Law Firm Data Breach Response: What to Do in the First 72 Hours

By Ken Satkunam, CISM · President & Founder, NorthStar Technology Group

April 2026 · 11 min read

A data breach at a law firm is not like a breach at a retailer. The data at risk is not just financial or personally identifiable. It is attorney-client communications, litigation strategy, M&A terms, criminal defense files, and settlement figures. A single breach can expose clients, trigger bar complaints, generate malpractice claims, and destroy decades of earned trust in a matter of hours.

Law firms are among the most targeted organizations in cybersecurity today. Attackers know that legal files carry extraordinary value and that many firms operate with limited IT infrastructure relative to the sensitivity of what they hold. The question is not whether your firm could face a breach, but whether you are ready to respond effectively when it happens.

This guide covers what law firms need to do in the first 72 hours of a data breach, the professional responsibility obligations that govern your response, and how to build a posture that minimizes both the likelihood and the impact of an incident.

What professional responsibility obligations apply to law firms after a data breach?

The ABA Model Rules of Professional Conduct create clear obligations that directly govern how law firms must handle cybersecurity incidents. Three rules are most relevant.

Rule 1.1 (Competence) requires lawyers to maintain competence, which the ABA has extended through Comment 8 to include understanding the benefits and risks of relevant technology. A firm that suffers a breach and cannot demonstrate that it had reasonable security controls in place faces a competence argument.

Rule 1.4 (Communication) requires lawyers to keep clients reasonably informed about matters affecting their representation. A breach that exposes client data or disrupts access to client files triggers a communication obligation. Firms must notify affected clients promptly and accurately.

Rule 1.6 (Confidentiality) requires lawyers to make reasonable efforts to prevent unauthorized disclosure of client information. This rule is the foundation of law firm cybersecurity obligations. In 2026, reasonable efforts mean, at a minimum, encryption, access controls, multi-factor authentication, and documented security policies.

Beyond the ABA Model Rules, most states have adopted similar provisions, and many have issued formal ethics opinions providing additional guidance on cybersecurity obligations. State bar notification requirements vary, and some states require reporting breaches that affect client confidences to bar disciplinary authorities.

What should a law firm do in the first 72 hours of a data breach?

The first 72 hours are the most consequential. Here is the response sequence that matters most:

  1. Confirm and contain. Verify that a breach has actually occurred and isolate affected systems immediately. Do not shut everything down reflexively, as powering systems off can destroy forensic evidence (volatile memory in particular), but do disconnect compromised endpoints from the network. If you use cloud-based practice management software, contact the vendor immediately.
  2. Engage your incident response team. This should be a pre-arranged relationship, not a cold call during a crisis. Your IR team will lead forensic investigation, evidence preservation, and remediation. If you do not have an IR retainer, your cyber insurance carrier almost certainly has one available.
  3. Notify your cyber insurance carrier. Most policies require prompt notification, often within 24 to 72 hours. Late notification can affect coverage. Your carrier will also guide you on what steps to take next and may require approval before you engage outside counsel or IR vendors.
  4. Engage breach counsel. A law firm facing a breach needs its own legal counsel, separate from the attorneys handling client matters. Breach counsel can help assess notification obligations, manage privilege over the investigation, and coordinate regulatory filings.
  5. Assess the scope of client data exposure. Determine which client files, communications, and matters may have been accessed. This assessment drives your notification obligations under both professional responsibility rules and applicable state and federal breach notification laws.
  6. Notify affected clients. Under ABA Model Rule 1.4 and most state equivalents, firms must notify clients whose confidential information was or may have been accessed. Notifications should be accurate, timely, and prepared in coordination with breach counsel. Avoid speculation about what was accessed until the forensic investigation confirms scope.
  7. Preserve evidence. Do not wipe or reimage systems before forensic imaging is complete. Evidence of the attack vector, the attacker's actions, and the scope of access will be needed for insurance claims, regulatory responses, and potential litigation.

What state and federal breach notification laws apply to law firms?

Law firms are subject to a patchwork of breach notification requirements depending on the types of client data they handle and the states where they operate and serve clients.

