On March 28, 2025, the Florida Bar unanimously approved Recommendation 25-1, which was proposed by its Cybersecurity & Privacy Law Committee and encourages all Florida Bar members and their firms to adopt certain proactive cybersecurity measures. Specifically, the Recommendation urges firms to perform a Data Mapping Survey and Cybersecurity Maturity Assessment within two years, and to develop an Incident Response Plan (IRP) within three years.

Data mapping helps firms identify what sensitive information they possess, where it resides, and how it moves through their systems. Maturity assessments evaluate a firm’s current cybersecurity posture, establish a baseline, and highlight areas of improvement. The Recommendation’s cornerstone is development of an IRP, which prepares a firm to respond promptly to cyber incidents, minimize operational disruption, protect client and third-party data, and reduce liability exposure.

Although purely voluntary, Recommendation 25-1 reflects cybersecurity best practices and positions Florida as the first U.S. state bar to formally pass cyber resilience guidelines. It comes amid several high-profile breaches at law firms, including at Gunster (2022 attack impacting 9,000 individuals and resulting in a $8.5 million settlement) and at Orrick, Herrington & Sutcliffe (2023 attack impacting 600,000 individuals and resulting in a $8 million settlement).