during the year, and account for changes in the threat landscape and notification requirements. The review should be documented — a dated notation in the plan itself showing when it was reviewed and by whom.

What the Plan Does Not Cover: When to Get Outside Help

An incident response plan tells the firm what to do. It does not replace the outside expertise that a serious incident requires. Law firms experiencing an active breach should understand which categories of outside help the plan should identify in advance:

Backup integrity is the IRP's foundation: The incident response plan can specify a recovery procedure, but the procedure only works if the backups it relies on are current, tested, and stored in a way that ransomware cannot reach them. An incident response plan that specifies recovery from backups and those backups are either nonexistent, untested, or connected to the same network that was encrypted is not a functional plan. Backup integrity — immutable, offsite, regularly tested — is the technical prerequisite for any recovery procedure in the IRP.

Start Before the March 2028 Deadline

The March 2028 deadline for the IRP is one year after the March 2027 deadline for the maturity assessment and data mapping survey. That sequencing is intentional — the IRP should be built on the foundation the assessment and data map provide. Firms that complete the assessment and data map in 2026 or early 2027 have time to build the IRP deliberately and test it before the deadline. Firms that wait until 2027 to start the assessment will find themselves building the IRP under time pressure.

The most effective approach is a single integrated engagement that completes all three Recommendation 25-1 deliverables in sequence: maturity assessment, data mapping survey, and incident response plan. The assessment informs the data map. The data map informs the IRP. Each deliverable builds on the last, producing a compliance package that is internally consistent and operationally grounded rather than three separate documents that do not reference each other.

Build Your Law Firm Incident Response Plan

First Step Technology LLC develops incident response plans for Florida law firms using the Florida Bar Model IRP as the structural framework. Engagements include the facilitated building process, tabletop exercise, and documentation package that satisfies the Recommendation 25-1 March 2028 requirement.

Start Your IRP Engagement
Disclaimer: This article is published by ComplianceFirst.io, a compliance intelligence publication of First Step Technology LLC. It is provided for informational purposes only and does not constitute legal advice. First Step Technology LLC is not a law firm. The Florida Bar Model IRP referenced in this article is available through LegalFuel.com. Questions regarding your specific obligations under the Florida Rules of Professional Conduct or FIPA should be directed to qualified legal counsel or the Florida Bar Ethics Hotline at 1-800-235-8619.