All 50 states have enacted breach notification laws that require notification to individuals whose personally identifiable information was compromised. Most state laws set deadlines ranging from 30 to 90 days after discovery; several states, including Florida and Colorado, sit at the short end of that range with a 30-day deadline.

Law firms that handle healthcare matters or serve healthcare clients as business associates under HIPAA may have additional breach notification obligations under the HIPAA Breach Notification Rule, including notification to HHS and potentially to the media for breaches affecting 500 or more individuals in a single state.

Firms that handle data subject to the Gramm-Leach-Bliley Act through financial services clients, or that operate in states with comprehensive privacy laws such as California, Virginia, or Colorado, may face additional obligations. Multi-state firms should map their notification obligations at the outset of an incident, not during the response.

How can law firms reduce their breach risk before an incident occurs?

The most effective breach response is one you never have to execute. Law firms can significantly reduce their exposure by implementing a layered security posture aligned with their risk profile.

The controls that matter most for law firms include:

  • Email security: Phishing remains the primary entry point for law firm breaches. Advanced email filtering, domain-based message authentication (DMARC, DKIM, SPF), and anti-phishing training reduce this risk substantially. For practical steps, see our guide on what cybersecurity law firms actually need.
  • Multi-factor authentication: MFA on every system that touches client data, including email, practice management software, document management, and remote access tools, is the single highest-impact control most firms are not fully implementing.
  • Endpoint detection and response: Traditional signature-based antivirus misses many modern threats. EDR platforms monitor endpoint behavior in real time and can stop an attack before it reaches client files.
  • Encrypted file storage and transmission: Client files should be encrypted at rest and in transit. This does not prevent a breach, but it significantly limits what an attacker can do with data they access.
  • Access controls and least privilege: Staff should only have access to the client files and systems their role requires. Lateral movement in a breach is far more damaging when attackers have unrestricted access across the entire firm.
  • Incident response planning: Law firms should have a written incident response plan that is tested at least annually. The plan should identify who is responsible for each step, who has authority to make containment decisions, and how client notification will be managed.

Our guide to penetration testing and security audits for law firms covers how to validate that your controls are working as intended.

What role does cyber insurance play in law firm breach response?

Cyber insurance is a critical component of breach response for law firms, but it is not a substitute for security controls. Coverage typically includes forensic investigation costs, breach counsel fees, client notification expenses, regulatory defense, and business interruption losses. Some policies also cover reputational harm and extortion payments in ransomware incidents.

The gap most firms discover during a breach is that their coverage limits are insufficient for the actual cost of response. A breach affecting several hundred client matters can generate notification costs, legal fees, and reputational losses that exceed a $1 million policy limit quickly. Law firms should review their coverage annually against their current risk profile.

For a deeper look at what coverage law firms actually need, see our article on cyber insurance requirements for law firms in 2026.

How can NorthStar Technology Group help law firms prepare for and respond to a breach?

NorthStar Technology Group works with law firms across the country to build security programs that meet professional responsibility obligations and reduce real-world breach risk. Our services for law firms include 24/7 managed detection and response, incident response planning and tabletop exercises, HIPAA and privacy compliance support for firms with healthcare clients, penetration testing and security assessments, and staff security awareness training.

We understand the confidentiality obligations that govern legal practice. Our team works within your professional responsibility framework and can serve as a technical resource for your breach counsel during an incident. If your firm does not have a current incident response plan, that is the right place to start. Our free security check can help identify where your current posture has gaps.

For more resources on cybersecurity for legal organizations, visit our legal industry resource hub.

ABOUT THE AUTHOR

Ken Satkunam, CISM
President & Founder, NorthStar Technology Group

Ken has spent over 25 years in IT leadership serving regulated organizations. He founded NorthStar Technology Group in 2000 and holds the CISM credential from ISACA. NorthStar has been recognized on the Inc. 5000 list in 2024 (#3837) and 2025 (#2393). Ken is the co-author of the Amazon best-seller Cyber Attack Prevention.
