Incident Response | 19 min read
Law Firm Data Breach: The 72-Hour Playbook That Protects Privilege, Coverage, and Bar Standing
A partner opens a laptop on Saturday morning and finds an extortion email with a sample of client files attached as proof. The next 72 hours decide how much of the matter stays privileged, whether the firm meets its ABA Model Rule 1.6 confidentiality duty, and whether the firm's name ends up in a state attorney general's breach register.

This playbook walks through those hours in order, drawn from a decade of incident response inside law firms.

Why a legal-sector breach is its own category: concentrated counterparty secrets, standardized cloud tooling, and exceptional reputational leverage for the extortionist.

The Hour Zero call order that protects privilege and coverage: breach counsel first, then the carrier through counsel, then forensics on a counsel-signed engagement, then IT, then law enforcement, then clients on counsel's advice.

The first 24-hour stabilize-preserve-contain window: identity containment by revoking active sessions and tokens rather than only resetting passwords (a reset alone leaves already-issued sessions valid); M365/Workspace audit-log preservation before retention rolls the records off; endpoint imaging before any reimage; offline backup verification; and a written chronology kept from the first call.

The seven notification clocks running in parallel: state breach statutes, the cyber carrier's notice clause, ABA Formal Opinion 483 and Rule 1.4 client notice, outside counsel guideline clauses, the HIPAA 60-day rule, the GDPR 72-hour rule, and the bar's rules of professional conduct.

The ransom decision tree: backup-restore feasibility first, an OFAC check before any payment, exfiltration-only extortion handled separately, and a panel negotiator and panel crypto facilitator.

The Rule 1.4 client notification letter: five sections, a named signer, scoped to the client, reviewed by breach counsel, and three traps to avoid.

The 30/60/90-day post-incident hardening, aligned to the next cyber insurance renewal.

Six FAQ entries cover IT-first calls and privilege recovery, who gets a notification letter, what cyber insurance actually pays for, OFAC and ransom legality, access-without-exfiltration obligations, and small-firm response plans.
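The identity-containment and audit-log-preservation steps of the first 24 hours, as an added PowerShell example that is not part of the article and not the firm's or any vendor's tooling. It assumes an M365 tenant, the Microsoft.Graph and ExchangeOnlineManagement modules, an operator holding the needed admin roles, and a hypothetical compromised account supplied as a placeholder UPN; the evidence directory, lookback window and the list of "persistence" operations it flags are the author's assumptions, not anything the article specifies.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, ExchangeOnlineManagement
# Added example (not from the article): hour-one identity containment and
# unified-audit-log preservation for one suspected-compromised M365 account.
# Placeholders: -Upn (victim account), -EvidenceDir (write somewhere IT will
# not reimage), -LookbackDays (check the tenant's audit retention first;
# Audit (Standard) keeps records for less time than Audit (Premium)).
param(
    [Parameter(Mandatory)] [string] $Upn,
    [string] $EvidenceDir = "C:\IR\evidence",
    [int]    $LookbackDays = 90
)

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$chronology = Join-Path $EvidenceDir "chronology-$stamp.txt"

# Every action is appended to a UTC-stamped chronology as it happens; this is
# the written record counsel and the carrier will ask for later.
function Write-Chronology([string] $Message) {
    "$((Get-Date).ToUniversalTime().ToString('u')) $Message" |
        Tee-Object -FilePath $chronology -Append
}

# --- 1. Contain the identity: block sign-in, then revoke issued sessions ---
# A password reset by itself does not invalidate refresh tokens already held by
# the attacker's mail client or browser; Revoke-MgUserSignInSession does, by
# forcing every existing session to re-authenticate.
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome
$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Write-Chronology "Disabled sign-in for $($user.UserPrincipalName) (objectId $($user.Id))"
$revoke = Revoke-MgUserSignInSession -UserId $user.Id
Write-Chronology "Revoked sign-in sessions for $($user.UserPrincipalName), result=$($revoke.Value)"
# Rotate the password after the revoke (via the helpdesk/IR lead), not instead of it.

# --- 2. Preserve the unified audit log before retention rolls it off ---
# Search-UnifiedAuditLog pages large result sets through a session id; with
# ReturnLargeSet each call hands back the next (unsorted) page of up to 5000
# records and returns nothing once the set is exhausted.
Connect-ExchangeOnline -ShowBanner:$false
$end       = Get-Date
$start     = $end.AddDays(-$LookbackDays)
$sessionId = "ir-$($user.Id)-$stamp"
$records   = New-Object System.Collections.Generic.List[object]
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Upn `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records.AddRange(@($page)) }
} while ($page)

# Write the raw records (AuditData is the JSON payload with ClientIP, UserAgent,
# rule parameters, etc.) and hash the file so the export can be shown unaltered.
$export = Join-Path $EvidenceDir "ual-$($user.Id)-$stamp.json"
$records | Select-Object CreationDate, RecordType, Operations, UserIds, AuditData |
    ConvertTo-Json -Depth 5 | Set-Content -Path $export -Encoding UTF8
$hash = Get-FileHash -Path $export -Algorithm SHA256
Write-Chronology "Preserved $($records.Count) audit records ($start to $end) to $export sha256=$($hash.Hash)"

# --- 3. Quick triage for mailbox persistence left behind by the attacker ---
# Assumed watch-list: operations commonly seen when an account is used to set up
# forwarding or hide replies. Flagging them here does not replace forensics.
$persistenceOps = @('New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules',
                    'Set-Mailbox', 'Add-MailboxPermission', 'Set-TransportRule')
$suspicious = $records | Where-Object { $persistenceOps -contains $_.Operations }
foreach ($r in $suspicious) {
    Write-Chronology "REVIEW: $($r.CreationDate) $($r.Operations) by $($r.UserIds)"
}
Write-Chronology "Triage complete: $(@($suspicious).Count) persistence-type operations flagged for forensics"
```

Run it from the IR lead's workstation, not from the affected user's machine, and run step 2 before any endpoint is reimaged or the account is deleted, since both can shorten what the audit log will still return. For Google Workspace the equivalent is signing the user out and resetting sign-in cookies from the Admin console, then exporting the login and admin audit events from the Reports API to the same evidence directory with the same hashing step; the specific commands differ and are not shown here.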