Incident Response · 19 min read

Law Firm Data Breach: The 72-Hour Playbook That Protects Privilege, Coverage, and the Bar Standing

Alexander Sverdlov

Security Analyst

5/24/2026

Incident Response · Law Firms · Breach Playbook

A partner opens the laptop on Saturday morning and finds an extortion email addressed to the firm by name, with a sample of client files attached as proof. The next 72 hours decide three things: how much of the matter you keep privileged, whether your ABA Rule 1.6 duty is met, and whether the firm's name appears in a state attorney general's breach register. This is the hour-by-hour playbook, written from a decade of incident response inside law firms.

Key Takeaways

  • A law firm data breach has at least seven different clocks running in parallel: state breach-notification statutes, contractual notice to enterprise clients, the carrier's strict notice clause, the ABA Opinion 483 client-notification duty, the HIPAA 60-day rule if you handle PHI, the GDPR 72-hour rule if you handle EU data, and the rules of professional conduct in each jurisdiction where the firm practices.
  • The first call is not to IT, not to the police, and not to the client. It is to breach counsel and to your cyber insurance carrier's pre-approved responder panel. Calling out of order can void coverage and waive privilege.
  • Engage forensics through breach counsel from minute one. Direct engagement by the firm itself routinely produces a forensic report that is discoverable in the very malpractice litigation it was meant to defend.
  • By Hour 24 you need a containment posture; by Hour 48 a scoped picture of what was accessed; by Hour 72 a written incident summary good enough to anchor the notifications going out the door.
  • ABA Formal Opinion 483 imposes a duty to notify affected current clients under Model Rule 1.4 when client information has been compromised. State data breach statutes layer on separate notifications to individuals and regulators.
  • Paying the ransom is the wrong first question. The right first question is which recovery path is faster, cheaper, and more reliable: backup restore or the attacker's decryption tooling? In most engagements we have run, the answer is backup restore.

A managing partner of a thirty-attorney litigation boutique called us on a Saturday morning earlier this year. Her voice on the phone had a particular quality I have heard exactly four times in the last decade. It is what happens when an experienced lawyer reads an email at 7:42 AM that begins "We have copied 84 GB of your files including matter folders for the following clients" and recognizes that the next move and the move after that will be remembered for the rest of her career.

Three things had happened over the previous 48 hours, in an order none of the people involved would learn until later. A paralegal had clicked a calendar invitation that asked her to re-authenticate to a fake Microsoft 365 page on Thursday afternoon. Her token had been replayed from an IP in a third country on Thursday night. By Friday lunch the attacker had enumerated SharePoint, downloaded a copy of the firm's Documents library, and pivoted to a file server hosting historical matter PDFs. By Friday evening the attacker had encrypted a subset of files and left a note. The partner saw the note and the data-sample link first thing Saturday.

Her instinct was to call the IT vendor. Her second instinct was to call the carrier. Her third was to email the three clients whose matter folders appeared in the attacker's sample. None of those is the right Hour Zero move. Hour Zero is breach counsel, then carrier through breach counsel, then a forensics engagement letter signed by breach counsel and not by the firm. Every other call, including the call to IT, runs better once that chain is in place.

This article is the long version of the conversation that followed. It is written for the people who actually run this at a law firm, the managing partner and the firm administrator, not for a security engineer. By the end you will be able to manage Hour 0 through Hour 72 of a real incident in the right order, and you will know which clock starts when, who you can talk to about what, and how to keep your forensic work product on the privileged side of a future fight.

Step One

Why Law Firms Are Now a Top-Tier Target

A law firm is not a generic business under attack. From the attacker's point of view it is unusually attractive on three independent dimensions, and the combination of the three is the reason the legal sector has moved from a quiet middle of the breach-frequency table to the top quartile in the last three years.

First, a law firm holds the actionable form of a counterparty's secret. A manufacturer holds drawings; a law firm holds the drawings plus the litigation strategy, the M&A target, the regulatory filing under draft, the divorce inventory, the immigration file, and the privileged communication explaining the weak spot. The attacker who wants to extort a Fortune 500 company has a more efficient route through its outside counsel than through the company itself. Second, a law firm tends to be smaller than its largest client and run on consumer-grade collaboration tools (Microsoft 365 or Google Workspace, Dropbox, NetDocuments, iManage, Clio), which a generalist attacker has practiced against thousands of times. Third, a law firm is exquisitely sensitive to public exposure because confidentiality is not just a preference, it is a Model Rule. The reputational cost of a public breach is higher than the technical cost of the breach itself, and a sophisticated extortionist knows this and prices the demand accordingly.

A practical implication follows. The Hour Zero playbook is not generic. It is tuned to two unusual properties of the legal sector: the duty of confidentiality under Model Rule 1.6, and the privilege questions that determine whether your forensic findings end up in the hands of the plaintiff in a malpractice action. Get either of those wrong and the cost of the incident multiplies. Get both right and even a serious incident closes without lasting damage to the firm.

[Figure 1: Why Law Firms Are Now a Top-Tier Target. Three independent factors converge into a uniquely attractive profile. Concentrated Secrets: litigation strategy, M&A files, regulatory drafts, settlement amounts, divorce inventories, immigration files; higher value per GB than the client. Standardized Tooling: Microsoft 365, Google Workspace, Dropbox, NetDocuments, iManage, Clio, Worldox; the attacker has automated tradecraft. Reputational Leverage: confidentiality is a Model Rule duty, not a marketing claim; public disclosure is uniquely damaging; the extortion demand is priced accordingly. Result: the same attacker tooling that hits a 40-person SaaS produces, against a law firm, access to dozens of counterparties at once, each a separate extortion vector. The Hour Zero playbook below is tuned to this asymmetry, not to a generic SMB incident.]
Figure 1. Three independent properties of a law firm converge into a target profile that pays attackers more than a similar-sized non-legal business.

Step Two

Hour Zero: The Call Order That Protects Privilege and Coverage

The sequence of phone calls in the first hour after discovery is not a matter of taste. It is the difference between a forensic report that survives a future discovery dispute and a forensic report that the plaintiff's lawyer in a malpractice case reads aloud at deposition. It is also the difference between a paid claim and a denied claim under a cyber policy. The right order, in our engagements, is the following.

1. Breach counsel

A specialist privacy and incident-response lawyer, ideally outside the firm and ideally one your malpractice carrier or cyber carrier has on a pre-approved panel. The relationship and the engagement letter you sign in the first hour establish the protective umbrella under which everything else happens. The forensic vendor is hired by breach counsel, the report is written for breach counsel, and the privilege analysis is breach counsel's job, not the firm's.

2. Cyber insurance carrier, through breach counsel

Every modern cyber policy contains a notice provision that runs in days, sometimes hours, and a list of pre-approved responders the firm must use for the incident response to be covered. Calling the carrier yourself before counsel is fine, but the cleaner move is to have breach counsel place the call and write the first notice. Engaging a forensic vendor not on the panel is the single most common reason a covered loss converts to an uncovered loss.

3. Forensic vendor, engaged by counsel

A digital forensics and incident response firm that the carrier accepts and that breach counsel selects, engaged on a Kovel-style or work-product letter so the firm's communications and the resulting report sit on the privileged side of the line. The engagement letter should explicitly state that the work is conducted in anticipation of litigation and at counsel's direction. We have seen this single paragraph save firms from disclosing seven-figure investigation files.

4. IT vendor / internal IT lead

After the first three calls, not before. The IT vendor's role is critical and immediate (preserve logs, isolate hosts, freeze identities) but they take instruction from the forensic vendor and breach counsel. Letting IT delete a mailbox or rebuild a server before forensics has imaged it is one of the most expensive mistakes a firm can make.

5. Law enforcement, where appropriate

The FBI accepts ransomware reports through ic3.gov and through its field offices. Reporting is generally low-cost and sometimes useful (the bureau occasionally has decryption keys for known variants). In some sectors and some jurisdictions reporting is mandatory. Do not wire ransom funds without checking the OFAC sanctions list first. A 2020 advisory and the updated 2021 guidance from the Treasury Office of Foreign Assets Control specifically address ransomware payments to sanctioned entities.

6. Clients and bar, on counsel's advice and only after scoping is done

ABA Formal Opinion 483 imposes a duty to notify affected current clients of a material electronic data breach involving their information. The notification is owed under Rule 1.4, the duty to keep clients reasonably informed. The right time to make those notifications is after Hour 48 to 72 when you have a defensible picture of what was actually accessed. Sending a hasty Saturday afternoon "we may have been breached" email to thirty clients before you know anything is a separate professional-responsibility problem.

The single most common error we see is the order being inverted. Firms call IT first, IT engages a forensic vendor they personally know, the firm signs the engagement letter directly, and the resulting report becomes ordinary business records: discoverable, citable, fatal in the malpractice case the firm did not yet know it was about to face. The right order takes the same amount of time and produces a fundamentally different legal posture by the end of Hour One.

Step Three

The First 24 Hours: Stabilize, Preserve, Contain

By the end of Hour 24 the firm should hold three things. A containment posture that has stopped the attacker from doing further harm. A preservation posture that has captured the evidence forensics will need. And a written, time-stamped chronology that will form the spine of every subsequent notification, claim, and report.

[Figure 2: The First 72 Hours, Hour-by-Hour Plan. Three windows, each with a specific deliverable, each opening the next.
Hours 0-24, Stabilize and Preserve: breach counsel engaged; carrier notified through counsel; forensic firm hired by counsel; affected accounts disabled; sessions and tokens revoked; conditional access tightened; hosts isolated, not wiped; M365/Workspace logs preserved; endpoint images captured; backups verified offline; IR chronology started; spokesperson chosen; internal communications brief; ransom note preserved, not engaged.
Hours 24-48, Scope and Eradicate: initial access vector identified; persistence mechanisms found; data exfiltration scope assessed; affected matter folders mapped; affected client list drafted; privilege review on report scope; negotiation posture decided; backup restore feasibility tested; eradication actions executed; new credentials issued firm-wide; conditional access hardened; carrier briefed on scope; bar notification draft prepared; notification clocks confirmed.
Hours 48-72, Recover and Notify: production systems restored; restore validated, not assumed; final affected-data inventory; state AG notice drafted; client notification letters; HIPAA / GDPR clocks tracked; contractual notices issued; carrier proof-of-loss started; press posture finalized; internal town hall held; privilege log started; lessons-learned outline; 30/60/90-day remediation plan; hand-off to long-term recovery.]
Figure 2. The 72-hour window collapses into three sub-windows. Each one ends with a specific artifact the next one needs.

The two most consequential operational moves inside Hour 24 are identity containment and evidence preservation. Identity containment means revoking sessions and tokens, not just resetting passwords. A reset password without a session revocation leaves the attacker logged in on the device they captured the token from; we have watched attackers continue to read mailboxes for hours after the firm reset every password in the directory. In Microsoft 365 the right sequence is to disable sign-in, revoke sessions in Entra ID, invalidate refresh tokens, and only then rotate credentials and require fresh multi-factor enrollment for every user the forensic team flags. In Google Workspace the corresponding steps live in the admin console under user security and OAuth token revocation.

Evidence preservation means not letting anyone reformat anything. The instinct of an IT team that has just learned about an active breach is to rebuild affected machines. The forensic team needs the unmodified state. Hosts come off the network but stay powered, RAM-captured where possible, and disk-imaged before re-imaging. M365 audit logs and Unified Audit Log queries are pulled now, because retention varies by license tier and the data you need on Tuesday may not exist on Friday. Inbox-rule histories, mail-flow rules, OAuth-application consents, and sign-in logs all need to be captured immediately. We keep a one-page evidence preservation checklist on the wall of the war room for every law-firm engagement we run.
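The Microsoft 365 containment sequence and the evidence-preservation checklist described above, as an added PowerShell example that is not part of the original article or any firm's runbook. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, a responder with user-administration and Exchange audit rights, and constructed sample UPNs under firm.example; credential rotation and MFA re-enrollment are deliberately left to the forensic team's flag list.

```powershell
# Added example (not the article's own procedure): Hour-24 identity containment and
# evidence preservation for Microsoft 365, in the order the text prescribes:
# disable sign-in -> revoke sessions and refresh tokens -> capture artifacts.
# Credential rotation and fresh MFA enrollment follow, per forensic team's flag list.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Reports, ExchangeOnlineManagement

param(
    # Constructed sample UPNs; replace with the accounts the forensic team flags.
    [string[]]$FlaggedUsers = @('paralegal01@firm.example', 'partner02@firm.example'),
    [string]$EvidenceRoot = 'C:\IR\evidence',
    [int]$LookbackDays = 90
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$caseDir = Join-Path $EvidenceRoot $stamp
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

# Every action is appended to a UTC-stamped chronology; this file becomes the spine
# of the IR timeline the carrier, regulator and counsel will all ask for.
$chronology = Join-Path $caseDir 'chronology.log'
function Write-Chronology([string]$Message) {
    "$((Get-Date).ToUniversalTime().ToString('o'))`t$Message" | Add-Content -Path $chronology
}

foreach ($upn in $FlaggedUsers) {
    $userDir = Join-Path $caseDir ($upn -replace '[^\w.@-]', '_')
    New-Item -ItemType Directory -Path $userDir -Force | Out-Null

    # --- Containment: block new sign-ins, then invalidate every existing session and
    # refresh token. A password reset alone leaves a replayed token valid; revocation
    # is what actually ends the attacker's session.
    Update-MgUser -UserId $upn -AccountEnabled:$false
    Write-Chronology "Sign-in disabled for $upn"
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    Write-Chronology "Sessions and refresh tokens revoked for $upn"

    # --- Preservation: containment does not delete any of these artifacts, but
    # audit-log retention does, so they are exported now rather than on Tuesday.
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -All |
        Select-Object CreatedDateTime, IpAddress, ClientAppUsed, AppDisplayName,
            @{n = 'Country'; e = { $_.Location.CountryOrRegion } },
            @{n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
        Export-Csv -Path (Join-Path $userDir 'signins.csv') -NoTypeInformation

    # OAuth consents held by the user: an attacker-planted app survives a password reset.
    Get-MgUserOauth2PermissionGrant -UserId $upn -All |
        Select-Object ClientId, ConsentType, Scope |
        Export-Csv -Path (Join-Path $userDir 'oauth-grants.csv') -NoTypeInformation

    # Inbox rules: forwarding and deletion rules are the classic mailbox persistence.
    Get-InboxRule -Mailbox $upn |
        Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
        Export-Csv -Path (Join-Path $userDir 'inbox-rules.csv') -NoTypeInformation

    # Unified Audit Log for the user (SharePoint downloads, mailbox access, file sync).
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) `
        -UserIds $upn -ResultSize 5000 |
        Select-Object CreationDate, Operations, RecordType, AuditData |
        Export-Csv -Path (Join-Path $userDir 'unified-audit.csv') -NoTypeInformation
    Write-Chronology "Evidence exported for $upn"
}

# Tenant-wide artifacts, captured once: mail-flow rules added by anyone, ever.
Get-TransportRule |
    Select-Object Name, State, Priority, RedirectMessageTo, BlindCopyTo, DeleteMessage, WhenChanged |
    Export-Csv -Path (Join-Path $caseDir 'transport-rules.csv') -NoTypeInformation
Write-Chronology 'Export complete; writing hash manifest'

# SHA-256 manifest so the export can later be shown to be unaltered since capture.
Get-ChildItem -Path $caseDir -Recurse -File |
    Where-Object Name -ne 'manifest.sha256' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $caseDir 'manifest.sha256') -NoTypeInformation
```

Run it once per wave of flagged accounts from a responder workstation, not from a host the forensic team has not yet imaged.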

Hour 0-24 Action                   | Who Owns It                     | Risk if Skipped
-----------------------------------|---------------------------------|-----------------------------------------------------
Engage breach counsel              | Managing partner                | Forensic report becomes discoverable; privilege lost
Notify cyber carrier               | Breach counsel                  | Late notice; coverage denied
Revoke sessions and tokens         | Forensic vendor + IT            | Attacker stays in mailboxes after password reset
Preserve M365 / Workspace logs     | Forensic vendor                 | Audit-log retention rolls off; scope unknowable
Image affected endpoints           | Forensic vendor                 | RAM and disk evidence lost on reboot or reimage
Confirm offline backup integrity   | IT + forensic vendor            | Ransom becomes the only restore path
Start written chronology           | Firm administrator + counsel    | No defensible record for carrier or regulator
Designate spokesperson             | Managing partner                | Inconsistent partner statements to clients and press
Hold internal-comms brief          | Managing partner                | Rumor and unauthorized partner emails

Step Four

The Seven Notification Clocks Running in Parallel

A law firm breach is not subject to one notification clock. It is subject to at least seven, each with a different trigger, audience, and form. The clocks run in parallel and do not pause for each other. The clock that owns a Tuesday morning conversation with a state attorney general's office is not the clock that owns the Wednesday call to a Fortune 500 general counsel under an outside counsel guideline, and neither is the clock that owns the call to the bar.

[Figure 3: Seven Notification Clocks Running in Parallel. Each starts on a different trigger; none pauses for any other.
1. State data breach statutes. Trigger: PII of state residents accessed. Form: written notice to residents, often to the AG.
2. Cyber insurance notice clause. Trigger: knowledge of the incident. Days to hours. Use of off-panel responders voids coverage.
3. ABA Opinion 483 / Rule 1.4. Trigger: material disclosure of current-client information. Form: written notice to affected clients.
4. Outside counsel guidelines. Trigger: client contract clauses. Forms vary; often 24-72 hours, sometimes immediate.
5. HIPAA Breach Notification Rule. Trigger: PHI accessed where the firm is a business associate. 60 days maximum to the client (covered entity).
6. GDPR (EU personal data). Trigger: EU data subjects affected. 72-hour notice to the supervisory authority where applicable.
7. Bar / Rules of Professional Conduct in each jurisdiction where the firm practices. Trigger: the incident implicates duties under Rules 1.1, 1.4, 1.6, 5.1, 5.3. Form: varies by state.
Track every clock on one sheet of paper, owned by one person. The most common notification failure is not missing one clock; it is letting clocks contradict each other. A press release dated before the AG notice is a foot-fault. Coordinate; do not improvise.]
Figure 3. Seven different clocks, seven different audiences. Breach counsel owns the master timeline; nobody else has the full picture.

A few items are worth pulling out of that map. State data breach statutes are not uniform. Most U.S. states define a covered breach by the type of personal information involved (name plus an identifier such as Social Security number, financial account number, or driver's license number), then impose a written-notice obligation to affected residents and frequently to the state attorney general. Some states require notice within a specific number of days from discovery (Florida is 30 days, for example); others use the "without unreasonable delay" standard. New York, California, and Texas each have their own particularities and their own enforcement appetites. The states where the affected individuals reside, not the state where the firm is located, determine which statutes apply.

ABA Formal Opinion 483 (2018) is the cornerstone obligation specific to lawyers. It reads onto Model Rule 1.4 (the duty to keep clients reasonably informed) and Model Rule 1.6 (the duty of confidentiality), and it tells lawyers that they must notify current clients whose material confidential information has been compromised. The opinion does not impose a strict-timing rule of its own but it makes clear that the duty is owed in time for the client to take action to protect themselves. In practice, that translates to client letters going out at the end of Hour 72 or shortly after, once you have a real and defensible understanding of what was accessed.

Contracts with enterprise clients are the wild card. A firm that has signed outside counsel guidelines or vendor agreements with sophisticated clients almost certainly has clauses that require notification within 24 to 72 hours of becoming aware of a security incident, often with a definition of "security incident" that triggers on access regardless of whether confirmed exfiltration has occurred. Read every one of those contracts in the first hours; you are likely already late to one of them by Hour 24 if you do not start drafting that notification at Hour 12.

HIPAA applies if the firm acts as a business associate of a covered entity, which almost any firm with healthcare-sector clients does. The 60-day clock to notify the covered entity runs from discovery of the breach. GDPR applies if the firm holds personal data of EU data subjects, which is common in cross-border practice. The 72-hour clock to notify the relevant supervisory authority runs from awareness, with narrow exceptions for unlikely risk to data subjects' rights.

Step Five

The Ransom Question: How to Frame It Correctly

"Should we pay?" is the wrong question. The right question is "what restores the firm fastest at the lowest total cost while staying inside the law and our policy?" Reframed that way, the ransom is one input among several, and the decision becomes tractable.

[Figure 4: Should the Firm Engage with a Ransom Demand? First branch: do tested offline or immutable backups exist for what was encrypted? Yes: restore from backup; engage only if the demand is exfiltration-extortion only. No: the negotiation track opens; an independent negotiator is required. Second branch: is the attacker on an OFAC sanctions list? Yes: payment prohibited; restore and notify, no payment path. No: pay only if cost-justified and counsel and carrier approve.]
Figure 4. The decision tree we walk firms through. The right branch is "restore from backup" more often than firms expect.

Three facts make this decision more constrained than firms initially assume. First, paying a sanctioned entity is illegal in the United States and many other jurisdictions, and OFAC has been explicit since 2020 that facilitating a ransom payment to a designated actor can carry strict liability for the firm and its advisors. Before any payment moves, a careful check of the wallet and the known affiliations of the threat-actor brand is mandatory. Second, recent law in some states (and a federal disclosure rule for public companies and certain critical-infrastructure operators) requires reporting of ransom payments to specific agencies inside short windows. Third, modern cyber policies often condition coverage of the ransom payment itself on advance carrier approval and use of a panel negotiator. Pay first, ask later, and the carrier has a clean reason to refuse the reimbursement.

A different question is whether to engage at all when the attacker is purely an exfiltration extortionist (no encryption, just a threat to publish the data). The argument for engaging is that delayed publication can be worth real money to the firm; the argument against is that paying does not reliably stop publication, and the firm has put itself into a posture where the data is gone, the money is gone, and the public disclosure may still arrive months later. Our default counsel here is to engage only when there is a specific operational reason to (for example, time to notify clients before a leak, or evidence the attacker will accept a structured non-payment outcome), and to engage through a professional negotiator rather than directly.

Step Six

Notifying Clients: The Rule 1.4 Letter That Does Not Make Things Worse

The client notification letter is the single most consequential piece of writing the firm will produce in the first week. It is the document the client's general counsel will forward to their CFO, their board, their own outside counsel, and potentially to a state regulator. It is also the document a plaintiff lawyer will read aloud in the deposition that may follow. It needs to do three things at once: discharge the firm's Rule 1.4 duty to keep the client reasonably informed, provide an accurate factual picture without overstating what is yet unknown, and avoid creating new exposure through careless concessions or speculation.

The structure that works, refined over a decade of these letters, is short and disciplined. The letter is from the firm (not from a single partner), is signed by a named senior lawyer (typically the managing partner or the relationship partner), and contains five sections in this order: (1) a factual paragraph stating what is known about the incident; (2) a specific statement of what client information was affected, scoped to that client; (3) the steps the firm has taken to contain and remediate; (4) a description of the client's likely action items, including credit monitoring or other protective measures where applicable; (5) the firm's contact for follow-up, which should be a single named partner and one paralegal, not "any of us." Avoid the phrase "out of an abundance of caution." It reads as boilerplate. State what you actually know.

Three traps to avoid in the letter. Do not assert that no client information was accessed unless your forensic team has signed off on that conclusion in writing; reversing the assertion two weeks later is the moment your client loses faith. Do not promise specific remediation steps the firm has not actually committed to (a SOC 2 audit, a third-party assessment, a new EDR rollout) unless the partnership has approved the spend; promised-but-undelivered remediation features prominently in malpractice complaints. And do not, under any circumstances, send the letter before breach counsel has reviewed it, because every word in it is a representation the firm will be held to.

Wrong: the "out of an abundance of caution" Saturday email

A two-line note from a partner to thirty clients at Hour 12, before scope is known, hinting at "a possible security event" and promising more information "shortly." The note creates anxiety without giving the client anything to act on, and it commits the firm to a follow-up that may not arrive for days.

Right: the structured Hour 72 letter

A two-page letter, signed by the managing partner, scoped to the specific client, stating what was accessed, what the firm has done, what the client should consider doing, and exactly whom to call with questions. Sent only after the scope is real and after breach counsel has approved every sentence.

Step Seven

After the Fire: Hardening That Survives the Next Renewal

A firm that has been through a breach has two windows it should not waste. The first is the 90-day window after closure, while the partnership and the board are still paying attention and budgets are unusually available. The second is the upcoming cyber insurance renewal, where the underwriting questions will be tighter than last year and the consequence of an honest "no" will be measured in tens of thousands of dollars of premium and lower sublimits. Both windows close fast.

In our post-incident engagements with firms, the same control set keeps coming back as the highest-leverage post-breach investment. The list is short and it overlaps almost perfectly with the eight gatekeeper controls underwriters now require: phishing-resistant MFA on email, remote access, and admin accounts; EDR on every laptop and server with central monitoring; tested offline or immutable backups with a documented restore test; email filtering with link, attachment, and impersonation protection; mandatory security awareness training for every employee, partners included; timely patching with no end-of-life software; a written and rehearsed incident response plan; and privileged access control with separated admin accounts. The same controls that would have prevented or contained the incident are the controls the next carrier wants attested to on the application. One block of work serves both purposes.

Two specific hardening moves deserve their own attention. The first is a real Microsoft 365 or Google Workspace tenant review by someone who actually understands the platform. The typical law-firm tenant we audit has between fourteen and twenty-two configuration findings that a generalist IT vendor has missed: legacy authentication still enabled, conditional access policies with exceptions older than anyone remembers, OAuth application consents granted years ago, mail-flow rules added by ex-employees, audit-log retention left at the default. The second is a tabletop exercise within 60 days of recovery, run by an outside facilitator, covering exactly the scenario the firm just lived through. Firms that run this exercise once typically reduce the recovery time of a second incident by half. The cost is a fraction of the legal fees from a single bar complaint.
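The tenant-review finding classes named above (legacy authentication, stale conditional access exclusions, old OAuth consents, leftover mail-flow rules, audit-log settings), as an added read-only PowerShell audit that is not the article's or Atlant Security's own tooling. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules; the sign-in sample size and the "risky scope" pattern are the example's own choices.

```powershell
# Added example (not the article's own checklist): read-only Microsoft 365 tenant review
# for the post-incident finding classes the text describes. Nothing here changes state.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports, Microsoft.Graph.Applications, ExchangeOnlineManagement

param(
    [int]$SignInSample = 5000   # most recent sign-ins to inspect for legacy protocols
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All', 'Application.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Area, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Area = $Area; Detail = $Detail })
}

# 1. Legacy authentication. Following the Entra legacy-auth workbook, anything other than
#    'Browser' or 'Mobile Apps and Desktop clients' is a legacy protocol; a *successful*
#    sign-in over one means basic auth is still reachable and MFA was never evaluated.
$modernClients = @('Browser', 'Mobile Apps and Desktop clients')
Get-MgAuditLogSignIn -Top $SignInSample |
    Where-Object { $_.ClientAppUsed -notin $modernClients -and $_.Status.ErrorCode -eq 0 } |
    Group-Object ClientAppUsed |
    ForEach-Object { Add-Finding 'Legacy auth' "$($_.Count) successful sign-ins via '$($_.Name)'" }

# 2. Conditional access: policies not enforced, and policies carrying user/group exclusions
#    (the 'exceptions older than anyone remembers' category).
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -ne 'enabled') {
        Add-Finding 'Conditional access' "Policy '$($p.DisplayName)' is in state '$($p.State)'"
    }
    $excluded = @($p.Conditions.Users.ExcludeUsers) + @($p.Conditions.Users.ExcludeGroups)
    if ($excluded.Count -gt 0) {
        Add-Finding 'Conditional access' "Policy '$($p.DisplayName)' excludes $($excluded.Count) users/groups"
    }
}

# 3. OAuth consents whose delegated scopes reach mail, files or sites. Grants carry no
#    creation date, so every match is reviewed rather than aged out.
$riskyScopes = 'Mail\.|Files\.|MailboxSettings\.|Sites\.'
foreach ($g in Get-MgOauth2PermissionGrant -All) {
    if ($g.Scope -match $riskyScopes) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -ErrorAction SilentlyContinue
        Add-Finding 'OAuth consent' "'$($sp.DisplayName)' ($($g.ConsentType)) holds: $($g.Scope.Trim())"
    }
}

# 4. Mail-flow rules that redirect, blind-copy or silently delete mail; WhenChanged
#    helps tie a rule back to a departed employee or an earlier incident.
Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.DeleteMessage } |
    ForEach-Object { Add-Finding 'Transport rule' "'$($_.Name)' ($($_.State)) redirects/copies/deletes mail; changed $($_.WhenChanged)" }

# 5. Audit logging: if ingestion is off, the Hour-24 scoping in the text is impossible.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Add-Finding 'Audit log' 'Unified Audit Log ingestion is disabled'
}

$findings | Sort-Object Area | Format-Table -AutoSize -Wrap
"Total findings: $($findings.Count)"
```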

How Atlant Security Helps

24/7 Incident Response for Law Firms

When a partner opens a laptop on Saturday morning to a ransom note, the next 72 hours decide the firm's exposure, its bar standing, and its cyber claim. We run that 72 hours end to end: identity containment in Microsoft 365 or Google Workspace within the first hour, forensic preservation under counsel privilege, clock-by-clock notification mapping, ransom-decision support, and a 30/60/90 hardening plan that aligns to your next insurance renewal.

  • Senior responder on the first call, no junior triage layer
  • Engaged through breach counsel to preserve privilege
  • On every cyber-carrier panel of meaningful size
  • Fluent in Rule 1.6, Opinion 483, state breach statutes, HIPAA, GDPR
  • Written report suitable for the carrier, the bar, and the AG

Frequently Asked

Questions Managing Partners Ask in Hour One

If we already called our IT vendor first, did we ruin the privilege analysis?

Not necessarily, but the work has to be restructured immediately. The fact that IT was the first call is recoverable if breach counsel is engaged within the first day and forensics is then re-engaged under counsel. What is not recoverable is a forensic report that has already been written and delivered directly to the firm without counsel in the chain. Stop work, pause that report, and re-engage through counsel. The cost is a small amount of repeated effort. The benefit is preserving the privilege posture going forward.

Do we have to tell every client, or only the ones we are sure were affected?

ABA Formal Opinion 483 obliges notice to current clients whose information was materially compromised. If the firm has a clear picture by Hour 72 that a specific subset of clients was affected, the notification goes to that subset. Sending an alarming firm-wide note to clients who were not affected can itself create issues and is generally discouraged unless the firm cannot reasonably scope which clients were affected. State data breach laws operate on a different axis (individuals whose PII was exposed) and have their own scoping rules.

Does cyber insurance actually pay for everything?

A well-structured cyber policy pays for forensic investigation, breach counsel, notification mechanics, credit monitoring offered to affected individuals, the regulatory defense bill, and (subject to sublimits and approvals) the ransom and the business interruption. It does not pay for everything: lost client trust, partner time, the reputational repair work, and any malpractice judgment from a downstream claim are mostly the firm's burden. And it pays nothing if the firm violates the policy's notice clause or uses off-panel responders. The pay-out depends on Hour One discipline as much as on the policy itself.

Is paying the ransom illegal?

Paying a ransom is generally not per se illegal in the United States, but paying a sanctioned entity is, and OFAC has signaled since 2020 that facilitating a payment to a designated actor is sanctionable on a strict-liability basis. The practical answer is that the firm does not pay anything until breach counsel has performed the sanctions check, the carrier has approved the payment, and the payment is routed through a panel negotiator and a panel cryptocurrency facilitator. Improvised payments are the ones that turn into criminal exposure and uncovered claims.

What if we are not yet sure data was actually exfiltrated?

A useful working principle is that access without confirmed exfiltration still implicates duties under Rule 1.6 (the rule reaches unauthorized access, not only disclosure) and frequently under contractual notice clauses (which often trigger on "security incident" rather than on confirmed breach). The right move is to scope as fast as the forensic data allows, notify on the conservative side of the line where contractual clocks are short, and avoid asserting "no data was taken" in any client letter unless the forensic team has signed off on that conclusion in writing.

We are a fifteen-attorney firm. Do we really need all of this?

The decision-making structure is the same at fifteen attorneys as at fifteen hundred; only the dollar amounts and the speed of partner approvals change. The single most useful preparation a small firm can do is to have a one-page incident response plan with the names and phone numbers of breach counsel, the cyber carrier's claim hotline, and a forensic firm on the carrier's panel, kept somewhere accessible without the firm's network. The plan does not need to be long. It needs to exist before the morning the partner finds the email.

The thirty-attorney firm that started this article submitted its state attorney general notice on Day 9, sent client notification letters on Day 11, and closed the matter with no bar complaints and no malpractice filings. The cyber carrier paid the forensic and counsel bills in full and reimbursed the negotiation fee. The firm did not pay the ransom. The decisive moments in that timeline were not the technical work or the size of the ransom demand. They were the order of the first six phone calls on Saturday morning.

If your firm has never written down what those first six calls are and in what order, that is the single most valuable hour you can spend this month. Write it. Tape it to the inside of the file cabinet behind the firm administrator. Hope you never need it.

Need a 24/7 responder relationship in place before the next call? Book a 30-minute readiness call or email alexander@atlantsecurity.com directly.

Alexander Sverdlov

Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.