Your bookkeeper calls you at 8:47 a.m. on a Tuesday. She can’t open any files, and her screen is showing a message demanding payment in Bitcoin. You have no IT department. You have no printed plan. And the clock is already running.

What you do in the next 60 minutes will determine how bad this gets.

The Problem: Most Small Firms Have No Plan for the Moment It Happens

Ask most small accounting, law, or financial advisory firms whether they have an incident response plan, and you’ll get one of two answers: “I think our IT guy has something,” or “We should probably work on that.”

Neither answer helps you at 8:47 a.m.

The reality is that most small professional services firms rely on informal arrangements - a vendor’s phone number in someone’s email, an insurance policy that nobody has read, and the assumption that a breach is something that happens to bigger organizations. That assumption is wrong. According to the Verizon Data Breach Investigations Report, small businesses are targeted in a significant share of all breaches, and professional services firms are attractive targets precisely because they hold sensitive client data without the security infrastructure of larger enterprises.

The first hour after discovering an incident is when containment decisions matter most. Disconnecting the right systems, preserving evidence, and controlling internal communication can limit the damage significantly. But firms without a documented plan spend that hour doing something far less useful: trying to figure out who to call, debating whether this is really an incident, or - worst of all - asking staff to poke around in compromised systems trying to understand what happened.

By the time someone takes a meaningful action, the attacker may have already exfiltrated data, and your team may have inadvertently destroyed forensic evidence that your insurer and attorneys will need later.

Why This Matters for Professional Services Firms

Professional services firms occupy a uniquely exposed position under data privacy law. You are not just responsible for your own business data. You are stewards of your clients’ most sensitive financial, legal, and personal information.

That exposure carries legal weight.

California’s data breach notification law (Civil Code Sections 1798.29 and 1798.82) requires notification to affected individuals “in the most expedient time possible and without unreasonable delay.” Many other states layer a fixed outer limit on top of that standard: Florida gives you 30 days from determining that a breach occurred, and several other states cap the window at 45 or 60 days. New York’s SHIELD Act uses the “most expedient time possible” standard with no fixed outer limit, but regulators interpret it narrowly.

For CPA and tax preparation firms, the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, as enforced by the Federal Trade Commission (FTC), requires a written information security program and, under the 2024 amendment, notification to the FTC as soon as possible and no later than 30 days after discovering a breach involving the unencrypted customer information of 500 or more consumers. That is in addition to, not instead of, state notification to the affected individuals. Law firms face additional exposure under state bar ethics rules, which increasingly treat data security as a component of competence and confidentiality obligations, regardless of the client’s industry.

None of these deadlines start when you’ve figured out what happened. They start when you discover that something happened. That means your incident timeline documentation begins on day one, not after you’ve cleaned things up.

A firm without a response plan is also a firm that cannot demonstrate to its insurer, its regulator, or its clients that it acted reasonably. That matters when breach notification costs, forensic investigation fees, and client claims show up in your mailbox.

How to Build a Practical Incident Response Playbook

You do not need a 40-page document. You need four things documented before an incident occurs, and three scenario-specific response paths for when one does.

The Four Things to Document Now

1. Your IT emergency contact’s direct line. Not a general support email. A phone number that reaches a human being outside business hours. If you use a managed IT provider, confirm what their incident response protocol is and how to escalate after hours.

2. Your security insurance carrier’s claims line. Pull out your policy right now. Find the 24-hour claims number and write it on a card that lives in your physical office. Many policies require you to notify the carrier before engaging a forensic firm or paying any ransom, or you risk losing coverage.

3. A list of systems that touch client data. This does not need to be technical. It can be a simple list: “Client portal, practice management software, email, shared drive, accounting software, file server.” This list tells your IT contact where to look first and tells your attorney what scope to consider for notification.

4. A communication hold policy. Train every staff member that when a potential incident is discovered, they do not post about it internally in Slack, they do not email clients, and they do not discuss it on personal devices until leadership gives the all-clear. Premature or informal communication can tip off an attacker who still has access, violate attorney-client privilege, and create inconsistent records that complicate breach notification.

Three Scenarios, Three Response Paths

Ransomware: Disconnect the affected device from the network immediately - pull the network cable or turn off Wi-Fi. Do not turn the machine off; memory holds evidence your forensic firm will want. Do not wipe, reimage, or restore from backup until your IT contact confirms the evidence has been preserved and the backups themselves are clean; attackers often encrypt or delete reachable backups first. Photograph the ransom note. Call your IT contact and your security insurance carrier, in that order, before doing anything else. Do not pay without consulting both.

Business email compromise (BEC): If someone received or sent a fraudulent wire transfer or invoice, call your bank immediately using the number on the back of your card or on a statement, never a number from the suspicious email. Banks have fraud recall windows measured in hours. Then preserve every email in the thread without deleting anything, including the original messages and their headers. Notify your IT contact to check for inbox rules that may still be forwarding or hiding your email, to reset the compromised account’s password and revoke its active sessions, and to confirm multi-factor authentication is enforced. Until that is done, assume the attacker is still reading the mailbox.
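The inbox-rule check above is the one step a small firm’s IT contact can script. The following is an added example, not code from the original article or from One82; it assumes the firm’s email is in Microsoft 365 (Exchange Online), that the ExchangeOnlineManagement PowerShell module is installed, and that the operator holds an Exchange administrator role. The mailbox names and rule names in the comments are placeholders. A Google Workspace tenant needs the equivalent check through the Admin console instead.

```powershell
# Added example (not from the original article). Assumes Microsoft 365 /
# Exchange Online, the ExchangeOnlineManagement module, and an account with
# an Exchange administrator role. Mailbox and rule names are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in with an MFA-protected admin account

$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

$Findings = foreach ($Mbx in $Mailboxes) {
    $Upn = $Mbx.UserPrincipalName

    # 1. Mailbox-level forwarding, set by an admin or by an attacker who
    #    obtained admin rights. This is separate from user inbox rules.
    if ($Mbx.ForwardingSmtpAddress -or $Mbx.ForwardingAddress) {
        [PSCustomObject]@{
            Mailbox = $Upn
            Finding = 'Mailbox forwarding'
            Detail  = "To=$($Mbx.ForwardingSmtpAddress)$($Mbx.ForwardingAddress) KeepCopy=$($Mbx.DeliverToMailboxAndForward)"
        }
    }

    # 2. Inbox rules that forward, redirect, delete or bury mail. BEC actors
    #    commonly redirect the thread to an external address and move or
    #    delete the original so the victim never sees the replies.
    foreach ($Rule in (Get-InboxRule -Mailbox $Upn)) {
        $Suspicious = $Rule.ForwardTo -or $Rule.ForwardAsAttachmentTo -or $Rule.RedirectTo -or
                      $Rule.DeleteMessage -or
                      ("$($Rule.MoveToFolder)" -match 'RSS|Archive|Deleted|Junk|Conversation History')
        if ($Suspicious) {
            [PSCustomObject]@{
                Mailbox = $Upn
                Finding = "Inbox rule '$($Rule.Name)' (Enabled=$($Rule.Enabled))"
                Detail  = $Rule.Description
            }
        }
    }
}

$Findings | Format-Table -AutoSize

# 3. Who created or changed rules recently? The unified audit log records the
#    actor, timestamp and client IP, which is what your forensic firm and
#    insurer will ask for when building the incident timeline.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, AuditData

# Preserve, do not destroy: disable a malicious rule rather than deleting it,
# so the rule itself survives as evidence. Fill in a real finding from above.
# Disable-InboxRule -Mailbox 'bookkeeper@example.com' -Identity 'Rule name from the findings above' -Confirm:$false
```

Run it from a clean administrator workstation, not from the compromised user’s machine, and export the findings and the audit-log output to a file before changing anything; that export is part of the evidence your carrier and counsel will want.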

Accidental data exposure: If a client file was emailed to the wrong person, a folder was shared publicly, or a laptop was lost, document exactly what data was involved, who may have accessed it, and for how long the exposure lasted. For a lost device, record whether full-disk encryption was enabled; many state notification laws exempt encrypted data, so that single fact can change the analysis. This documentation drives your notification obligation analysis. Call your attorney before contacting the recipient or the affected client.

Run a 30-Minute Tabletop Exercise Once a Year

Once a year, gather your team and walk through a hypothetical: “It’s Monday morning and we discover someone has been accessing our client file system from an unknown IP address over the weekend. What do we do first?” Then let people answer out loud and work through the gaps together.

You do not need a technical facilitator. You need honest conversation. Firms that run even one tabletop exercise per year respond measurably faster and more effectively when a real incident occurs, because staff have already thought through their role.

What to Look for in an IT Partner

If your current IT arrangement does not include incident response support, that is a gap worth addressing before something happens.

Ask any prospective IT provider these questions directly:

  • Do you have a documented incident response process, and can I see it?
  • What is your guaranteed response time for a declared security incident, including after hours and on weekends?
  • Do you have experience working with our insurance carrier during an incident?
  • Can you help us prepare for regulatory notification deadlines if client data is involved?
  • Will you coordinate with our outside legal counsel, or do we need to manage that relationship ourselves?

A provider who cannot answer these questions clearly is a provider who will not be useful at 8:47 a.m. on a Tuesday.

The Bottom Line

An incident response plan does not require an IT department. It requires four documented items, three scenario-specific response paths, and a team that has talked through the plan at least once. The firms that manage incidents well are not the ones with the best technology. They are the ones that knew what to do in the first 60 minutes.


Frequently Asked Questions

What should a small law firm or accounting firm do first when they suspect a security incident?

The first action is to isolate the affected device or account from the network without turning off the machine or deleting anything. Then call your IT contact and your security insurance carrier before taking any other steps. Preserving evidence and getting professional guidance early prevents costly mistakes and protects your coverage.

How long do professional services firms have to notify clients after a data breach?

It depends on your state. California requires notification in the most expedient time possible and without unreasonable delay. Florida requires notification within 30 days of determining that a breach occurred, and several other states set 45- or 60-day outer limits. The clock typically starts when you discover the incident, not when the investigation is complete, so documenting your discovery date immediately is legally important.

Does my firm need an incident response plan even if we have security insurance?

Yes. Security insurance policies typically require you to follow specific steps, such as notifying the carrier before paying a ransom or engaging a forensic investigator. Firms without a documented plan often take actions that void coverage or trigger exclusions before they even realize it. The plan and the policy work together.

What is a tabletop exercise and does my firm actually need to do one?

A tabletop exercise is a structured, low-pressure conversation where your team walks through a hypothetical breach scenario out loud, identifying what they would do at each step. It requires no technical expertise and typically takes 30 minutes. Teams that have rehearsed even once tend to respond faster and make fewer errors during a real incident, because nobody is working out their role for the first time under pressure.


One82 provides managed IT, cybersecurity, compliance, and AI integration services exclusively for professional services firms in the San Francisco Bay Area. Schedule a 15-Minute Discovery Call to discuss your firm’s incident response posture.